# I think that I have a rootkit or other malware on my computer.



## referee07 (Sep 11, 2003)

I think that I have a rootkit or other malware on my computer. I can't open Malwarebytes, and when I try to open the program, I get a notice that IE had to shut down. I downloaded and ran the Malwarebytes Anti-Rootkit software, but it can't update and it often gave the notice that it had to stop. Also, the fan on my computer seems to run too much of the time. Below are the requested logs. Thanks for the help with this.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:50:38 AM, on 6/8/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17041)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\ProgramData\FLEXnet\Connect\11\agent.exe
C:\Program Files (x86)\Password Safe\pwsafe.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Transparent\Byki 4\Deluxe\BYKI4Deluxe.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\WxEx\WxEx.exe
C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Users\Carl\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mentalfloss.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Lync Click to Call BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll
O2 - BHO: RoboForm BHO - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~4\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ads Removal - {9D974C8C-6D92-44FB-BEAF-B45A1C0CF17F} - C:\Program Files (x86)\IObit\IObit Malware Fighter\adsremoval\IE\Adblock.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL
O2 - BHO: Advanced SystemCare Browser Protection - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\PROGRA~2\IObit\SURFIN~1\BROWER~1\ASCPLU~1.DLL
O2 - BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [AcronisTibMounterMonitor] C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files (x86)\Nuance\NaturallySpeaking12\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking12\Ereg.ini"
O4 - HKLM\..\Run: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Advanced SystemCare 7] "C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe" /Auto
O4 - HKCU\..\Run: [StrongVPN Client] "C:\Program Files (x86)\StrongVPN\StrongDial.exe" --silent
O4 - HKCU\..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Password Safe.lnk = C:\Program Files (x86)\Password Safe\pwsafe.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Customize Menu - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComSavePass.html
O8 - Extra context menu item: Se&nd to OneNote - res://C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
O8 - Extra context menu item: Show RoboForm Toolbar - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComShowToolbar.html
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIE.dll
O9 - Extra button: PrivDog - {2F5C139F-79BD-4C84-A95A-E7140525BC55} - (no file)
O9 - Extra button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll
O9 - Extra 'Tools' menuitem: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: Show Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra 'Tools' menuitem: Show RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - https://oas.support.microsoft.com/ActiveX/MSDcode.cab
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h50203.www5.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - https://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect118.cab
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - http://support.dell.com/systemprofiler/DellSystemLite.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA96233-8E7B-464F-9E92-400468F30591}: NameServer = 216.169.129.2 216.169.130.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{71954841-135B-4F40-A9CD-043CD2C0A4F6}: NameServer = 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{722ED704-906C-46A6-8370-CBEB7A9BB0F6}: NameServer = 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF3FE39-CF32-4E36-94DA-895958524BDA}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC9D303B-2D0C-4783-87DA-46DD644894B0}: NameServer = 0.0.0.0
O18 - Protocol: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Advanced SystemCare Service 7 (AdvancedSystemCareService7) - IObit - C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
O23 - Service: Acronis Nonstop Backup Service (afcdpsrv) - Acronis - C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Driver Management Service (BcmBtRSupport) - Unknown owner - C:\Windows\system32\BtwRSupportService.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: COMODO Virtual Service Manager (cmdvirth) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe
O23 - Service: Dragon Service (DragonSvc) - Nuance Communications, Inc. - C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe
O23 - Service: COMODO Dragon Update Service (DragonUpdater) - Unknown owner - C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\615\g2aservice.exe
O23 - Service: GoodSync Server (GsServer) - Unknown owner - C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LiveUpdate (LiveUpdateSvc) - IObit - C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\x64\3\\lxdnserv.exe
O23 - Service: lxdn_device - - C:\Windows\system32\lxdncoms.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Wireless PAN DHCP Server (MyWiFiDHCPDNS) - Unknown owner - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: RosettaStoneDaemon - Rosetta Stone Ltd. - C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: StrongVPN Service - Black Oak Computers, Inc. - C:\Program Files (x86)\StrongVPN\StrongService.exe
O23 - Service: Acronis Sync Agent Service (syncagentsrv) - Acronis - C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 21033 bytes

Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handle within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium 
Boot Device: \Device\HarddiskVolume2
Install Date: 3/20/2011 8:25:46 AM
System Uptime: 6/8/2014 8:23:43 AM (1 hours ago)
.
Motherboard: Dell Inc. | | 021CN3
Processor: Intel(R) Core(TM) i3 CPU M 380 @ 2.53GHz | U2E1 | 2533/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 451 GiB total, 195.417 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP721: 5/30/2014 9:03:43 PM - Registry Reviver Restore Point (05/30/14)
RP723: 5/30/2014 9:22:21 PM - Registry Reviver Restore Point (05/30/14)
RP724: 5/30/2014 11:46:17 PM - Installed Microsoft Office Word Viewer 2003
RP725: 5/31/2014 12:04:03 AM - Windows Update
RP726: 5/31/2014 8:28:48 AM - Installed Compatibility Pack for the 2007 Office system
RP727: 5/31/2014 8:32:49 AM - Removed Compatibility Pack for the 2007 Office system
RP728: 6/1/2014 12:05:43 AM - Windows Update
RP730: 6/1/2014 9:35:20 AM - Registry Reviver Restore Point (06/01/14)
RP731: 6/1/2014 4:30:32 PM - Restore Operation
RP733: 6/1/2014 4:46:39 PM - Registry Reviver Restore Point (06/01/14)
RP735: 6/2/2014 6:46:47 PM - Registry Reviver Restore Point (06/02/14)
RP737: 6/3/2014 9:38:08 PM - Registry Reviver Restore Point (06/03/14)
RP739: 6/5/2014 9:28:09 PM - Registry Reviver Restore Point (06/05/14)
RP741: 6/6/2014 8:07:10 PM - Registry Reviver Restore Point (06/06/14)
RP742: 6/6/2014 11:57:49 PM - Windows Update
RP744: 6/7/2014 8:57:57 AM - Registry Reviver Restore Point (06/07/14)
RP745: 6/7/2014 11:48:07 AM - IObit Uninstaller restore point
RP747: 6/8/2014 8:41:56 AM - Registry Reviver Restore Point (06/08/14)
.
==== Installed Programs ======================
.
4500_Help
4500_K710_Help_web
4500K710_Software_Min
4500K710_Web
64 Bit HP CIO Components Installer
ActiveCheck component for HP Active Support Library
Adobe Flash Player 13 ActiveX
Adobe Reader X (10.1.10)
Advanced Audio FX Engine
Advanced SystemCare 7
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
Audible Download Manager
Auslogics Disk Defrag
Belarc Advisor 8.3
Bonjour
bpd_scan
BPDSoftware
BPDSoftware_Ini
Broadcom Gigabit NetLink Controller
BufferChm
Business Plan Pro 2004
Byki
Byki Deluxe
CCleaner
Comodo Dragon
COMODO Internet Security
Comodo TrustConnect v.1.7.3
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Driver Download Manager
Dell Edoc Viewer
Dell Getting Started Guide
Dell Home Systems Service Agreement
Dell Product Registration
Dell VideoStage
Dell Webcam Central
Destinations
DeviceDiscovery
Dragon NaturallySpeaking 12
Driver Reviver
ESET NOD32 Antivirus
Fax
FileZilla Client 3.7.1.1
GoodSync
Google Toolbar for Internet Explorer
Google Update Helper
Google+ Auto Backup
GoToAssist Corporate
GPBaseService2
Hancom Office 2010 SE+ Viewer
Hewlett-Packard ACLM.NET v1.1.0.0
HP Imaging Device Functions 13.0
HP Officejet 4500 K710
HP Product Detection
HP Solution Center 13.0
HPAsset component for HP Active Support Library
HPProductAssistant
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Components
Intel(R) PROSet/Wireless WiFi Software
Intel(R) Rapid Storage Technology
Internet Explorer
Internet Explorer (Enable DEP)
IObit Uninstaller
iTunes
ITunes Duplicate Remover
J4500
Java 7 Update 51
Java Auto Updater
Junk Mail filter update
Korean Fonts Support For Adobe Reader X
Lexmark 2600 Series
Magic DVD Copier V6.1.0
Magic DVD Ripper V6.1.0
Malwarebytes Anti-Malware version 2.0.2.1012
MediaWidget 6.0
Mesh Runtime
Messenger Companion
Microsoft .NET Framework 4.5.1
Microsoft Application Error Reporting
Microsoft Mouse and Keyboard Center
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Professional Plus 2013 - en-us
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyDataBase
Network64
Office 15 Click-to-Run Extensibility Component
Office 15 Click-to-Run Licensing Component
Office 15 Click-to-Run Localization Component
Officejet J4500 Series
Palm Desktop by ACCESS
ParetoLogic Privacy Controls
Password Safe
Picasa 3
ProductContext
Quicken 2004
Quickset64
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
RealUpgrade 1.1
Registry Reviver
RoboForm 7-9-7-5 (All Users)
Rosetta Stone Ltd Services
Roxio Burn
Scan
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
Security Update for Microsoft .NET Framework 4.5.1 (KB2931368)
Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2810073) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826023) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826035) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2878284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2880971) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2863926) 32-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
SES Driver
Skype Toolbars
Skype 6.11
SolutionCenter
Spybot - Search & Destroy
SpywareBlaster 5.0
Status
StrongVPN Client version 1.2
SUPERAntiSpyware
Surfing Protection
Synaptics Pointing Device Driver
TAP-Windows 9.9.2
TheSage
Toolbox
TrayApp
TreePad PLUS 7.7
True Image 2013
Unity Web Player
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition
Update for Microsoft Office 2010 (KB2878225) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition
Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition
Visual C++ 9.0 Runtime for Dragon NaturallySpeaking 64bit (x64)
Weather Exchange
WebReg
WIDCOMM Bluetooth Software
Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM (03/06/2009 1.0.0008.0)
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinZip 18.0
WordWeb Pro
WYO Home Inventory 4.20
.
==== Event Viewer Messages From Past Week ========
.
6/8/2014 8:41:34 AM, Error: NetBT [4311] - Initialization failed because the driver device could not be created. Use the string "000000000100320000000000D71000C011010000010000C000000000000000000000000000000000" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name. 
6/8/2014 8:24:50 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the lxdnCATSCustConnectService service to connect.
6/8/2014 8:24:50 AM, Error: Service Control Manager [7000] - The lxdnCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/8/2014 8:23:46 AM, Error: volmgr [46] - Crash dump initialization failed!
6/7/2014 9:50:35 PM, Error: NetBT [4311] - Initialization failed because the driver device could not be created. Use the string "000000000100320000000000D71000C011010000010000C004000000000000000000000000000000" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name. 
6/7/2014 9:42:59 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the afcdpsrv service.
6/7/2014 8:00:12 PM, Error: NetBT [4311] - Initialization failed because the driver device could not be created. Use the string "000000000100320000000000D71000C011010000010000C003000000000000000000000000000000" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name. 
6/7/2014 7:59:44 PM, Error: NetBT [4311] - Initialization failed because the driver device could not be created. Use the string "000000000100320000000000D71000C011010000010000C002000000000000000000000000000000" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name. 
6/7/2014 7:59:41 PM, Error: BTHUSB [17] - The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.
6/7/2014 12:38:12 PM, Error: NetBT [4311] - Initialization failed because the driver device could not be created. Use the string "000000000100320000000000D71000C011010000010000C001000000000000000000000000000000" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name. 
.
==== End Of File ===========================

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.17041 BrowserJavaVersion: 10.51.2
Run by Carl at 8:59:14 on 2014-06-08
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3893.735 [GMT 9:00]
.
AV: ESET NOD32 Antivirus 7.0 *Enabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: ESET NOD32 Antivirus 7.0 *Enabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
SP: COMODO Antivirus *Disabled/Outdated* {0C2D2636-923D-EE52-2A83-E643204A8275}
FW: COMODO Firewall *Enabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\BtwRSupportService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe
C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\system32\lxdncoms.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\StrongVPN\StrongService.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ReviverSoft\Driver Reviver\DriverReviver.exe
C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 7\Monitor.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\ProgramData\FLEXnet\Connect\11\agent.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Password Safe\pwsafe.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
C:\Program Files\COMODO\COMODO Internet Security\cis.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\StrongVPN\StrongDial.exe
C:\Program Files (x86)\Transparent\Byki 4\Deluxe\BYKI4Deluxe.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\WxEx\WxEx.exe
C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Windows\system32\taskhost.exe
C:\Users\Carl\Desktop\HijackThis.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://mentalfloss.com/
uSearch Bar = Preserve
uSearch Page = hxxp://www.google.com
mSearch Page = hxxp://www.google.com/
mDefault_Search_URL = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/
mWinlogon: Userinit = userinit.exe,
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll
BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Ads Removal: {9D974C8C-6D92-44FB-BEAF-B45A1C0CF17F} - C:\Program Files (x86)\IObit\IObit Malware Fighter\adsremoval\IE\Adblock.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL
BHO: Advanced SystemCare Browser Protection: {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\office15\GROOVEEX.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: &RoboForm Toolbar: {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [Advanced SystemCare 7] "C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe" /Auto
uRun: [StrongVPN Client] "C:\Program Files (x86)\StrongVPN\StrongDial.exe" --silent
uRun: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
mRun: [ISUSScheduler] "C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe" -start
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
mRun: [AcronisTibMounterMonitor] C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler
mRun: [DNS7reminder] "C:\Program Files (x86)\Nuance\NaturallySpeaking12\Ereg\Ereg.exe" -r "C:\ProgramData\Nuance\NaturallySpeaking12\Ereg.ini"
mRun: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\Carl\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PASSWO~1.LNK - C:\Program Files (x86)\Password Safe\pwsafe.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Customize Menu - C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Fill Forms - C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComFillForms.html
IE: Save Forms - C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComSavePass.html
IE: Se&nd to OneNote - C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
IE: Show RoboForm Toolbar - C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComShowToolbar.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-001051-0002-0051-ABCDEFFEDCBC} - <orphaned>
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll
IE: {2F5C139F-79BD-4C84-A95A-E7140525BC55} - {5B06364D-FF00-4BD5-9D01-4379952513F2} - <orphaned>
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect118.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
TCP: NameServer = 168.126.63.1 168.126.63.2
TCP: Interfaces\{1DA96233-8E7B-464F-9E92-400468F30591} : NameServer = 216.169.129.2 216.169.130.2
TCP: Interfaces\{637AC0A6-E97F-4DD3-BC08-96932D7654D0} : DHCPNameServer = 168.126.63.1 168.126.63.2
TCP: Interfaces\{71954841-135B-4F40-A9CD-043CD2C0A4F6} : NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{722ED704-906C-46A6-8370-CBEB7A9BB0F6} : NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{DFF3FE39-CF32-4E36-94DA-895958524BDA} : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{DFF3FE39-CF32-4E36-94DA-895958524BDA}\C4740255B20273131313 : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{DFF3FE39-CF32-4E36-94DA-895958524BDA}\C4740255B20273131313 : DHCPNameServer = 203.248.252.2
TCP: Interfaces\{DFF3FE39-CF32-4E36-94DA-895958524BDA}\C4740255B273130343 : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{DFF3FE39-CF32-4E36-94DA-895958524BDA}\C4740255B273130343 : DHCPNameServer = 203.248.252.2 164.124.101.2 208.67.222.222
TCP: Interfaces\{EC9D303B-2D0C-4783-87DA-46DD644894B0} : NameServer = 0.0.0.0
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: ExplorerWnd Helper: {10921475-03CE-4E04-90CE-E2E7EF20C814} - C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-BHO: PrivDog Extension: {FB16E5C3-A9E2-47A2-8EFC-319E775E62CC} - C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll
x64-TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
x64-Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray
x64-Run: [EzPrint] "C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe"
x64-Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"
x64-Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
x64-Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {2F5C139F-79BD-4C84-A95A-E7140525BC55} - {5B06364D-FF00-4BD5-9D01-4379952513F2} - C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - <orphaned>
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 fltsrv;Acronis Storage Filter Management;C:\Windows\System32\drivers\fltsrv.sys [2011-12-2 108832]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-1-21 55280]
R0 tib;Acronis TIB Manager;C:\Windows\System32\drivers\tib.sys [2013-10-13 1120032]
R0 tib_mounter;Acronis TIB Mounter;C:\Windows\System32\drivers\tib_mounter.sys [2013-10-13 183224]
R0 vididr;Acronis Virtual Disk;C:\Windows\System32\drivers\vididr.sys [2013-10-13 161568]
R0 vidsflt;Acronis Disk Storage Filter;C:\Windows\System32\drivers\vidsflt.sys [2012-12-14 117024]
R1 cmderd;COMODO Internet Security Eradication Driver;C:\Windows\System32\drivers\cmderd.sys [2013-1-16 23168]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;C:\Windows\System32\drivers\cmdguard.sys [2013-1-16 738472]
R1 cmdHlp;COMODO Internet Security Helper Driver;C:\Windows\System32\drivers\cmdhlp.sys [2013-1-16 48360]
R1 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2013-9-17 239320]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-23 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-13 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-12 140672]
R2 AdvancedSystemCareService7;Advanced SystemCare Service 7;C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe [2013-11-11 881952]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-1-21 98208]
R2 afcdpsrv;Acronis Nonstop Backup Service;C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2013-10-13 3783672]
R2 BcmBtRSupport;Bluetooth Driver Management Service;C:\Windows\System32\BtwRSupportService.exe [2013-10-28 2255064]
R2 ClickToRunSvc;Microsoft Office ClickToRun Service;C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe [2014-5-24 2266296]
R2 DragonSvc;Dragon Service;C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe [2012-7-18 310232]
R2 DragonUpdater;COMODO Dragon Update Service;C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [2014-5-21 2135232]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2013-9-12 1337752]
R2 epfwwfpr;epfwwfpr;C:\Windows\System32\drivers\epfwwfpr.sys [2013-9-17 157432]
R2 GsServer;GoodSync Server;C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe [2014-2-15 8117904]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-4-16 13336]
R2 lxdn_device;lxdn_device;C:\Windows\System32\lxdncoms.exe -service --> C:\Windows\System32\lxdncoms.exe -service [?]
R2 RosettaStoneDaemon;RosettaStoneDaemon;C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe [2011-4-15 1646056]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-6-16 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-6-16 1033688]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-6-16 171928]
R2 StrongVPN Service;StrongVPN Service;C:\Program Files (x86)\StrongVPN\StrongService.exe [2013-2-25 97776]
R2 syncagentsrv;Acronis Sync Agent Service;C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [2013-3-20 7084672]
R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-1-21 2533400]
R3 afcdp;afcdp;C:\Windows\System32\drivers\afcdp.sys [2013-10-13 367200]
R3 bcbtums;Bluetooth USB LD Filter;C:\Windows\System32\drivers\bcbtums.sys [2013-10-28 170712]
R3 btwampfl;btwampfl;C:\Windows\System32\drivers\btwampfl.sys [2013-8-9 166104]
R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2012-1-8 35104]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2011-1-21 175168]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2011-1-21 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-1-21 158976]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-11-27 317440]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2011-1-21 74280]
R3 tapstrong;StrongVPN Adapter;C:\Windows\System32\drivers\tapstrong.sys [2013-2-25 35520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 LiveUpdateSvc;LiveUpdate;C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2013-11-11 2152736]
S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;C:\Windows\System32\spool\drivers\x64\3\lxdnserv.exe [2009-4-28 29184]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;C:\Windows\System32\drivers\ssadadb.sys [2011-5-13 36328]
S3 btusbflt;Bluetooth USB Filter;C:\Windows\System32\drivers\btusbflt.sys [2010-4-14 54824]
S3 cmdvirth;COMODO Virtual Service Manager;C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2013-1-24 2264280]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-4-11 111616]
S3 mbamchameleon;mbamchameleon;C:\Windows\System32\drivers\mbamchameleon.sys [2014-6-7 92888]
S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2010-3-6 340240]
S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2011-1-21 7680512]
S3 rcmirror;rcmirror;C:\Windows\System32\drivers\rcmirror.sys [2010-1-18 4608]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-12-9 19456]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUStor.sys [2011-1-21 250984]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\System32\drivers\ssadbus.sys [2011-5-13 157672]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\System32\drivers\ssadmdfl.sys [2011-5-13 16872]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\System32\drivers\ssadmdm.sys [2011-5-13 177640]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);C:\Windows\System32\drivers\ssadserd.sys [2011-5-13 146920]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-12-9 57856]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-6-16 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-23 57184]
.
=============== File Associations ===============
.
FileExt: .vbe: VBEFile=NOTEPAD.EXE %1
FileExt: .vbs: VBSFile=NOTEPAD.EXE %1
FileExt: .js: JSFile=NOTEPAD.EXE %1
FileExt: .jse: JSEFile=NOTEPAD.EXE %1
FileExt: .wsf: WSFFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2014-06-07 11:52:14	75888	----a-w-	C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{30F7CF17-E210-4477-BE93-FC88765E6CB2}\offreg.dll
2014-06-07 03:02:33	--------	d-----w-	C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-06-07 02:54:42	92888	----a-w-	C:\Windows\System32\drivers\mbamchameleon.sys
2014-06-07 02:54:42	63704	----a-w-	C:\Windows\System32\drivers\mwac.sys
2014-06-07 02:54:42	25816	----a-w-	C:\Windows\System32\drivers\mbam.sys
2014-06-07 02:54:42	--------	d-----w-	C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-06-06 14:58:25	10702536	----a-w-	C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{30F7CF17-E210-4477-BE93-FC88765E6CB2}\mpengine.dll
2014-06-03 13:02:56	--------	d-----w-	C:\Program Files (x86)\iTunes
2014-05-30 14:46:08	--------	d-----w-	C:\Program Files (x86)\MSECache
2014-05-24 02:42:39	589008	----a-w-	C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-05-24 02:35:58	--------	d-----w-	C:\ProgramData\regid.1991-06.com.microsoft
2014-05-24 02:25:04	--------	d-----w-	C:\Program Files\Microsoft Office 15
2014-05-19 11:25:32	477184	----a-w-	C:\Windows\System32\aepdu.dll
2014-05-19 11:25:30	424448	----a-w-	C:\Windows\System32\aeinv.dll
2014-05-17 01:26:21	--------	d-----w-	C:\Users\Carl\AppData\Roaming\ProductData
2014-05-16 00:39:08	773968	----a-w-	C:\Windows\SysWow64\msvcr100.dll
2014-05-16 00:39:08	421200	----a-w-	C:\Windows\SysWow64\msvcp100.dll
2014-05-15 12:56:10	2724864	----a-w-	C:\Windows\SysWow64\mshtml.tlb
2014-05-15 12:56:07	2724864	----a-w-	C:\Windows\System32\mshtml.tlb
2014-05-10 10:13:40	--------	d-----w-	C:\ProgramData\RegistryReviver.exe
.
==================== Find3M ====================
.
2014-06-07 03:02:32	128728	----a-w-	C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-05-29 11:03:06	48392	----a-w-	C:\Windows\SysWow64\certsentry.dll
2014-05-29 11:03:04	57096	----a-w-	C:\Windows\System32\certsentry.dll
2014-05-16 02:07:02	829264	----a-w-	C:\Windows\System32\msvcr100.dll
2014-05-16 02:07:02	608080	----a-w-	C:\Windows\System32\msvcp100.dll
2014-05-14 13:48:47	692400	----a-w-	C:\Windows\SysWow64\FlashPlayerApp.exe
2014-05-14 13:48:46	70832	----a-w-	C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-16 21:12:56	48360	----a-w-	C:\Windows\System32\drivers\cmdhlp.sys
2014-04-16 21:12:55	738472	----a-w-	C:\Windows\System32\drivers\cmdguard.sys
2014-04-16 21:12:55	23168	----a-w-	C:\Windows\System32\drivers\cmderd.sys
2014-04-14 17:34:10	1070232	----a-w-	C:\Windows\SysWow64\MSCOMCTL.OCX
2014-04-12 02:22:05	95680	----a-w-	C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05	155072	----a-w-	C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38	29184	----a-w-	C:\Windows\System32\sspisrv.dll
2014-04-12 02:19:38	136192	----a-w-	C:\Windows\System32\sspicli.dll
2014-04-12 02:19:37	28160	----a-w-	C:\Windows\System32\secur32.dll
2014-04-12 02:19:32	1460736	----a-w-	C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05	31232	----a-w-	C:\Windows\System32\lsass.exe
2014-04-12 02:12:06	22016	----a-w-	C:\Windows\SysWow64\secur32.dll
2014-04-12 02:10:56	96768	----a-w-	C:\Windows\SysWow64\sspicli.dll
2014-03-31 00:35:08	270496	------w-	C:\Windows\System32\MpSigStub.exe
2014-03-25 19:22:37	43216	----a-w-	C:\Windows\System32\cmdcsr.dll
2014-03-25 19:22:36	363504	----a-w-	C:\Windows\SysWow64\guard32.dll
2014-03-25 19:22:35	453680	----a-w-	C:\Windows\System32\guard64.dll
2014-03-25 19:22:29	352984	----a-w-	C:\Windows\System32\cmdvrt64.dll
2014-03-25 19:22:28	45784	----a-w-	C:\Windows\System32\cmdkbd64.dll
2014-03-25 19:22:25	284888	----a-w-	C:\Windows\SysWow64\cmdvrt32.dll
2014-03-25 19:22:23	40664	----a-w-	C:\Windows\SysWow64\cmdkbd32.dll
2014-03-16 00:28:17	484864	----a-w-	C:\Windows\System32\wer.dll
2014-03-16 00:28:17	381440	----a-w-	C:\Windows\SysWow64\wer.dll
2014-03-16 00:27:05	228864	----a-w-	C:\Windows\System32\wwansvc.dll
2009-07-06 01:43:32	943104	----a-w-	C:\Program Files\amis.exe


----------



## referee07 (Sep 11, 2003)

I don't think that the GMER scan was posted, so I am posting it here and on the following pages:

============= FINISH: 9:01:46.42 ===============
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-08 10:03:34
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.D005 465.76GB
Running: f6p7s1lr.exe; Driver: C:\Users\Carl\AppData\Local\Temp\pxryypog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800045b8000 45 bytes [00, 00, 05, 02, 4D, 6C, 6F, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800045b802f 16 bytes [00, 01, 00, 00, 00, 01, 00, ...]

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a01360 8 bytes JMP 000000016fff00d8
.text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a01560 8 bytes JMP 000000016fff0110
.text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 8 bytes JMP 000000016fff0148
.text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077a01360 8 bytes JMP 000000016fff00d8
.text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077a01560 8 bytes JMP 000000016fff0110
.text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 8 bytes JMP 000000016fff0148
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\services.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes {JMP QWORD [RIP+0x87af9e0]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 06]
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff844750 6 bytes {JMP QWORD [RIP+0x10b8e0]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\SspiCli.dll!EncryptMessage 000007fefd5c50a0 6 bytes {JMP QWORD [RIP+0x6af90]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 0000000077796ef0 6 bytes {JMP QWORD [RIP+0x8c49140]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SystemParametersInfoA 0000000077798184 6 bytes {JMP QWORD [RIP+0x8d27eac]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetParent 0000000077798530 6 bytes {JMP QWORD [RIP+0x8c67b00]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetWindowLongA 0000000077799bcc 6 bytes {JMP QWORD [RIP+0x89c6464]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!PostMessageA 000000007779a404 6 bytes {JMP QWORD [RIP+0x8a05c2c]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!EnableWindow 000000007779aaa0 6 bytes {JMP QWORD [RIP+0x8d65590]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!MoveWindow 000000007779aad0 6 bytes {JMP QWORD [RIP+0x8c85560]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!GetAsyncKeyState 000000007779c720 6 bytes {JMP QWORD [RIP+0x8c23910]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!RegisterHotKey 000000007779cd50 6 bytes {JMP QWORD [RIP+0x8d032e0]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!PostThreadMessageA 000000007779d2b0 6 bytes {JMP QWORD [RIP+0x8a42d80]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageA 000000007779d338 6 bytes {JMP QWORD [RIP+0x8a82cf8]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendNotifyMessageW 000000007779dc40 6 bytes {JMP QWORD [RIP+0x8b623f0]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SystemParametersInfoW 000000007779f510 6 bytes {JMP QWORD [RIP+0x8d40b20]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetWindowsHookExW  000000007779f874 6 bytes {JMP QWORD [RIP+0x89807bc]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 000000007779fac0 6 bytes {JMP QWORD [RIP+0x8ae0570]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!PostThreadMessageW 00000000777a0b74 6 bytes {JMP QWORD [RIP+0x8a5f4bc]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetWindowLongW 00000000777a33b0 6 bytes {JMP QWORD [RIP+0x89dcc80]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 00000000777a4d4d 5 bytes {JMP QWORD [RIP+0x899b2e4]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!GetKeyState 00000000777a5010 6 bytes {JMP QWORD [RIP+0x8bfb020]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageCallbackW 00000000777a5438 6 bytes {JMP QWORD [RIP+0x8b1abf8]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageW 00000000777a6b50 6 bytes {JMP QWORD [RIP+0x8a994e0]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!PostMessageW 00000000777a76e4 6 bytes {JMP QWORD [RIP+0x8a1894c]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 00000000777add90 6 bytes {JMP QWORD [RIP+0x8b922a0]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!GetClipboardData 00000000777ae874 6 bytes {JMP QWORD [RIP+0x8cd17bc]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetClipboardViewer 00000000777af780 6 bytes {JMP QWORD [RIP+0x8c908b0]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000777b28e4 6 bytes {JMP QWORD [RIP+0x8b2d74c]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!mouse_event 00000000777b3894 6 bytes {JMP QWORD [RIP+0x892c79c]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!GetKeyboardState 00000000777b8a10 6 bytes {JMP QWORD [RIP+0x8bc7620]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 00000000777b8be0 6 bytes {JMP QWORD [RIP+0x8aa7450]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SetWindowsHookExA 00000000777b8c20 6 bytes {JMP QWORD [RIP+0x8947410]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendInput 00000000777b8cd0 6 bytes {JMP QWORD [RIP+0x8ba7360]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!BlockInput 00000000777bad60 6 bytes {JMP QWORD [RIP+0x8ca52d0]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000777e14e0 6 bytes {JMP QWORD [RIP+0x8d3eb50]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!keybd_event 00000000778045a4 6 bytes {JMP QWORD [RIP+0x88bba8c]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007780cc08 6 bytes {JMP QWORD [RIP+0x8b13428]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007780df18 6 bytes {JMP QWORD [RIP+0x8a92118]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Windows\system32\services.exe[776] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes JMP 0
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 06]
.text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes JMP 0
.text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!DeleteDC  000007fefdff22d0 6 bytes JMP 0
.text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes JMP 0
.text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes JMP 0
.text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes JMP 0
.text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes JMP 0
.text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes JMP 0
.text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes JMP 10002
.text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes JMP 656c676f
.text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdbea6f0 6 bytes JMP 0
.text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc10c10 6 bytes JMP 0
.text C:\Windows\system32\lsass.exe[784] C:\Windows\system32\SspiCli.dll!EncryptMessage 0000000000d750a0 6 bytes {JMP QWORD [RIP+0x7af90]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text  C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 06]
.text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes JMP 0
.text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes JMP 0
.text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes JMP 61004e
.text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes JMP 0
.text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes JMP 0
.text C:\Windows\system32\lsm.exe[792] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011750a0 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 06]
.text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff844750 6 bytes {JMP QWORD [RIP+0x10b8e0]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Windows\system32\svchost.exe[912] C:\Windows\system32\GDI32.dll!PlgBlt  000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x173780]}
.text C:\Windows\system32\svchost.exe[912] c:\windows\system32\SspiCli.dll!EncryptMessage 00000000012550a0 6 bytes {JMP QWORD [RIP+0x9af90]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes [FC, 70]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 70fa000a


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 2:

.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70df000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70df000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70cd000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70cd000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7100000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7100000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes [ED, 70]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes [D5, 70]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d0000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d0000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes [EA, 70]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes [D2, 70]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes [E7, 70]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes [F6, 70]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes [F3, 70]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 717e000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 7178000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes {JMP QWORD [RIP+0x718c001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes {JMP QWORD [RIP+0x716e001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes {JMP QWORD [RIP+0x7174001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes {JMP QWORD [RIP+0x7186001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes {JMP QWORD [RIP+0x7189001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes {JMP QWORD [RIP+0x7171001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 715a000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 714e000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 7109000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes {JMP QWORD [RIP+0x7147001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes {JMP QWORD [RIP+0x7141001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes {JMP QWORD [RIP+0x715f001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes [0E, 71]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 7154000a
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes {JMP QWORD [RIP+0x7126001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes [1D, 71]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes {JMP QWORD [RIP+0x7105001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes [1A, 71]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes {JMP QWORD [RIP+0x7156001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes {JMP QWORD [RIP+0x7150001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes {JMP QWORD [RIP+0x715c001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes {JMP QWORD [RIP+0x714a001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes {JMP QWORD [RIP+0x710b001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes {JMP QWORD [RIP+0x7162001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes {JMP QWORD [RIP+0x7135001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes {JMP QWORD [RIP+0x713b001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes {JMP QWORD [RIP+0x7144001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes {JMP QWORD [RIP+0x7165001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes [17, 71]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes {JMP QWORD [RIP+0x7132001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes {JMP QWORD [RIP+0x712f001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes {JMP QWORD [RIP+0x7123001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes [29, 71]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes [2C, 71]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes {JMP QWORD [RIP+0x7111001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes {JMP QWORD [RIP+0x7102001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes {JMP QWORD [RIP+0x7168001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes {JMP QWORD [RIP+0x716b001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes {JMP QWORD [RIP+0x713e001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes {JMP QWORD [RIP+0x7138001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes [14, 71]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes [20, 71]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes {JMP QWORD [RIP+0x7195001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes {JMP QWORD [RIP+0x717a001e]}
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe[972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff844750 6 bytes {JMP QWORD [RIP+0x10b8e0]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x173780]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdbea6f0 6 bytes {JMP QWORD [RIP+0xb5940]}
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc10c10 6 bytes JMP 6200620
.text C:\Windows\system32\svchost.exe[404] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000010f50a0 6 bytes {JMP QWORD [RIP+0x7af90]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes JMP 8
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes {JMP QWORD [RIP+0x87af9e0]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x173780]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdbea6f0 6 bytes {JMP QWORD [RIP+0xb5940]}
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc10c10 6 bytes JMP 6200620
.text C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000013550a0 6 bytes {JMP QWORD [RIP+0x44af90]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes {JMP QWORD [RIP+0x87af9e0]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x173780]}
.text C:\Windows\System32\svchost.exe[1092] C:\Windows\System32\SSPICLI.DLL!EncryptMessage 00000000012450a0 6 bytes {JMP QWORD [RIP+0x9af90]}
.text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes JMP 8667938
.text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes JMP 8564d21
.text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes JMP 8d3f600
.text C:\Windows\System32\svchost.exe[1124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes JMP 8c483e9


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 3:

.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1812] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdbea6f0 6 bytes JMP 0
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1812] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc10c10 6 bytes JMP 0
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1812] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x10fdd60]}
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1812] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x111db78]}
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1812] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x113a450]}
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1812] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x10b7cac]}
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1812] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x109766c]}
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1812] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x10d6cf4]}
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1812] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x1174648]}
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe[1812] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x1153780]}
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70df000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70df000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 7103000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 7103000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 7100000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 7100000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7106000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7106000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7160000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 7154000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 710f000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 714e000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7148000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7166000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 7115000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 7115000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 715a000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 712d000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 7124000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 7124000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 710c000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 7121000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7121000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 715d000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7157000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 7163000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7151000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 7112000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7169000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 713c000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 7142000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 714b000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 716c000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 711e000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 711e000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7139000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 7136000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 712a000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 7130000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 7130000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 7133000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 7133000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 7118000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 7109000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 716f000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 7172000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 7145000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 713f000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 711b000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 711b000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7127000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7127000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 7184000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 717e000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718d000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 7175000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 717b000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7178000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7196000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 7181000a
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe[1880] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe[1880] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes {JMP QWORD [RIP+0x87af9e0]}
.text C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe[1880] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe[1880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 06]
.text C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe[1880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe[1880] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe[1880] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe[1880] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe[1880] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe[1880] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe[1880] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes JMP 15acb
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70df000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70df000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 7103000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 7103000a


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 4:

.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 7100000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 7100000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7106000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7106000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7196000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 7181000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 7184000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 717e000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718d000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 7175000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 717b000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7178000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7160000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 7154000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 710f000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 714e000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7148000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7166000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 7115000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 7115000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 715a000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 712d000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 7124000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 7124000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 710c000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 7121000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7121000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 715d000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7157000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 7163000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7151000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 7112000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7169000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 713c000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 7142000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 714b000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 716c000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 711e000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 711e000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7139000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 7136000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 712a000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 7130000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 7130000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 7133000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 7133000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 7118000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 7109000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 716f000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 7172000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 7145000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 713f000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 711b000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 711b000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7127000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7127000a
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes {JMP QWORD [RIP+0x87af9e0]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 0A]
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0E]
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x140dd60]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x142db78]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\system32\GDI32.dll!MaskBlt  000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x144a450]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x13c7cac]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x13a766c]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x13e6cf4]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x1484648]}
.text C:\Windows\system32\BtwRSupportService.exe[1972] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x1463780]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 0A]
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdbea6f0 6 bytes {JMP QWORD [RIP+0xb5940]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc10c10 6 bytes {JMP QWORD [RIP+0xaf420]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x1fdd60]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x21db78]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x23a450]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x1b7cac]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x19766c]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]}
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes JMP 0
.text C:\Program Files\Bonjour\mDNSResponder.exe[2004] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x253780]}
.text C:\Windows\system32\svchost.exe[2024] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Windows\system32\svchost.exe[2024] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\svchost.exe[2024] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Windows\system32\svchost.exe[2024] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Windows\system32\svchost.exe[2024] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Windows\system32\svchost.exe[2024] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Windows\system32\svchost.exe[2024] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Windows\system32\svchost.exe[2024] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Windows\system32\svchost.exe[2024] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Windows\system32\svchost.exe[2024] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x173780]}
.text C:\Windows\system32\svchost.exe[2024] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012f50a0 6 bytes {JMP QWORD [RIP+0x4aaf90]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes {JMP QWORD [RIP+0x87af9e0]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 0A]
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0E]
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x1fdd60]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x21db78]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x23a450]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x1b7cac]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x19766c]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x274648]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1052] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x253780]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes JMP 730065
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes JMP 770077
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes JMP 0
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 5:

.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7157000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 7163000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7151000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 7112000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7169000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 713c000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 7142000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 714b000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA  0000000075f5835c 6 bytes JMP 716c000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 711e000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 711e000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7139000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 7136000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 712a000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 7130000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 7130000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 7133000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 7133000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 7118000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 7109000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 716f000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 7172000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 7145000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 713f000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 711b000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 711b000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7127000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7127000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 7184000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 717e000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718d000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 7175000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 717b000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7187000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7178000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7196000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7193000a
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Windows\SysWOW64\svchost.exe[2560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 06]
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\system32\GDI32.dll!DeleteDC  000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Windows\system32\lxdncoms.exe[2712] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes JMP 15acb
.text C:\Windows\System32\svchost.exe[2744] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Windows\System32\svchost.exe[2744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\System32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Windows\System32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Windows\System32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Windows\System32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Windows\System32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Windows\System32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Windows\System32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Windows\System32\svchost.exe[2744] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x173780]}
.text C:\Windows\System32\svchost.exe[2744] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA  000007fefdbea6f0 6 bytes {JMP QWORD [RIP+0xb5940]}
.text C:\Windows\System32\svchost.exe[2744] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc10c10 6 bytes JMP 6200620
.text C:\Windows\System32\svchost.exe[2824] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Windows\System32\svchost.exe[2824] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\System32\svchost.exe[2824] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Windows\System32\svchost.exe[2824] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Windows\System32\svchost.exe[2824] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Windows\System32\svchost.exe[2824] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Windows\System32\svchost.exe[2824] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Windows\System32\svchost.exe[2824] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Windows\System32\svchost.exe[2824] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Windows\System32\svchost.exe[2824] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x173780]}
.text C:\Windows\System32\svchost.exe[2824] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdbea6f0 6 bytes {JMP QWORD [RIP+0xb5940]}
.text C:\Windows\System32\svchost.exe[2824] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc10c10 6 bytes JMP 6200620
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2844] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 0A]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2844] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0E]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2844] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x140dd60]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2844] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x142db78]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2844] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x144a450]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2844] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x13c7cac]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2844] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x13a766c]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2844] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x13e6cf4]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2844] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x1484648]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2844] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x1463780]}


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 6:

.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70df000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70df000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4  0000000077baffa8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 7103000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 7103000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 7100000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 7100000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7106000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7106000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\ADVAPI32.DLL!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7196000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\ADVAPI32.DLL!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7193000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 7181000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 7184000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 717e000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718d000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 7175000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 717b000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7187000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7178000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7160000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 7154000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 710f000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 714e000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7148000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7166000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 7115000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 7115000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 715a000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 712d000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 7124000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 7124000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 710c000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 7121000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7121000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 715d000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7157000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 7163000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7151000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 7112000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7169000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 713c000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 7142000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 714b000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 716c000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 711e000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 711e000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7139000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 7136000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 712a000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 7130000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 7130000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 7133000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 7133000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 7118000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 7109000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 716f000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 7172000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 7145000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 713f000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 711b000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 711b000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7127000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7127000a
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe[2960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4  0000000077bafcb4 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70df000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70df000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70ca000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70ca000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70cd000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70cd000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d0000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d0000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a5000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\kernel32.dll!CreateProcessA  0000000075c01072 6 bytes JMP 7196000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 718d000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71a90000
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 717b000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 7175000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 716c000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 7172000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7184000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 716f000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7157000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 714b000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 7106000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 7145000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 713f000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 715d000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 710c000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 710c000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 7151000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 7124000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 711b000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 711b000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 7103000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 7118000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7118000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 7154000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 714e000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 715a000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7148000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 7109000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7160000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 7133000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 7139000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 7142000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 7163000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 7115000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 7115000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7130000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 712d000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 7121000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 7127000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 7127000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 712a000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 712a000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 710f000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 7100000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 7166000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 7169000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 713c000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 7136000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 7112000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 7112000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 711e000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 711e000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 7178000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe[3020] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x173780]}
.text C:\Windows\system32\svchost.exe[3184] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012550a0 6 bytes {JMP QWORD [RIP+0x9af90]}
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70df000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70df000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 7103000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 7103000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 7100000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 7100000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7106000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7106000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7160000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 7154000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 710f000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 714e000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7148000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7166000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 7115000a
.text C:\Program Files (x86)\StrongVPN\StrongService.exe[3204] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 7115000a


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 7:

.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 7154000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 714e000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 715a000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7148000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 70ff000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7160000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 7129000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 712f000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 7142000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA  0000000075f5835c 6 bytes JMP 7163000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 710b000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 710b000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7126000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 7123000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 7117000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 711d000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 711d000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 7120000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 7120000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 7105000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 70f6000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 7166000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 7169000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 713c000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 712c000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 7108000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 7108000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7114000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7114000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 7178000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe[3516] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70df000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70df000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4  0000000077baffa8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 7103000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 7103000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 7100000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 7100000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7106000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7106000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7160000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 7154000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 710f000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 714e000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW  0000000075f497d2 6 bytes JMP 7148000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7166000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 7115000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 7115000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 715a000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 712d000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 7124000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 7124000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 710c000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 7121000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7121000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe[3640] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 715d000a


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 8:

.text C:\Windows\Explorer.EXE[3848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes JMP 20005
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 61006b00
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes JMP 0
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x1fdd60]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x21db78]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x13aa450]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes JMP 0
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x13e4648]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x13c3780]}
.text C:\Windows\Explorer.EXE[3848] C:\Windows\system32\SSPICLI.DLL!EncryptMessage  000007fefd5c50a0 6 bytes JMP 9b3
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x1fdd60]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x21db78]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes JMP 0
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x1b7cac]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x19766c]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x274648]}
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes JMP 0
.text C:\Windows\system32\taskeng.exe[3924] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000011650a0 6 bytes {JMP QWORD [RIP+0xfaf90]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 06]
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters  000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x1fdd60]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x21db78]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x23a450]}
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes JMP 10004009
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes JMP 0
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes JMP 0
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes JMP 2bc5
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes JMP 1407
.text C:\Windows\system32\taskeng.exe[3992] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000024a50a0 6 bytes {JMP QWORD [RIP+0x7af90]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread  0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes JMP 0
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes JMP 0
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x23a450]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x1b7cac]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\system32\GDI32.dll!CreateDCA  000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x19766c]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x274648]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x253780]}
.text C:\Windows\system32\taskeng.exe[4044] C:\Windows\system32\SspiCli.dll!EncryptMessage 00000000024250a0 6 bytes {JMP QWORD [RIP+0x17af90]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes {JMP QWORD [RIP+0x87af9e0]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 06]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x10fdd60]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x111db78]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x113a450]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x10b7cac]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x109766c]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x10d6cf4]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x1174648]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x1153780]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdbea6f0 6 bytes {JMP QWORD [RIP+0x135940]}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc10c10 6 bytes JMP 2127f60
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4296] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 0000000003cd50a0 6 bytes {JMP QWORD [RIP+0x8af90]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort  0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes {JMP QWORD [RIP+0x87af9e0]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 0A]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0E]
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x140dd60]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x142db78]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x144a450]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x13c7cac]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x13a766c]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x13e6cf4]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x1484648]}
.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4308] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x1463780]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 06]
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x1fdd60]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes JMP 200b807
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x109a450]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x1b7cac]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x19766c]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x10d4648]}
.text C:\Windows\System32\igfxtray.exe[4316] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x10b3780]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes {JMP QWORD [RIP+0x87af9e0]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 0A]
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0E]
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x140dd60]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x142db78]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x144a450]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x13c7cac]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x13a766c]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x13e6cf4]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x1484648]}
.text C:\Program Files\Dell\QuickSet\quickset.exe[4412] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x1463780]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 9:

.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes {JMP QWORD [RIP+0x87af9e0]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 0A]
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0E]
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x140dd60]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x142db78]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x144a450]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x13c7cac]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x13a766c]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x13e6cf4]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x1484648]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x1463780]}
.text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[4432] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 000007fefd5c50a0 6 bytes {JMP QWORD [RIP+0x6af90]}
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70df000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70df000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70cd000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70cd000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7100000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7100000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d0000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d0000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 717e000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 7178000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718d000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 716f000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 7175000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7172000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 715a000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 714e000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 7109000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 7148000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7142000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7160000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 710f000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 710f000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 7154000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 7127000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 711e000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 711e000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 7106000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 711b000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 711b000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 7157000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7151000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 715d000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 714b000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 710c000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7163000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 7136000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 713c000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 7145000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 7166000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 7118000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 7118000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7133000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 7130000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 7124000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 712a000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 712a000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 712d000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 712d000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 7112000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 7103000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 7169000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 716c000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 713f000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 7139000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 7115000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 7115000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7121000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7121000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7196000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 717b000a
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[4540] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 06]
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[4540] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[4540] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdbea6f0 6 bytes JMP 9a9
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[4540] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc10c10 6 bytes JMP c75fd1e4
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[4540] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x1fdd60]}
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[4540] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes JMP 0
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[4540] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x109a450]}
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[4540] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x1b7cac]}
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[4540] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x19766c]}
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[4540] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]}
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[4540] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x10d4648]}
.text C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe[4540] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x10b3780]}
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71a90000
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7156000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 714a000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 7105000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 7144000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 713e000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 715c000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 710b000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 710b000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 7150000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 7123000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 711a000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 711a000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 7102000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 7117000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7117000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 7153000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 714d000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 7159000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7147000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 7108000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 715f000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 7132000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 7138000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 7141000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 7162000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 7114000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 7114000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 712f000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 712c000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 7120000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 7126000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 7126000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 7129000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 7129000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 710e000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 70ff000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 7165000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 7168000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 713b000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 7135000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 7111000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 7111000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 711d000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 711d000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 717b000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 7174000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 716b000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 7171000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7184000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 716e000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 7177000a
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe[5108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[4116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 10:

.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes {JMP QWORD [RIP+0x87af9e0]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x1fdd60]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x21db78]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x23a450]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes JMP 0
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes JMP 0
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes JMP 0
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x274648]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x253780]}
.text C:\Windows\system32\wbem\wmiprvse.exe[4672] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000017b50a0 6 bytes JMP 0
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70d0000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70d0000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70bb000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70bb000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70c1000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70c1000a
.text  C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70b8000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70b8000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70c4000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70c4000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70be000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70be000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70ac000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70ac000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 70df000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 70df000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70cd000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70cd000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70b5000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70b5000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70af000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70af000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70ca000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70ca000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70b2000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70b2000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70c7000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70c7000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 717b000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SetWindowLongW  0000000075f48332 6 bytes JMP 715a000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 712d000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 70e8000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 7127000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7121000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7160000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 7133000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 7106000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 70e5000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 7157000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7130000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 715d000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 712a000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 70eb000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7163000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 7115000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 711b000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 7124000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 7166000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7112000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 710f000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 7103000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 7109000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 7109000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 710c000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 710c000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 70f1000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 70e2000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 7169000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 716c000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 711e000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 7118000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7100000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7100000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 717e000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 7178000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718d000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 716f000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 7175000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7172000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7196000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Password Safe\pwsafe.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation  0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes {JMP QWORD [RIP+0x87af9e0]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 0A]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0E]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes JMP 0
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes JMP 21db78
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x13aa450]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes JMP 0
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes JMP 0
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes JMP 720050 C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x13e4648]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5148] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x13c3780]}
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess  0000000077bafcb0 3 bytes JMP 70f7000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f7000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70e2000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70e2000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e8000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e8000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70df000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70df000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70eb000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70eb000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 7103000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 7103000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 7100000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 7100000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70e5000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70e5000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70d3000a
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70d3000a


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 11:

.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7172000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 715a000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 714e000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 7109000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 7148000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7142000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7160000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 710f000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 710f000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 7154000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 7127000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 711e000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 711e000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 7106000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 711b000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 711b000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 7157000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7151000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 715d000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 714b000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 710c000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7163000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 7136000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 713c000a


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 12:

.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 7145000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 7166000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 7118000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 7118000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7133000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 7130000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 7124000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 712a000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 712a000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 712d000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 712d000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 7112000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 7103000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 7169000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 716c000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 713f000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 7139000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 7115000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 7115000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7121000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7121000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7196000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 717b000a
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe[5664] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70df000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70df000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 7103000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 7103000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 7100000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 7100000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7106000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7106000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7196000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 7181000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 7184000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 717e000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718d000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 7175000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 717b000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7178000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7160000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 7154000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 710f000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 714e000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7148000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7166000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 7115000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 7115000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 715a000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 712d000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 7124000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 7124000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 710c000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 7121000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7121000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 715d000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7157000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 7163000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7151000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 7112000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7169000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 713c000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 7142000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 714b000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 716c000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 711e000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 711e000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7139000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 7136000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 712a000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 7130000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 7130000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 7133000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 7133000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 7118000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 7109000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 716f000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 7172000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 7145000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 713f000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 711b000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 711b000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7127000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7127000a
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[5828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Windows\system32\wbem\unsecapp.exe[5896] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Windows\system32\wbem\unsecapp.exe[5896] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\wbem\unsecapp.exe[5896] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x1fdd60]}
.text C:\Windows\system32\wbem\unsecapp.exe[5896] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x21db78]}
.text C:\Windows\system32\wbem\unsecapp.exe[5896] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x23a450]}
.text C:\Windows\system32\wbem\unsecapp.exe[5896] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x1b7cac]}
.text C:\Windows\system32\wbem\unsecapp.exe[5896] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x19766c]}
.text C:\Windows\system32\wbem\unsecapp.exe[5896] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]}
.text C:\Windows\system32\wbem\unsecapp.exe[5896] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x274648]}
.text C:\Windows\system32\wbem\unsecapp.exe[5896] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x253780]}
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70d0000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70d0000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70bb000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70bb000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70c1000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70c1000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70b8000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70b8000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70c4000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70c4000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70be000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70be000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70ac000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70ac000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 70df000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 70df000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70cd000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70cd000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70b5000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70b5000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70af000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70af000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70ca000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70ca000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70b2000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70b2000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70c7000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70c7000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 717e000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 7178000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718d000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 716f000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 7175000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7172000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 715a000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 712d000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 70e8000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 7127000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7121000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7160000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 7133000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 7106000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 70e5000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 7157000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7130000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 715d000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 712a000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 70eb000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7163000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 7115000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 711b000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 7124000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 7166000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7112000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 710f000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 7103000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 7109000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 7109000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 710c000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 710c000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 70f1000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 70e2000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 7169000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 716c000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 711e000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 7118000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7100000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7100000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7196000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 717b000a
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe[6012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70df000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70df000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 7103000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 7103000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 7100000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 7100000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7106000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7106000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7196000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7193000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 7181000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 7184000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 717e000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718d000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 7175000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 717b000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7187000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7178000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7160000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 7154000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 710f000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 714e000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7148000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7166000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 7115000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 7115000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 715a000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 712d000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 7124000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 7124000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 710c000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 7121000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7121000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 715d000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7157000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 7163000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7151000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 7112000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7169000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 713c000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 7142000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 714b000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 716c000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 711e000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 711e000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7139000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 7136000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 712a000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 7130000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 7130000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 7133000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 7133000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 7118000a


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 13:

.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 7109000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 716f000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 7172000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 7145000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 713f000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 711b000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 711b000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7127000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7127000a
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\iTunes\iTunesHelper.exe[6060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes JMP 0
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes JMP 0
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x1fdd60]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x21db78]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x23a450]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x1b7cac]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x19766c]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]}
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes JMP ac4aac24
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes JMP 740069
.text C:\Windows\system32\SearchIndexer.exe[2668] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012850a0 6 bytes {JMP QWORD [RIP+0xfaf90]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x173780]}
.text C:\Windows\system32\svchost.exe[6740] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000011650a0 6 bytes {JMP QWORD [RIP+0x10af90]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 0A]
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0E]
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x1fdd60]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x21db78]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes JMP 0
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x1b7cac]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x19766c]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]}
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes JMP 274600
.text C:\Program Files\iPod\bin\iPodService.exe[6812] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes JMP 0
.text C:\Windows\system32\svchost.exe[6848] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000012250a0 6 bytes {JMP QWORD [RIP+0x3eaf90]}
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[7092] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes [B5, 6F, 06]
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[7092] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[7092] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[7092] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[7092] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x12a450]}
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[7092] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[7092] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x8766c]}
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[7092] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[7092] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes JMP 0
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[7092] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes JMP 0
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[7092] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007fefdbea6f0 6 bytes {JMP QWORD [RIP+0xb5940]}
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[7092] C:\Windows\system32\ADVAPI32.dll!CreateProcessWithLogonW 000007fefdc10c10 6 bytes {JMP QWORD [RIP+0xaf420]}
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70df000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70df000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 7103000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 7103000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 7100000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 7100000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7106000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7106000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7160000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 7154000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 710f000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 714e000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7148000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7166000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 7115000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 7115000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 715a000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 712d000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 7124000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 7124000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 710c000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 7121000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7121000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 715d000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7157000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 7163000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7151000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 7112000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7169000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 713c000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 7142000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 714b000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 716c000a
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4976] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 711e000a


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 14:

.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 711b000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 711b000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7136000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 7133000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 7127000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 712d000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 712d000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 7130000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 7130000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 7115000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 7106000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 716c000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 716f000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 7142000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 713c000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 7118000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 7118000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7124000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7124000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 7181000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 717b000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 7172000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 7178000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7184000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7175000a
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70df000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70df000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 7103000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 7103000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 7100000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 7100000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7106000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7106000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493  0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7160000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 7154000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 710f000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 714e000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7148000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7166000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 7115000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 7115000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 715a000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 712d000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 7124000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 7124000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 710c000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 7121000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7121000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 715d000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7157000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 7163000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7151000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 7112000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7169000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 713c000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 7142000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 714b000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 716c000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 711e000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 711e000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7139000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 7136000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 712a000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 7130000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 7130000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 7133000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SendInput + 4  0000000075f6ff4e 2 bytes JMP 7133000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 7118000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 7109000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 716f000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 7172000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 7145000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 713f000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 711b000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 711b000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7127000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7127000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 7184000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 717e000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718d000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 7175000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 717b000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7187000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7178000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7196000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7193000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 7181000a
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\StrongVPN\StrongDial.exe[6712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes JMP 0
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort  0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 00000000778998e0 6 bytes {JMP QWORD [RIP+0x8806750]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\kernel32.dll!CreateProcessW 00000000778b0650 6 bytes JMP 0
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\kernel32.dll!CreateProcessA 000000007792acf0 6 bytes {JMP QWORD [RIP+0x8755340]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 9000027
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0D]
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0xedd60]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x10db78]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes JMP 25c890f
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0xa7cac]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes JMP 6f
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\GDI32.dll!GetPixel  000007fefdff933c 6 bytes {JMP QWORD [RIP+0xc6cf4]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x194648]}
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes JMP a618a610
.text C:\Program Files\Internet Explorer\iexplore.exe[7608] C:\Windows\system32\SSPICLI.DLL!EncryptMessage 00000000034150a0 6 bytes {JMP QWORD [RIP+0x1eaf90]}
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70ed000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70ed000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70d8000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70d8000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70de000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70de000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70d5000a


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 15:

.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70d5000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70e1000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70e1000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 70f9000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 70f9000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 70f6000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 70f6000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70db000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70db000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70c9000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70c9000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 70fc000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 70fc000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70ea000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 00000000cc48d00d
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70d2000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70d2000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70cc000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70cc000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70e7000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70e7000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70cf000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70cf000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70e4000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70e4000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70f3000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70f3000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70f0000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70f0000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\advapi32.DLL!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7196000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\advapi32.DLL!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 7181000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SetWindowLongW 0000000075f48332 6 bytes JMP 7160000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!PostThreadMessageW 0000000075f48bff 6 bytes JMP 7154000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 7105000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SendMessageW 0000000075f49679 6 bytes JMP 714e000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7148000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7166000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!RegisterHotKey 0000000075f4efc9 3 bytes JMP 710b000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 710b000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!PostMessageW 0000000075f512a5 6 bytes JMP 715a000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!GetKeyState 0000000075f5291f 6 bytes JMP 7123000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SetParent 0000000075f52d64 3 bytes JMP 711a000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SetParent + 4 0000000075f52d68 2 bytes JMP 711a000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!EnableWindow 0000000075f52da4 6 bytes JMP 7102000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!MoveWindow 0000000075f53698 3 bytes JMP 7117000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7117000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!PostMessageA 0000000075f53baa 6 bytes JMP 715d000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7157000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SetWindowLongA 0000000075f56110 6 bytes JMP 7163000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SendMessageA 0000000075f5612e 6 bytes JMP 7151000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 7108000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7169000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SendNotifyMessageW 0000000075f57668 6 bytes JMP 713c000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 7142000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 714b000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 716c000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 7114000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 7114000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 712f000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 712c000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 7120000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!GetKeyboardState 0000000075f6ec68 3 bytes JMP 7126000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 7126000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SendInput 0000000075f6ff4a 3 bytes JMP 7129000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SendInput + 4 0000000075f6ff4e 2 bytes JMP 7129000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!GetClipboardData 0000000075f89f1d 6 bytes JMP 710e000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!ExitWindowsEx 0000000075f91497 6 bytes JMP 70ff000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!mouse_event 0000000075fa027b 6 bytes JMP 716f000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!keybd_event 0000000075fa02bf 6 bytes JMP 7172000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 7145000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 713f000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!BlockInput 0000000075fa7dd7 3 bytes JMP 7111000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 7111000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 711d000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\user32.DLL!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 711d000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 7184000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 717e000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718d000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 7175000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 717b000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7178000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f7000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f7000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70e2000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70e2000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e8000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e8000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70df000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70df000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70eb000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70eb000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 7103000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 7103000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 7100000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 7100000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70e5000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70e5000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70d3000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70d3000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7106000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7106000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70f4000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70f4000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70dc000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70dc000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d6000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d6000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70f1000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70f1000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d9000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d9000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70ee000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70ee000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70fd000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70fd000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70fa000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70fa000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 00000000776a2642 6 bytes JMP 7196000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessWithLogonW 00000000776a5429 6 bytes JMP 7193000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000755e124e 6 bytes JMP 7181000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7160000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 7154000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 710f000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 714e000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7148000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7166000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 7115000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 7115000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 715a000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 712d000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 7124000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 7124000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 710c000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 7121000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7121000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 715d000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7157000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 7163000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7151000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 7112000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7169000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 713c000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 7142000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 714b000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f5835c 6 bytes JMP 716c000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075f5c4b6 3 bytes JMP 711e000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075f5c4ba 2 bytes JMP 711e000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075f6c112 6 bytes JMP 7139000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075f6d0f5 6 bytes JMP 7136000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075f6eb96 6 bytes JMP 712a000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075f6ec68 3 bytes JMP 7130000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075f6ec6c 2 bytes JMP 7130000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SendInput 0000000075f6ff4a 3 bytes JMP 7133000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075f6ff4e 2 bytes JMP 7133000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075f89f1d 6 bytes JMP 7118000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075f91497 6 bytes JMP 7109000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075fa027b 6 bytes JMP 716f000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075fa02bf 6 bytes JMP 7172000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 7145000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 713f000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075fa7dd7 3 bytes JMP 711b000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 711b000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 7127000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 7127000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 7184000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 717e000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718d000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 7175000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 717b000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7178000a
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe[1684] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ... * 2
.text C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe[7672] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 16:

.text C:\Windows\System32\MsSpellCheckingFacility.exe[8432] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\System32\MsSpellCheckingFacility.exe[8432] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x1fdd60]}
.text C:\Windows\System32\MsSpellCheckingFacility.exe[8432] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x21db78]}
.text C:\Windows\System32\MsSpellCheckingFacility.exe[8432] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes {JMP QWORD [RIP+0x109a450]}
.text C:\Windows\System32\MsSpellCheckingFacility.exe[8432] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x1b7cac]}
.text C:\Windows\System32\MsSpellCheckingFacility.exe[8432] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x19766c]}
.text C:\Windows\System32\MsSpellCheckingFacility.exe[8432] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]}
.text C:\Windows\System32\MsSpellCheckingFacility.exe[8432] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes {JMP QWORD [RIP+0x10d4648]}
.text C:\Windows\System32\MsSpellCheckingFacility.exe[8432] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes {JMP QWORD [RIP+0x10b3780]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000779d3b10 6 bytes {JMP QWORD [RIP+0x866c520]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a013a0 6 bytes {JMP QWORD [RIP+0x861ec90]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a01570 6 bytes {JMP QWORD [RIP+0x8bdeac0]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a015e0 6 bytes {JMP QWORD [RIP+0x8cbea50]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a01620 6 bytes {JMP QWORD [RIP+0x8c7ea10]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a016c0 6 bytes {JMP QWORD [RIP+0x8cde970]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a01750 6 bytes {JMP QWORD [RIP+0x8c5e8e0]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a01790 6 bytes {JMP QWORD [RIP+0x8b5e8a0]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a017e0 6 bytes {JMP QWORD [RIP+0x8b7e850]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a01800 6 bytes {JMP QWORD [RIP+0x8c9e830]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a019f0 6 bytes {JMP QWORD [RIP+0x8d5e640]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a01b00 6 bytes {JMP QWORD [RIP+0x8b3e530]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a01bd0 6 bytes {JMP QWORD [RIP+0x8bfe460]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a01d20 6 bytes {JMP QWORD [RIP+0x8cfe310]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a01d30 6 bytes {JMP QWORD [RIP+0x8d3e300]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a020a0 6 bytes {JMP QWORD [RIP+0x8c1df90]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a02130 6 bytes {JMP QWORD [RIP+0x8d1df00]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a029a0 6 bytes {JMP QWORD [RIP+0x8c3d690]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a02a20 6 bytes {JMP QWORD [RIP+0x8b9d610]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a02aa0 6 bytes {JMP QWORD [RIP+0x8bbd590]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefd919055 3 bytes CALL 79000026
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefd9253c0 5 bytes [FF, 25, 70, AC, 0A]
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefdff22d0 6 bytes {JMP QWORD [RIP+0x1fdd60]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\system32\GDI32.dll!BitBlt 000007fefdff24b8 6 bytes {JMP QWORD [RIP+0x21db78]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\system32\GDI32.dll!MaskBlt 000007fefdff5be0 6 bytes JMP 0
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefdff8384 6 bytes {JMP QWORD [RIP+0x1b7cac]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefdff89c4 6 bytes {JMP QWORD [RIP+0x19766c]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\system32\GDI32.dll!GetPixel 000007fefdff933c 6 bytes {JMP QWORD [RIP+0x1d6cf4]}
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\system32\GDI32.dll!StretchBlt 000007fefdffb9e8 6 bytes JMP 0
.text C:\Windows\system32\taskhost.exe[5072] C:\Windows\system32\GDI32.dll!PlgBlt 000007fefdffc8b0 6 bytes JMP 0
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f7000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f7000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70e2000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70e2000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e8000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e8000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70df000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70df000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70eb000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70eb000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 7103000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 7103000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 7100000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 7100000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70e5000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70e5000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70d3000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70d3000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7106000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7106000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70f4000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70f4000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70dc000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70dc000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d6000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d6000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70f1000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70f1000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d9000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d9000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70ee000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70ee000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70fd000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70fd000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70fa000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70fa000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll  0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7160000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 7154000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 710f000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 714e000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7148000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7166000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 7115000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 7115000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 715a000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 712d000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 7124000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 7124000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 710c000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!MoveWindow  0000000075f53698 3 bytes JMP 7121000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7121000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 715d000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7157000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 7163000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7151000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075f56c30 6 bytes JMP 7112000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f57603 6 bytes JMP 7169000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075f57668 6 bytes JMP 713c000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075f576e0 6 bytes JMP 7142000a
.text C:\Users\Carl\Desktop\HijackThis.exe[2520] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075f5781f 6 bytes JMP 714b000a


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 17:

.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\user32.DLL!mouse_event 0000000075fa027b 6 bytes JMP 716f000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\user32.DLL!keybd_event 0000000075fa02bf 6 bytes JMP 7172000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\user32.DLL!SendMessageCallbackA 0000000075fa6cfc 6 bytes JMP 7145000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\user32.DLL!SendNotifyMessageA 0000000075fa6d5d 6 bytes JMP 713f000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\user32.DLL!BlockInput 0000000075fa7dd7 3 bytes JMP 7111000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\user32.DLL!BlockInput + 4 0000000075fa7ddb 2 bytes JMP 7111000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\user32.DLL!RegisterRawInputDevices 0000000075fa88eb 3 bytes JMP 711d000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\user32.DLL!RegisterRawInputDevices + 4 0000000075fa88ef 2 bytes JMP 711d000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000765d58b3 6 bytes JMP 7184000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\GDI32.dll!BitBlt 00000000765d5ea6 6 bytes JMP 717e000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\GDI32.dll!CreateDCA 00000000765d7bcc 6 bytes JMP 718d000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\GDI32.dll!StretchBlt 00000000765db895 6 bytes JMP 7175000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\GDI32.dll!MaskBlt 00000000765dc332 6 bytes JMP 717b000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\GDI32.dll!GetPixel 00000000765dcbfb 6 bytes JMP 7187000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\GDI32.dll!CreateDCW 00000000765de743 6 bytes JMP 718a000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\GDI32.dll!PlgBlt 000000007660480f 6 bytes JMP 7178000a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075931465 2 bytes [93, 75]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[8392] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000759314bb 2 bytes [93, 75]
.text ...  * 2
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077baf9e0 3 bytes JMP 71af000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077baf9e4 2 bytes JMP 71af000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077bafcb0 3 bytes JMP 70f7000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077bafcb4 2 bytes JMP 70f7000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077bafd64 3 bytes JMP 70e2000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077bafd68 2 bytes JMP 70e2000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077bafdc8 3 bytes JMP 70e8000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077bafdcc 2 bytes JMP 70e8000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077bafec0 3 bytes JMP 70df000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077bafec4 2 bytes JMP 70df000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077baffa4 3 bytes JMP 70eb000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077baffa8 2 bytes JMP 70eb000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077bb0004 3 bytes JMP 7103000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077bb0008 2 bytes JMP 7103000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077bb0084 3 bytes JMP 7100000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077bb0088 2 bytes JMP 7100000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077bb00b4 3 bytes JMP 70e5000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077bb00b8 2 bytes JMP 70e5000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077bb03b8 3 bytes JMP 70d3000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077bb03bc 2 bytes JMP 70d3000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077bb0550 3 bytes JMP 7106000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077bb0554 2 bytes JMP 7106000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077bb0694 3 bytes JMP 70f4000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077bb0698 2 bytes JMP 70f4000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077bb088c 3 bytes JMP 70dc000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077bb0890 2 bytes JMP 70dc000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077bb08a4 3 bytes JMP 70d6000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077bb08a8 2 bytes JMP 70d6000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077bb0df4 3 bytes JMP 70f1000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077bb0df8 2 bytes JMP 70f1000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077bb0ed8 3 bytes JMP 70d9000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077bb0edc 2 bytes JMP 70d9000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077bb1be4 3 bytes JMP 70ee000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077bb1be8 2 bytes JMP 70ee000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077bb1cb4 3 bytes JMP 70fd000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077bb1cb8 2 bytes JMP 70fd000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077bb1d8c 3 bytes JMP 70fa000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077bb1d90 2 bytes JMP 70fa000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077bd1287 6 bytes JMP 71a8000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000075c0103d 6 bytes JMP 719c000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075c01072 6 bytes JMP 7199000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000075c2c9b5 6 bytes JMP 7190000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 0000000075a2f784 6 bytes JMP 719f000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075a32c9e 4 bytes CALL 71ac0000
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!SetWindowLongW 0000000075f48332 6 bytes JMP 7160000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075f48bff 6 bytes JMP 7154000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075f490d3 6 bytes JMP 710f000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075f49679 6 bytes JMP 714e000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075f497d2 6 bytes JMP 7148000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f4ee09 6 bytes JMP 7166000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075f4efc9 3 bytes JMP 7115000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075f4efcd 2 bytes JMP 7115000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075f512a5 6 bytes JMP 715a000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075f5291f 6 bytes JMP 712d000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!SetParent 0000000075f52d64 3 bytes JMP 7124000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075f52d68 2 bytes JMP 7124000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075f52da4 6 bytes JMP 710c000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075f53698 3 bytes JMP 7121000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075f5369c 2 bytes JMP 7121000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075f53baa 6 bytes JMP 715d000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075f53c61 6 bytes JMP 7157000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!SetWindowLongA 0000000075f56110 6 bytes JMP 7163000a
.text C:\Users\Carl\Desktop\f6p7s1lr.exe[6096] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075f5612e 6 bytes JMP 7151000a


----------



## referee07 (Sep 11, 2003)

GMER Scan; Page 18:



----------



## referee07 (Sep 11, 2003)

Can anyone help me with this? Any and all ideas/suggestions will be appreciated.


----------



## referee07 (Sep 11, 2003)

Why haven't any of the virus gurus responded to my post? Cookiegal?


----------



## referee07 (Sep 11, 2003)

Still no replies. Cookiegal, any suggestions/advice?


----------



## eddie5659 (Mar 19, 2001)

Hiya

Are you still having this problem? If so, very sorry for the delay, let's get started on this now

Firstly, can you go to the Control Panel, and uninstall these via Programs and Features:
*Advanced SystemCare 7*
*IObit Uninstaller*

Then, can you run the following tools for me, and we'll go from there:

Download *Security Check* from *here*.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called *checkup.txt*; please post the contents of that document.

----

*(Vista or Win 7 => right click and Run As Administrator)*


Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath *Output* at the top change it to *Standard Output*.
At the top, check the box entitled *Scan All Users*
Toward the bottom, check:
*All Users*
*LOP Check*
*Purity Check*
Under the *Standard Registry* box change it to *All*
*Do not change any settings unless otherwise told to do so.*
Please copy the text in the code box below and paste it in the *Custom Scans/Fixes* box in OTL:


```
DRIVES
netsvcs
activex
msconfig
drivers32
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
safebootminimal
safebootnetwork
%SYSTEMDRIVE%\*.*
%PROGRAMFILES%\*.exe
%LOCALAPPDATA%\*.exe
%windir%\Installer\*.*
%windir%\system32\tasks\*.*
%windir%\system32\tasks\*.* /64
%systemroot%\Fonts\*.exe
%systemroot%\*. /mp /s
/md5start
pnrpnsp.dll
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
consrv.dll
explorer.exe
winlogon.exe
regedit.exe
Userinit.exe
svchost.exe
services.exe
user32.dll
atapi.sys
csrss.exe
PRINTISOLATIONHOST.EXE
/md5stop
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true /fp
%systemroot%\system32\drivers\*.sys /lockedfiles
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\* \s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT
```

Click the *Run Scan* button. The scan won't take long.
A black box will appear, this is part of the custom scan, so don't be alarmed 
*IF OTL SAYS 'NOT RESPONDING' DON'T USE THE MOUSE. IT WILL CARRY ON SCANNING AFTER A FEW MINUTES*

When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.

Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time and post them in your topic


Regards

eddie


----------



## referee07 (Sep 11, 2003)

eddie5659, thanks for the reply.

The results of the Security Check are shown below.

I did not see:

•When the window appears, underneath Output at the top change it to Standard Output.
•At the top, check the box entitled Scan All Users
•Toward the bottom, check:
All Users
LOP Check
Purity Check
•Under the Standard Registry box change it to All

When the Security Check program was running. I ran to the end and then the text box appeared. Also, is Malwarebytes known for causing problems? Thanks again for the help with this.

Results of screen317's Security Check version 0.99.85 
Windows 7 Service Pack 1 x64 (UAC is enabled) 
Internet Explorer 11 
*``````````````Antivirus/Firewall Check:``````````````* 
Windows Firewall Disabled! 
ESET NOD32 Antivirus 7.0 
Antivirus up to date! 
*`````````Anti-malware/Other Utilities Check:`````````* 
SpywareBlaster 5.0 
Spybot - Search & Destroy 
Java 7 Update 51 
*Java version out of Date!* 
Adobe Reader XI 
*````````Process Check: objlist.exe by Laurent````````* 
ESET NOD32 Antivirus egui.exe 
ESET NOD32 Antivirus ekrn.exe 
*Spybot Teatimer.exe is disabled!* 
Comodo Firewall cmdagent.exe 
*`````````````````System Health check`````````````````* 
Total Fragmentation on Drive C: 0% 
*````````````````````End of Log``````````````````````*


----------



## eddie5659 (Mar 19, 2001)

Thanks for the log. I just looked at my reply, and see a chunk has been missed at the beginning, as it was a different tool 

I'll repost that in this reply, sorry.

Malwarebytes isn't known to cause any problems, but I tend to just use the free version

-------------

Your Java is out of date, so let's do that next:

*Upgrade Java* : (32 bits)

Download the latest version of *Java SE Runtime Environment (JRE) JRE 7 Update 60*.
Under the JAVA Platform Standard Edition, click the "*Download JRE*" button to the right.

*Accept License Agreement.*
Click on the link to download Windows Offline Installation 32 bit (jre-7u60-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove* programs and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version. (Vista or Win 7 users, right click on the *jre-7u60-windows-i586.exe* and select "Run as an Administrator.")
Don't install any of the toolbars that are offered.

After doing the above, for the remains of the Java, can you do this:

Open Java in the Control Panel and under the General tab, under Temporary Internet Files, click the Settings button. Then click on Delete Files.

Make sure both of these options are checked:


Applications and Applets
Trace and Log Files
OK out of all the screens. 

==========================

Download *OTL* to your Desktop

*(Vista or Win 7 => right click and Run As Administrator)*


Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath *Output* at the top change it to *Standard Output*.
At the top, check the box entitled *Scan All Users*
Toward the bottom, check:
*All Users*
*LOP Check*
*Purity Check*
Under the *Standard Registry* box change it to *All*
*Do not change any settings unless otherwise told to do so.*
Please copy the text in the code box below and paste it in the *Custom Scans/Fixes* box in OTL:


```
DRIVES
netsvcs
activex
msconfig
drivers32
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
safebootminimal
safebootnetwork
%SYSTEMDRIVE%\*.*
%PROGRAMFILES%\*.exe
%LOCALAPPDATA%\*.exe
%windir%\Installer\*.*
%windir%\system32\tasks\*.*
%windir%\system32\tasks\*.* /64
%systemroot%\Fonts\*.exe
%systemroot%\*. /mp /s
/md5start
pnrpnsp.dll
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
consrv.dll
explorer.exe
winlogon.exe
regedit.exe
Userinit.exe
svchost.exe
services.exe
user32.dll
atapi.sys
csrss.exe
PRINTISOLATIONHOST.EXE
/md5stop
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true /fp
%systemroot%\system32\drivers\*.sys /lockedfiles
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\* \s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT
```

Click the *Run Scan* button. The scan won't take long.
A black box will appear, this is part of the custom scan, so don't be alarmed 
*IF OTL SAYS 'NOT RESPONDING' DON'T USE THE MOUSE. IT WILL CARRY ON SCANNING AFTER A FEW MINUTES*

When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.

Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time and post them in your topic


Thanks

eddie


----------



## referee07 (Sep 11, 2003)

eddie5659, thanks again for your reply. It is 2226 here, and I am going to call it quits for the night. But tomorrow evening I will run the Java update and will download and run the OTL program and post the results. (BTW, my computer is a 64bit computer; do I need to download the 32bit Java program?) Thanks again for your help.


----------



## eddie5659 (Mar 19, 2001)

That's fine, it's only just turning 4pm here.

Nope, install the 32 bit version of Java. Some programs don't work with 64bit, but all will work with the 32


----------



## referee07 (Sep 11, 2003)

eddie5659, I went to the Oracle site and clicked on the "JRE Download" button, but "jre-7u60-windows-i586.exe" was not listed. This is what was listed: 

Linux x86 40.27 MB jre-8u5-linux-i586.rpm 
Linux x86 55.46 MB jre-8u5-linux-i586.tar.gz 
Linux x64 40.4 MB jre-8u5-linux-x64.rpm 
Linux x64 54.41 MB jre-8u5-linux-x64.tar.gz 
Mac OS X x64 56.61 MB jre-8u5-macosx-x64.dmg 
Mac OS X x64 52.61 MB jre-8u5-macosx-x64.tar.gz 
Solaris SPARC 64-bit 50.32 MB jre-8u5-solaris-sparcv9.tar.gz 
Solaris x64 47.99 MB jre-8u5-solaris-x64.tar.gz 
Windows x86 Online 1.53 MB jre-8u5-windows-i586-iftw.exe 
Windows x86 Offline 29.67 MB jre-8u5-windows-i586.exe 
Windows x86 45.87 MB jre-8u5-windows-i586.tar.gz 
Windows x64 32.55 MB jre-8u5-windows-x64.exe 
Windows x64 48.87 MB jre-8u5-windows-x64.tar.gz 

Was I at the correct place? Thanks again for the help.


----------



## eddie5659 (Mar 19, 2001)

Yep, correct site, but there are two versions of Java at the website: Version 8 and 7.

Normally I install 8, but there may not be some programs/websites that use this version, as it's only just come out. If you scroll down at this page:

http://www.oracle.com/technetwork/java/javase/downloads/index.html

you will see this:



Then, click on the same JRE button for the version 7 and select the Windows x86 Offline option (can't show in screenshot, but it's below the arrow).


----------



## referee07 (Sep 11, 2003)

eddie5659, thanks again for the reply. Do I choose: 

Windows x86 Online 0.88 MB jre-7u60-windows-i586-iftw.exe

or 

Windows x86 Offline 28.04 MB jre-7u60-windows-i586.exe

Thanks again.


Linux x86 31.55 MB jre-7u60-linux-i586.rpm 
Linux x86 46.18 MB jre-7u60-linux-i586.tar.gz 
Linux x64 32.06 MB jre-7u60-linux-x64.rpm 
Linux x64 44.81 MB jre-7u60-linux-x64.tar.gz 
Mac OS X x64 48.52 MB jre-7u60-macosx-x64.dmg 
Mac OS X x64 44.5 MB jre-7u60-macosx-x64.tar.gz 
Solaris x86 52.17 MB jre-7u60-solaris-i586.tar.gz 
Solaris x64 16.12 MB jre-7u60-solaris-x64.tar.gz 
Solaris SPARC 54.92 MB jre-7u60-solaris-sparc.tar.gz 
Solaris SPARC 64-bit 18.16 MB jre-7u60-solaris-sparcv9.tar.gz 
Windows x86 Online 0.88 MB jre-7u60-windows-i586-iftw.exe 
Windows x86 Offline 28.04 MB jre-7u60-windows-i586.exe 
Windows x86 39.94 MB jre-7u60-windows-i586.tar.gz 
Windows x64 29.55 MB jre-7u60-windows-x64.exe 
Windows x64 41.64 MB jre-7u60-windows-x64.tar.gz


----------



## eddie5659 (Mar 19, 2001)

Windows x86 Offline 28.04 MB jre-7u60-windows-i586.exe

Then, once it's downloaded, install as you normally do by double-clicking on it. Then, when it's done, for the remains of the Java, you can do this:

Open Java in the Control Panel and under the General tab, under Temporary Internet Files, click the Settings button. Then click on Delete Files.

Make sure both of these options are checked:

- Applications and Applets
- Trace and Log Files

OK out of all the screens.


----------



## referee07 (Sep 11, 2003)

eddie5659, thanks again for the reply. I was able to update Java and please see the next several posts for the results of the OTL scan. I am still wondering if my computer has malware (I still can't run Malwarebytes.), and sometimes the cursor seems to be slow to respond and then moves quickly.

OTL logfile created on: 6/25/2014 10:30:35 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Carl\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17126)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.80 Gb Total Physical Memory | 1.25 Gb Available Physical Memory | 32.81% Memory free
7.60 Gb Paging File | 4.57 Gb Available in Paging File | 60.08% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.01 Gb Total Space | 184.07 Gb Free Space | 40.81% Space Free | Partition Type: NTFS

Computer Name: DELLNOTEBOOK | User Name: Carl | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014/06/25 22:25:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Carl\Desktop\OTL.exe
PRC - [2014/06/19 20:02:49 | 018,935,976 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE
PRC - [2014/05/25 19:22:49 | 000,109,784 | ---- | M] (Siber Systems) -- C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2014/05/21 19:22:08 | 002,135,232 | ---- | M] () -- C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
PRC - [2014/05/08 22:48:38 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2014/05/06 18:23:52 | 000,781,600 | ---- | M] (IObit) -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\Monitor.exe
PRC - [2014/04/29 18:22:01 | 000,097,776 | ---- | M] (Black Oak Computers, Inc.) -- C:\Program Files (x86)\StrongVPN\StrongService.exe
PRC - [2014/04/21 18:05:56 | 002,295,584 | ---- | M] (IObit) -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe
PRC - [2014/03/28 20:09:32 | 000,309,704 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
PRC - [2014/02/07 17:06:44 | 004,425,728 | ---- | M] (SourceForge.net) -- C:\Program Files (x86)\Password Safe\pwsafe.exe
PRC - [2014/01/14 14:50:06 | 000,881,952 | ---- | M] (IObit) -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe
PRC - [2013/10/13 12:19:08 | 003,783,672 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
PRC - [2013/09/12 12:06:22 | 001,337,752 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
PRC - [2013/07/25 17:47:00 | 001,985,824 | ---- | M] (Wondershare) -- C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
PRC - [2013/05/16 10:59:00 | 003,830,224 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
PRC - [2013/05/16 10:56:30 | 001,817,560 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
PRC - [2013/05/15 13:21:32 | 000,171,928 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
PRC - [2013/03/27 22:33:02 | 006,365,920 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2013/03/20 19:28:20 | 007,084,672 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
PRC - [2013/01/10 14:12:20 | 001,103,424 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
PRC - [2012/07/18 22:07:06 | 000,310,232 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe
PRC - [2011/10/12 23:11:34 | 002,068,856 | ---- | M] (Flexera Software LLC.) -- C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
PRC - [2011/10/12 23:11:32 | 001,446,264 | ---- | M] (Flexera Software LLC.) -- C:\ProgramData\FLEXnet\Connect\11\agent.exe
PRC - [2011/05/28 19:39:11 | 000,273,544 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
PRC - [2011/04/15 13:18:06 | 001,646,056 | ---- | M] (Rosetta Stone Ltd.) -- C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
PRC - [2010/11/24 00:08:22 | 001,660,232 | ---- | M] (Bootstrap Software Development) -- C:\Program Files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe
PRC - [2010/08/20 09:06:56 | 000,487,562 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
PRC - [2010/07/02 05:10:26 | 002,533,400 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
PRC - [2010/07/02 05:10:22 | 000,325,656 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
PRC - [2010/03/03 20:16:06 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2010/02/04 13:05:56 | 000,107,176 | ---- | M] (Lexmark International Inc.) -- C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe
PRC - [2010/02/04 13:05:54 | 000,660,136 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdnmon.exe
PRC - [2009/10/15 18:10:28 | 000,498,160 | ---- | M] () -- C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe

========== Modules (No Company Name) ==========

MOD - [2014/06/19 20:09:33 | 008,890,536 | ---- | M] () -- C:\Program Files\Microsoft Office 15\root\office15\1033\GrooveIntlResource.dll
MOD - [2014/06/19 20:01:19 | 001,032,360 | ---- | M] () -- C:\Program Files\Microsoft Office 15\root\office15\ADDINS\UmOutlookAddin.dll
MOD - [2014/06/19 17:12:58 | 000,316,584 | ---- | M] () -- C:\Program Files\Microsoft Office 15\root\office15\appvisvstream32.dll
MOD - [2014/05/24 11:34:48 | 000,122,024 | ---- | M] () -- C:\Program Files\Microsoft Office 15\root\office15\JitV.dll
MOD - [2014/01/20 13:17:04 | 000,073,544 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2014/01/20 13:16:38 | 001,044,808 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2013/09/05 00:14:10 | 004,300,456 | ---- | M] () -- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2013/07/24 09:24:52 | 000,137,728 | ---- | M] () -- C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
MOD - [2013/05/16 10:55:28 | 000,161,112 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
MOD - [2013/05/16 10:55:26 | 000,113,496 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
MOD - [2013/05/16 10:55:24 | 000,416,600 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
MOD - [2013/01/15 18:48:26 | 000,348,992 | ---- | M] () -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\madexcept_.bpl
MOD - [2013/01/15 18:48:26 | 000,051,008 | ---- | M] () -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\maddisAsm_.bpl
MOD - [2013/01/15 18:48:24 | 000,183,616 | ---- | M] () -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\madbasic_.bpl
MOD - [2013/01/15 18:47:56 | 000,893,248 | ---- | M] () -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\webres.dll
MOD - [2010/10/20 15:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll
MOD - [2010/02/04 13:05:54 | 000,660,136 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdnmon.exe
MOD - [2009/10/15 18:10:28 | 000,498,160 | ---- | M] () -- C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
MOD - [2009/07/24 00:49:04 | 000,782,336 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdndrs.dll
MOD - [2009/07/24 00:48:28 | 000,380,928 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdnscw.dll
MOD - [2009/05/14 18:46:40 | 000,081,920 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdncaps.dll
MOD - [2007/10/12 23:24:46 | 000,364,544 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\iptk.dll
MOD - [2007/10/02 19:51:09 | 000,069,632 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdncnv4.dll
MOD - [2007/05/29 12:39:08 | 000,589,824 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdndatr.dll
MOD - [2007/03/26 12:39:35 | 000,073,728 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdncats.dll

========== Services (SafeList) ==========

SRV:*64bit:* - [2014/05/30 18:21:05 | 000,111,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV:*64bit:* - [2014/05/21 03:28:26 | 002,279,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe -- (ClickToRunSvc)
SRV:*64bit:* - [2014/04/17 06:12:45 | 006,817,544 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV:*64bit:* - [2014/03/26 04:22:18 | 002,264,280 | ---- | M] (COMODO) [On_Demand | Stopped] -- C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe -- (cmdvirth)
SRV:*64bit:* - [2014/02/15 02:38:42 | 008,117,904 | ---- | M] () [Auto | Running] -- C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe -- (GsServer)
SRV:*64bit:* - [2013/10/28 18:02:18 | 002,255,064 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Windows\SysNative\BtwRSupportService.exe -- (BcmBtRSupport)
SRV:*64bit:* - [2013/09/12 12:06:22 | 001,337,752 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe -- (ekrn)
SRV:*64bit:* - [2013/05/27 14:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:*64bit:* - [2012/07/12 03:54:58 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCore64.exe -- (!SASCORE)
SRV:*64bit:* - [2010/09/23 09:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:*64bit:* - [2010/03/06 01:26:38 | 001,425,168 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV:*64bit:* - [2010/03/06 01:07:58 | 000,340,240 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe -- (MyWiFiDHCPDNS)
SRV:*64bit:* - [2010/03/06 01:06:22 | 000,831,760 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV:*64bit:* - [2009/11/18 11:14:26 | 000,098,208 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe -- (AERTFilters)
SRV:*64bit:* - [2009/07/01 18:54:02 | 000,864,032 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV:*64bit:* - [2009/04/28 14:58:52 | 000,029,184 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\spool\DRIVERS\x64\3\\lxdnserv.exe -- (lxdnCATSCustConnectService)
SRV:*64bit:* - [2007/11/28 19:51:42 | 001,039,872 | ---- | M] ( ) [Auto | Running] -- C:\Windows\SysNative\lxdncoms.exe -- (lxdn_device)
SRV - [2014/05/21 19:22:08 | 002,135,232 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe -- (DragonUpdater)
SRV - [2014/05/14 22:48:49 | 000,257,712 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2014/05/08 22:48:38 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2014/05/04 16:37:30 | 002,152,736 | ---- | M] (IObit) [Auto | Stopped] -- C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe -- (LiveUpdateSvc)
SRV - [2014/04/29 18:22:01 | 000,097,776 | ---- | M] (Black Oak Computers, Inc.) [Auto | Running] -- C:\Program Files (x86)\StrongVPN\StrongService.exe -- (StrongVPN Service)
SRV - [2014/01/14 14:50:06 | 000,881,952 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe -- (AdvancedSystemCareService7)
SRV - [2013/10/23 08:15:08 | 000,172,192 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013/10/13 12:19:08 | 003,783,672 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2013/09/11 21:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2013/03/20 19:28:20 | 007,084,672 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe -- (syncagentsrv)
SRV - [2013/02/15 13:01:52 | 001,143,720 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2012/07/18 22:07:06 | 000,310,232 | ---- | M] (Nuance Communications, Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe -- (DragonSvc)
SRV - [2011/04/17 10:57:28 | 000,013,160 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\615\g2aservice.exe -- (GoToAssist)
SRV - [2011/04/15 13:18:06 | 001,646,056 | ---- | M] (Rosetta Stone Ltd.) [Auto | Running] -- C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe -- (RosettaStoneDaemon)
SRV - [2010/07/02 05:10:26 | 002,533,400 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2010/07/02 05:10:22 | 000,325,656 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2010/03/03 20:16:06 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc)
SRV - [2010/01/30 00:40:16 | 001,043,584 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files (x86)\HP\digital imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)
SRV - [2009/06/11 06:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/04/28 14:58:52 | 000,029,184 | ---- | M] () [Auto | Stopped] -- C:\Windows\system32\spool\DRIVERS\x64\3\\lxdnserv.exe -- (lxdnCATSCustConnectService)
SRV - [2007/11/28 19:12:40 | 000,589,824 | ---- | M] ( ) [Auto | Running] -- C:\Windows\SysWOW64\lxdncoms.exe -- (lxdn_device)

========== Driver Services (SafeList) ==========

DRV:*64bit:* - [2014/04/17 06:12:55 | 000,023,168 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\SysNative\drivers\cmderd.sys -- (cmderd)
DRV:*64bit:* - [2013/10/28 18:02:16 | 000,170,712 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bcbtums.sys -- (bcbtums)
DRV:*64bit:* - [2013/10/13 12:19:15 | 000,367,200 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\afcdp.sys -- (afcdp)
DRV:*64bit:* - [2013/10/13 12:18:59 | 001,462,560 | ---- | M] (Acronis International GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tdrpman.sys -- (tdrpman)
DRV:*64bit:* - [2013/10/13 12:18:44 | 000,183,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tib_mounter.sys -- (tib_mounter)
DRV:*64bit:* - [2013/10/13 12:18:42 | 001,120,032 | ---- | M] (Acronis International GmbH) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tib.sys -- (tib)
DRV:*64bit:* - [2013/10/13 12:18:29 | 000,161,568 | ---- | M] (Acronis International GmbH) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vididr.sys -- (vididr)
DRV:*64bit:* - [2013/10/13 12:18:12 | 000,117,024 | ---- | M] (Acronis International GmbH) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vidsflt.sys -- (vidsflt)
DRV:*64bit:* - [2013/10/13 12:18:04 | 000,233,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\snapman.sys -- (snapman)
DRV:*64bit:* - [2013/10/13 12:17:57 | 000,108,832 | ---- | M] (Acronis International GmbH) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\fltsrv.sys -- (fltsrv)
DRV:*64bit:* - [2013/09/17 15:17:38 | 000,239,320 | ---- | M] (ESET) [File_System | System | Running] -- C:\Windows\SysNative\drivers\eamonm.sys -- (eamonm)
DRV:*64bit:* - [2013/09/17 15:17:38 | 000,168,256 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ehdrv.sys -- (ehdrv)
DRV:*64bit:* - [2013/09/17 15:17:38 | 000,157,432 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\epfwwfpr.sys -- (epfwwfpr)
DRV:*64bit:* - [2013/08/10 20:13:31 | 000,035,520 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tapstrong.sys -- (tapstrong)
DRV:*64bit:* - [2013/08/09 20:02:14 | 000,166,104 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwampfl.sys -- (btwampfl)
DRV:*64bit:* - [2013/07/05 04:00:56 | 011,530,992 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETwsw00.sys -- (NETwNs64)
DRV:*64bit:* - [2013/05/13 15:36:06 | 000,050,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)
DRV:*64bit:* - [2013/03/25 14:41:46 | 000,076,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d)
DRV:*64bit:* - [2012/12/13 13:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:*64bit:* - [2012/12/09 23:33:41 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:*64bit:* - [2012/12/09 23:33:40 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:*64bit:* - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:*64bit:* - [2012/07/20 20:49:00 | 000,036,736 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tap0901.sys -- (tap0901)
DRV:*64bit:* - [2012/03/01 15:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:*64bit:* - [2011/08/24 06:12:57 | 000,317,440 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud)
DRV:*64bit:* - [2011/07/23 01:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:*64bit:* - [2011/07/13 06:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:*64bit:* - [2011/05/13 03:21:04 | 000,177,640 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadmdm.sys -- (ssadmdm)
DRV:*64bit:* - [2011/05/13 03:21:04 | 000,146,920 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadserd.sys -- (ssadserd)
DRV:*64bit:* - [2011/05/13 03:21:02 | 000,157,672 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadbus.sys -- (ssadbus)
DRV:*64bit:* - [2011/05/13 03:21:02 | 000,036,328 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadadb.sys -- (androidusb)
DRV:*64bit:* - [2011/05/13 03:21:02 | 000,016,872 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadmdfl.sys -- (ssadmdfl)
DRV:*64bit:* - [2011/03/11 15:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:*64bit:* - [2011/03/11 15:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:*64bit:* - [2010/11/20 22:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:*64bit:* - [2010/10/29 16:11:42 | 000,250,984 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:*64bit:* - [2010/08/13 01:51:30 | 000,175,168 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CtClsFlt.sys -- (CtClsFlt)
DRV:*64bit:* - [2010/07/20 22:40:38 | 010,603,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:*64bit:* - [2010/05/07 19:44:32 | 000,321,584 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:*64bit:* - [2010/04/14 01:01:44 | 000,054,824 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btusbflt.sys -- (btusbflt)
DRV:*64bit:* - [2010/03/18 15:21:58 | 007,680,512 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NETw5s64.sys -- (NETw5s64)
DRV:*64bit:* - [2010/03/04 12:51:40 | 000,540,696 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:*64bit:* - [2010/02/27 22:02:12 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)
DRV:*64bit:* - [2010/01/18 16:40:26 | 000,004,608 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rcmirror.sys -- (rcmirror)
DRV:*64bit:* - [2009/12/23 02:18:50 | 000,074,280 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
DRV:*64bit:* - [2009/09/18 05:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64)
DRV:*64bit:* - [2009/07/15 14:56:20 | 000,132,648 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwavdt.sys -- (btwavdt)
DRV:*64bit:* - [2009/07/15 14:56:20 | 000,098,344 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwaudio.sys -- (btwaudio)
DRV:*64bit:* - [2009/07/15 14:56:20 | 000,035,104 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwl2cap.sys -- (btwl2cap)
DRV:*64bit:* - [2009/07/15 14:56:16 | 000,021,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwrchid.sys -- (btwrchid)
DRV:*64bit:* - [2009/07/14 10:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:*64bit:* - [2009/07/14 10:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:*64bit:* - [2009/07/14 10:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:*64bit:* - [2009/07/09 18:00:00 | 000,055,280 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:*64bit:* - [2009/06/11 05:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:*64bit:* - [2009/06/11 05:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:*64bit:* - [2009/06/11 05:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:*64bit:* - [2009/06/11 05:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:*64bit:* - [2008/05/06 16:06:00 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wdcsam64.sys -- (WDC_SAM)
DRV:*64bit:* - [2006/11/02 03:51:00 | 000,151,656 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
DRV - [2009/07/14 10:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE:*64bit:* - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
IE:*64bit:* - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE:*64bit:* - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE:*64bit:* - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE:*64bit:* - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE:*64bit:* - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE:*64bit:* - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
IE:*64bit:* - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:*64bit:* - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE:*64bit:* - HKLM\..\SearchScopes\{860629A3-1AA9-4E10-B54B-D38AC282143A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{86D5D4B2-7CCD-4A4F-9995-6762EEFD03A2}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://us.yahoo.com?fr=fp-comodo
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = 
IE - HKU\.DEFAULT\..\SearchScopes\{8EEAC88A-079B-4b2c-80C1-7836F79EB40A}: "URL" = http://us.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://us.yahoo.com?fr=fp-comodo
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-18\..\SearchScopes\{8EEAC88A-079B-4b2c-80C1-7836F79EB40A}: "URL" = http://us.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mentalfloss.com/
IE - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://jp.msn.com/?rd=1
IE - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/
IE - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
IE - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co.kr/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGHP_enJP423
IE - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:21320

========== FireFox ==========

FF:*64bit:* - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:*64bit:* - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF:*64bit:* - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.60.2: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.60.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/Lync,version=15.0: C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@palmsource.com/installer,version=1.0: C:\PROGRA~2\Palm\PACKAG~1\NPInstal.dll ()
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.652: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.652: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\nuance.com/DragonRIAPlugin: C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\npDgnRia.dll (Nuance Communications Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Carl\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\PROGRAM FILES\ESET\ESET NOD32 ANTIVIRUS\MOZILLA THUNDERBIRD [2014/05/04 22:54:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2014/05/26 20:42:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\ffShim.xpi [2012/07/18 21:54:16 | 000,136,026 | ---- | M] ()
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2014/05/04 22:54:37 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2011/12/22 16:11:00 | 000,000,833 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:*64bit:* - BHO: (ExplorerWnd Helper) - {10921475-03CE-4E04-90CE-E2E7EF20C814} - C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll (IObit)
O2:*64bit:* - BHO: (Lync Browser Helper) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O2:*64bit:* - BHO: (RoboForm Toolbar Helper) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O2:*64bit:* - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2:*64bit:* - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
O2:*64bit:* - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:*64bit:* - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
O2:*64bit:* - BHO: (Microsoft SkyDrive Pro Browser Helper) - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
O2:*64bit:* - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2:*64bit:* - BHO: (PrivDog Extension) - {FB16E5C3-A9E2-47A2-8EFC-319E775E62CC} - C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll (AdTrustMedia)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Lync Browser Helper) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll (Microsoft Corporation)
O2 - BHO: (RoboForm Toolbar Helper) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
O2 - BHO: (Ads Removal) - {9D974C8C-6D92-44FB-BEAF-B45A1C0CF17F} - C:\Program Files (x86)\IObit\IObit Malware Fighter\adsremoval\IE\Adblock.dll (Adblock)
O2 - BHO: (Windows Live Messenger Companion Helper) - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Advanced SystemCare Browser Protection) - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll (IObit)
O2 - BHO: (Microsoft SkyDrive Pro Browser Helper) - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\office15\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:*64bit:* - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:*64bit:* - HKLM\..\Toolbar: (&RoboForm Toolbar) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O3:*64bit:* - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm Toolbar) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3:*64bit:* - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3:*64bit:* - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3:*64bit:* - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3:*64bit:* - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\..\Toolbar\WebBrowser: (&RoboForm Toolbar) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\..\Toolbar\WebBrowser: (&RoboForm Toolbar) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4:*64bit:* - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4:*64bit:* - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cistray.exe (COMODO)
O4:*64bit:* - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4:*64bit:* - HKLM..\Run: [EzPrint] C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe (Lexmark International Inc.)
O4:*64bit:* - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:*64bit:* - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:*64bit:* - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel(R) Corporation)
O4:*64bit:* - HKLM..\Run: [lxdnmon.exe] C:\Program Files (x86)\Lexmark 2600 Series\lxdnmon.exe ()
O4:*64bit:* - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:*64bit:* - HKLM..\Run: [QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4:*64bit:* - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:*64bit:* - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics Incorporated)
O4 - HKLM..\Run: [AcronisTibMounterMonitor] C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Aimersoft Helper Compact.exe] C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe (AimerSoft)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [BCSSync] C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [BSDAppUpdater] C:\Program Files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe (Bootstrap Software Development)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Desktop Disc Tool] C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - HKLM..\Run: [DNS7reminder] C:\Program Files (x86)\Nuance\NaturallySpeaking12\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [HOfficeViewerUpdate] C:\Program Files (x86)\HNC\HOfficeViewer80\HncUtils\HncViewerChecker.exe (Hancom Inc(HNC).)
O4 - HKLM..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\isuspm.exe (Flexera Software LLC.)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files (x86)\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files (x86)\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SDTray] C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (Oracle Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe (Wondershare)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000..\Run: [Advanced SystemCare 7] C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe (IObit)
O4 - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe (Flexera Software LLC.)
O4 - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000..\Run: [RoboForm] C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000..\Run: [StrongVPN Client] C:\Program Files (x86)\StrongVPN\StrongDial.exe (Black Oak Computers, Inc.)
O4 - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware)
O4 - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - Startup: C:\Users\Carl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Password Safe.lnk = C:\Program Files (x86)\Password Safe\pwsafe.exe (SourceForge.net)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = 
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O9:*64bit:* - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll (Microsoft Corporation)
O9:*64bit:* - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll (Microsoft Corporation)
O9:*64bit:* - Extra Button: PrivDog - {2F5C139F-79BD-4C84-A95A-E7140525BC55} - C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll (AdTrustMedia)
O9:*64bit:* - Extra Button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O9:*64bit:* - Extra 'Tools' menuitem : Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O9:*64bit:* - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:*64bit:* - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:*64bit:* - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:*64bit:* - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:*64bit:* - Extra Button: Show Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:*64bit:* - Extra 'Tools' menuitem : Show RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:*64bit:* - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:*64bit:* - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:*64bit:* - Extra Button: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - Reg Error: Value error. File not found
O9:*64bit:* - Extra 'Tools' menuitem : @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - Reg Error: Value error. File not found
O9:*64bit:* - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:*64bit:* - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: PrivDog - {2F5C139F-79BD-4C84-A95A-E7140525BC55} - Reg Error: Key error. File not found
O9 - Extra Button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll (Microsoft Corporation)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra Button: Show Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra 'Tools' menuitem : Show RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10:*64bit:* - NameSpace_Catalog5\Catalog_Entries64\000000000001 [] - C:\Windows\SysNative\nlaapi.dll (Microsoft Corporation)
O10:*64bit:* - NameSpace_Catalog5\Catalog_Entries64\000000000002 [] - C:\Windows\SysNative\NapiNSP.dll (Microsoft Corporation)
O10:*64bit:* - NameSpace_Catalog5\Catalog_Entries64\000000000003 [] - C:\Windows\SysNative\pnrpnsp.dll (Microsoft Corporation)
O10:*64bit:* - NameSpace_Catalog5\Catalog_Entries64\000000000004 [] - C:\Windows\SysNative\pnrpnsp.dll (Microsoft Corporation)
O10:*64bit:* - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Windows\SysNative\wshbth.dll (Microsoft Corporation)
O10:*64bit:* - NameSpace_Catalog5\Catalog_Entries64\000000000006 [] - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10:*64bit:* - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10:*64bit:* - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:*64bit:* - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Windows\SysNative\winrnr.dll (Microsoft Corporation)
O10:*64bit:* - NameSpace_Catalog5\Catalog_Entries64\000000000010 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10:*64bit:* - Protocol_Catalog9\Catalog_Entries64\000000000001 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:*64bit:* - Protocol_Catalog9\Catalog_Entries64\000000000002 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:*64bit:* - Protocol_Catalog9\Catalog_Entries64\000000000003 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:*64bit:* - Protocol_Catalog9\Catalog_Entries64\000000000004 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:*64bit:* - Protocol_Catalog9\Catalog_Entries64\000000000005 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:*64bit:* - Protocol_Catalog9\Catalog_Entries64\000000000006 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:*64bit:* - Protocol_Catalog9\Catalog_Entries64\000000000007 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:*64bit:* - Protocol_Catalog9\Catalog_Entries64\000000000008 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:*64bit:* - Protocol_Catalog9\Catalog_Entries64\000000000009 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:*64bit:* - Protocol_Catalog9\Catalog_Entries64\000000000010 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:*64bit:* - Protocol_Catalog9\Catalog_Entries64\000000000011 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\SysWOW64\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\SysWOW64\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\SysWOW64\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\SysWOW64\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\SysWOW64\wshbth.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corp.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Windows\SysWOW64\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O13*64bit:* - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\..Trusted Domains: brs-llc.com ([tess] https in Trusted sites)
O15 - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000\..Trusted Domains: google.com ([mail] https in Trusted sites)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://oas.support.microsoft.com/ActiveX/MSDcode.cab (Reg Error: Value error.)
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} https://h50203.www5.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} https://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect118.cab (GMNRev Class)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 168.126.63.1 168.126.63.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{637AC0A6-E97F-4DD3-BC08-96932D7654D0}: DhcpNameServer = 168.126.63.1 168.126.63.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{71954841-135B-4F40-A9CD-043CD2C0A4F6}: NameServer = 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{722ED704-906C-46A6-8370-CBEB7A9BB0F6}: NameServer = 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DFF3FE39-CF32-4E36-94DA-895958524BDA}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EC9D303B-2D0C-4783-87DA-46DD644894B0}: NameServer = 0.0.0.0
O18:*64bit:* - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\belarc - No CLSID value found
O18:*64bit:* - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysNative\MSVidCtl.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\livecall - No CLSID value found
O18:*64bit:* - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysNative\inetcomm.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\ms-help - No CLSID value found
O18:*64bit:* - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\msnim - No CLSID value found
O18:*64bit:* - Protocol\Handler\osf - No CLSID value found
O18:*64bit:* - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\skype4com - No CLSID value found
O18:*64bit:* - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:*64bit:* - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysNative\MSVidCtl.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Handler\wlmailhtml - No CLSID value found
O18:*64bit:* - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysWOW64\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher - No CLSID value found
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysWOW64\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files (x86)\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll (Microsoft Corporation)
O18 - Protocol\Handler\osf {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysWOW64\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files (x86)\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:*64bit:* - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O20:*64bit:* - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:*64bit:* - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:*64bit:* - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:*64bit:* - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll) - C:\Program Files (x86)\Citrix\GoToAssist\615\g2awinlogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20:*64bit:* - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
O21:*64bit:* - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28:*64bit:* - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O29:*64bit:* - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation)
O30:*64bit:* - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation)
O30:*64bit:* - LSA: Security Packages - (kerberos) - C:\Windows\SysNative\kerberos.dll (Microsoft Corporation)
O30:*64bit:* - LSA: Security Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation)
O30:*64bit:* - LSA: Security Packages - (schannel) - C:\Windows\SysNative\schannel.dll (Microsoft Corporation)
O30:*64bit:* - LSA: Security Packages - (wdigest) - C:\Windows\SysNative\wdigest.dll (Microsoft Corporation)
O30:*64bit:* - LSA: Security Packages - (tspkg) - C:\Windows\SysNative\tspkg.dll (Microsoft Corporation)
O30:*64bit:* - LSA: Security Packages - (pku2u) - C:\Windows\SysNative\pku2u.dll (Microsoft Corporation)
O30:*64bit:* - LSA: Security Packages - (livessp) - C:\Windows\SysNative\livessp.dll (Microsoft Corp.)
O30 - LSA: Security Packages - (kerberos) - C:\Windows\SysWow64\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\Windows\SysWow64\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\Windows\SysWow64\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) - C:\Windows\SysWow64\tspkg.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\SysWow64\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - C:\Windows\SysWow64\livessp.dll (Microsoft Corp.)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:*64bit:* - HKLM\..comfile [open] -- "%1" %*
O35:*64bit:* - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:*64bit:* - HKLM\...com [@ = comfile] -- "%1" %*
O37:*64bit:* - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

ActiveX:*64bit:* {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX:*64bit:* {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX:*64bit:* {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
ActiveX:*64bit:* {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX:*64bit:* {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX:*64bit:* {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX:*64bit:* {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX:*64bit:* {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX:*64bit:* {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX:*64bit:* {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX:*64bit:* {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX:*64bit:* {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX:*64bit:* {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX:*64bit:* {7DEBE4EB-6B40-3766-BB35-5CBBC385DA37} - .NET Framework
ActiveX:*64bit:* {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX:*64bit:* {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -UserConfig
ActiveX:*64bit:* {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX:*64bit:* {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX:*64bit:* {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX:*64bit:* {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX:*64bit:* {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX:*64bit:* {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX:*64bit:* {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
ActiveX:*64bit:* >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX:*64bit:* >{F1A1006C-3342-412A-AF42-0DE7C8DC6D51} - RunDLL32 IEDKCS32.DLL,BrandIE4 CUSTOM
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {7DEBE4EB-6B40-3766-BB35-5CBBC385DA37} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - 
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP


----------



## referee07 (Sep 11, 2003)

OTL Log Results Post #2:

MsConfig:64bit - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Audible Download Manager.lnk - C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe - (Audible, Inc.)
MsConfig:64bit - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HotSync Manager.lnk - C:\Program Files (x86)\Palm\Hotsync.exe - (PalmSource, Inc)
MsConfig:64bit - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk - C:\Program Files (x86)\HP\digital imaging\bin\hpqtra08.exe - (Hewlett-Packard Co.)
MsConfig:64bit - StartUpFolder: C:^Users^Carl^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk - C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE - (Microsoft Corporation)
MsConfig:64bit - StartUpFolder: C:^Users^Carl^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Password Safe.lnk - C:\Program Files (x86)\Password Safe\pwsafe.exe - (SourceForge.net)
MsConfig:64bit - StartUpReg: *Dell DataSafe Online* - hkey= - key= - Reg Error: Value error. File not found
MsConfig:64bit - StartUpReg: *DellStage* - hkey= - key= - Reg Error: Value error. File not found
MsConfig:64bit - StartUpReg: *downloadhq* - hkey= - key= - Reg Error: Value error. File not found
MsConfig:64bit - StartUpReg: *iTunesHelper* - hkey= - key= - Reg Error: Value error. File not found
MsConfig:64bit - StartUpReg: *QuickTime Task* - hkey= - key= - Reg Error: Value error. File not found
MsConfig:64bit - StartUpReg: *SoftickPPP* - hkey= - key= - Reg Error: Value error. File not found
MsConfig:64bit - StartUpReg: *SSBkgdUpdate* - hkey= - key= - Reg Error: Value error. File not found
MsConfig:64bit - State: "startup" - Reg Error: Key error.
MsConfig:64bit - State: "services" - Reg Error: Key error.
MsConfig:64bit - State: "bootini" - Reg Error: Key error.

Drivers32:*64bit:* msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.pspgru - C:\Windows\SysWow64\PSPGRU.acm (Philips Austria GmbH - Speech Processing)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

SafeBootMin:*64bit:* !SASCORE - C:\Program Files\SUPERAntiSpyware\SASCore64.exe (SUPERAntiSpyware.com)
SafeBootMin:*64bit:* Base - Driver Group
SafeBootMin:*64bit:* Boot Bus Extender - Driver Group
SafeBootMin:*64bit:* Boot file system - Driver Group
SafeBootMin:*64bit:* File system - Driver Group
SafeBootMin:*64bit:* Filter - Driver Group
SafeBootMin:*64bit:* HelpSvc - Service
SafeBootMin:*64bit:* mcmscsvc - Service
SafeBootMin:*64bit:* MCODS - Service
SafeBootMin:*64bit:* PCI Configuration - Driver Group
SafeBootMin:*64bit:* PNP Filter - Driver Group
SafeBootMin:*64bit:* Primary disk - Driver Group
SafeBootMin:*64bit:* sacsvr - Service
SafeBootMin:*64bit:* SCSI Class - Driver Group
SafeBootMin:*64bit:* System Bus Extender - Driver Group
SafeBootMin:*64bit:* vmms - Service
SafeBootMin:*64bit:* WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin:*64bit:* {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin:*64bit:* {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin:*64bit:* {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin:*64bit:* {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin:*64bit:* {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin:*64bit:* {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin:*64bit:* {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin:*64bit:* {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin:*64bit:* {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin:*64bit:* {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin:*64bit:* {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin:*64bit:* {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin:*64bit:* {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin:*64bit:* {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin:*64bit:* {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin:*64bit:* {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin:*64bit:* {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: mcmscsvc - Service
SafeBootMin: MCODS - Service
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vmms - Service
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

SafeBootNet:*64bit:* !SASCORE - C:\Program Files\SUPERAntiSpyware\SASCore64.exe (SUPERAntiSpyware.com)
SafeBootNet:*64bit:* Base - Driver Group
SafeBootNet:*64bit:* Boot Bus Extender - Driver Group
SafeBootNet:*64bit:* Boot file system - Driver Group
SafeBootNet:*64bit:* File system - Driver Group
SafeBootNet:*64bit:* Filter - Driver Group
SafeBootNet:*64bit:* HelpSvc - Service
SafeBootNet:*64bit:* mcmscsvc - Service
SafeBootNet:*64bit:* MCODS - Service
SafeBootNet:*64bit:* Messenger - Service
SafeBootNet:*64bit:* MpfService - Service
SafeBootNet:*64bit:* NDIS Wrapper - Driver Group
SafeBootNet:*64bit:* NetBIOSGroup - Driver Group
SafeBootNet:*64bit:* NetDDEGroup - Driver Group
SafeBootNet:*64bit:* Network - Driver Group
SafeBootNet:*64bit:* NetworkProvider - Driver Group
SafeBootNet:*64bit:* PCI Configuration - Driver Group
SafeBootNet:*64bit:* PNP Filter - Driver Group
SafeBootNet:*64bit:* PNP_TDI - Driver Group
SafeBootNet:*64bit:* Primary disk - Driver Group
SafeBootNet:*64bit:* rdsessmgr - Service
SafeBootNet:*64bit:* sacsvr - Service
SafeBootNet:*64bit:* SCSI Class - Driver Group
SafeBootNet:*64bit:* Streams Drivers - Driver Group
SafeBootNet:*64bit:* System Bus Extender - Driver Group
SafeBootNet:*64bit:* TDI - Driver Group
SafeBootNet:*64bit:* vmms - Service
SafeBootNet:*64bit:* WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootNet:*64bit:* WudfUsbccidDriver - Driver
SafeBootNet:*64bit:* {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet:*64bit:* {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet:*64bit:* {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet:*64bit:* {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet:*64bit:* {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet:*64bit:* {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet:*64bit:* {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet:*64bit:* {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet:*64bit:* {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet:*64bit:* {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet:*64bit:* {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet:*64bit:* {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet:*64bit:* {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet:*64bit:* {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet:*64bit:* {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet:*64bit:* {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet:*64bit:* {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet:*64bit:* {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet:*64bit:* {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet:*64bit:* {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet:*64bit:* {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet:*64bit:* {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\615\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SafeBootNet: HelpSvc - Service
SafeBootNet: mcmscsvc - Service
SafeBootNet: MCODS - Service
SafeBootNet: Messenger - Service
SafeBootNet: MpfService - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdsessmgr - Service
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vmms - Service
SafeBootNet: WudfUsbccidDriver - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2014/06/25 22:25:41 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Carl\Desktop\OTL.exe
[2014/06/25 22:16:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2014/06/25 22:16:14 | 000,264,616 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2014/06/25 22:16:04 | 000,175,528 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2014/06/25 22:16:04 | 000,175,528 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2014/06/25 22:16:04 | 000,098,216 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2014/06/25 22:16:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
[2014/06/25 21:47:42 | 029,405,096 | ---- | C] (Oracle Corporation) -- C:\Users\Carl\Desktop\jre-7u60-windows-i586.exe
[2014/06/21 12:30:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller
[2014/06/21 12:30:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 7
[2014/06/21 10:41:54 | 000,000,000 | ---D | C] -- C:\Windows\tasks\ImCleanDisabled
[2014/06/21 10:16:20 | 000,000,000 | ---D | C] -- C:\Users\Carl\AppData\Local\Adobe
[2014/06/15 11:01:00 | 000,000,000 | ---D | C] -- C:\FRST
[2014/06/14 08:11:51 | 000,801,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\usp10.dll
[2014/06/14 08:11:44 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msxml6r.dll
[2014/06/14 08:11:44 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msxml6r.dll
[2014/06/14 08:11:44 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msxml3r.dll
[2014/06/14 08:11:44 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msxml3r.dll
[2014/06/14 08:10:37 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2014/06/14 08:10:37 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieetwproxystub.dll
[2014/06/14 08:10:36 | 000,592,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript9diag.dll
[2014/06/14 08:10:33 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwproxystub.dll
[2014/06/14 08:10:33 | 000,038,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\JavaScriptCollectionAgent.dll
[2014/06/14 08:10:33 | 000,032,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
[2014/06/14 08:10:29 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2014/06/14 08:10:28 | 001,964,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2014/06/14 08:10:27 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2014/06/14 08:10:27 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollectorres.dll
[2014/06/14 08:10:26 | 000,631,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2014/06/14 08:10:26 | 000,452,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtmsft.dll
[2014/06/14 08:10:26 | 000,440,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2014/06/14 08:10:26 | 000,111,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollector.exe
[2014/06/14 08:10:23 | 000,608,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2014/06/14 08:10:23 | 000,066,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2014/06/14 08:10:21 | 002,040,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2014/06/14 08:10:21 | 001,068,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmlmedia.dll
[2014/06/14 08:10:20 | 000,704,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dll
[2014/06/14 08:10:20 | 000,112,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2014/06/14 08:10:18 | 000,164,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msrating.dll
[2014/06/14 08:10:18 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2014/06/14 08:10:17 | 000,574,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2014/06/14 08:10:17 | 000,295,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtrans.dll
[2014/06/14 08:10:14 | 005,782,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2014/06/14 08:10:14 | 001,249,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmlmedia.dll
[2014/06/14 08:10:14 | 000,752,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9diag.dll
[2014/06/14 08:10:14 | 000,139,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2014/06/14 08:10:14 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2014/06/14 08:10:13 | 000,548,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2014/06/14 08:10:12 | 000,846,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dll
[2014/06/14 08:10:12 | 000,195,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msrating.dll
[2014/06/14 08:10:11 | 000,940,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MsSpellCheckingFacility.exe
[2014/06/12 20:14:23 | 003,178,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpcorets.dll
[2014/06/12 20:14:23 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RdpGroupPolicyExtension.dll
[2014/06/12 20:10:32 | 000,506,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aepdu.dll
[2014/06/12 20:10:22 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aeinv.dll
[2014/06/11 19:51:36 | 000,288,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\FWPKCLNT.SYS
[2014/06/07 12:02:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2014/06/07 11:54:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
[2014/06/07 11:54:42 | 000,091,352 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2014/06/07 11:54:42 | 000,063,704 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mwac.sys
[2014/06/07 11:54:42 | 000,025,816 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2014/06/07 11:54:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes Anti-Malware
[2014/06/03 22:02:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2014/06/01 10:07:05 | 000,000,000 | ---D | C] -- C:\Users\Carl\Documents\Custom Office Templates
[2014/05/30 23:46:08 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MSECache
[2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2014/06/25 22:25:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Carl\Desktop\OTL.exe
[2014/06/25 22:21:35 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA1cf904db8563a05.job
[2014/06/25 22:20:08 | 000,022,464 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/06/25 22:20:08 | 000,022,464 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/06/25 22:15:32 | 000,098,216 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2014/06/25 22:15:26 | 000,264,616 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2014/06/25 22:15:26 | 000,175,528 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2014/06/25 22:15:25 | 000,175,528 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2014/06/25 22:10:48 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore1cf904db6bccd55.job
[2014/06/25 22:10:17 | 000,000,316 | ---- | M] () -- C:\Windows\tasks\Start Driver Reviver for [email protected](logon).job
[2014/06/25 22:09:57 | 000,065,536 | ---- | M] () -- C:\Windows\SysNative\Ikeext.etl
[2014/06/25 22:09:20 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/06/25 22:09:03 | 3061,202,944 | -HS- | M] () -- C:\hiberfil.sys
[2014/06/25 22:08:06 | 000,000,000 | ---- | M] () -- C:\asc_rdflag
[2014/06/25 21:48:09 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/06/25 21:47:45 | 029,405,096 | ---- | M] (Oracle Corporation) -- C:\Users\Carl\Desktop\jre-7u60-windows-i586.exe
[2014/06/25 21:26:15 | 000,002,171 | ---- | M] () -- C:\Users\Public\Desktop\Advanced SystemCare 7.lnk
[2014/06/25 20:00:00 | 000,000,508 | ---- | M] () -- C:\Windows\tasks\SUPERAntiSpyware Scheduled Task 89d96e21-0900-4f2a-9d96-c2751ce3503a.job
[2014/06/25 19:44:01 | 000,000,508 | ---- | M] () -- C:\Windows\tasks\SUPERAntiSpyware Scheduled Task b28be43d-0e44-486f-8b61-f2e15d77c340.job
[2014/06/25 18:00:01 | 000,000,466 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Registration3.job
[2014/06/22 20:43:30 | 000,000,132 | ---- | M] () -- C:\Users\Carl\Desktop\TalkToMeInKorean Curriculum Talk To Me In Korean.url
[2014/06/22 15:37:18 | 000,786,578 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2014/06/22 15:37:18 | 000,665,554 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2014/06/22 15:37:18 | 000,123,330 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2014/06/21 12:30:59 | 000,001,194 | ---- | M] () -- C:\Users\Public\Desktop\IObit Uninstaller.lnk
[2014/06/21 10:43:12 | 000,854,390 | ---- | M] () -- C:\Users\Carl\Desktop\SecurityCheck.exe
[2014/06/21 10:12:42 | 000,001,981 | ---- | M] () -- C:\Users\Carl\Documents\Adobe Reader XI.lnk
[2014/06/19 16:53:49 | 000,000,024 | ---- | M] () -- C:\Users\Carl\AppData\Roaming\temp.ini
[2014/06/16 21:24:42 | 000,000,190 | ---- | M] () -- C:\Users\Carl\Desktop\Verbix Languages Verbs-Korean Verb List.url
[2014/06/15 19:00:22 | 000,229,055 | ---- | M] () -- C:\Users\Carl\Desktop\Chameleon 3.png
[2014/06/15 18:19:49 | 000,192,514 | ---- | M] () -- C:\Users\Carl\Desktop\Chameleon 2.png
[2014/06/15 18:03:53 | 000,251,306 | ---- | M] () -- C:\Users\Carl\Desktop\Unable to Start Scan.png
[2014/06/15 17:08:32 | 000,091,352 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2014/06/15 11:14:32 | 000,003,155 | ---- | M] () -- C:\Users\Carl\AppData\Roaming\SAS7_000.DAT
[2014/06/14 22:56:06 | 000,128,728 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014/06/11 22:31:22 | 000,001,054 | ---- | M] () -- C:\Users\Carl\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
[2014/06/08 18:13:05 | 000,506,368 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\aepdu.dll
[2014/06/08 18:08:04 | 000,424,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\aeinv.dll
[2014/06/08 17:15:30 | 000,000,118 | ---- | M] () -- C:\Users\Carl\Desktop\Cats.url
[2014/06/08 15:36:46 | 000,000,824 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2014/06/07 11:54:48 | 000,001,068 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014/06/07 09:33:00 | 000,042,911 | ---- | M] () -- C:\Users\Carl\Desktop\Don't make someone a priority when.....jpg
[2014/06/03 22:04:54 | 000,001,745 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2014/05/30 19:02:09 | 000,004,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollectorres.dll
[2014/05/30 18:39:43 | 000,548,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2014/05/30 18:39:23 | 000,066,048 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2014/05/30 18:38:29 | 000,048,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwproxystub.dll
[2014/05/30 18:27:57 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2014/05/30 18:24:28 | 000,574,976 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2014/05/30 18:21:23 | 000,139,264 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2014/05/30 18:21:05 | 000,111,616 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollector.exe
[2014/05/30 18:20:36 | 000,752,640 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9diag.dll
[2014/05/30 18:11:24 | 000,940,032 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\MsSpellCheckingFacility.exe
[2014/05/30 18:08:22 | 005,782,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2014/05/30 18:06:42 | 000,452,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\dxtmsft.dll
[2014/05/30 17:55:36 | 000,038,400 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\JavaScriptCollectionAgent.dll
[2014/05/30 17:49:21 | 000,195,584 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msrating.dll
[2014/05/30 17:46:48 | 000,085,504 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2014/05/30 17:44:23 | 000,295,424 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\dxtrans.dll
[2014/05/30 17:43:06 | 000,061,952 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2014/05/30 17:42:16 | 000,051,200 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieetwproxystub.dll
[2014/05/30 17:35:44 | 000,608,768 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2014/05/30 17:33:48 | 000,032,768 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2014/05/30 17:30:43 | 000,440,832 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2014/05/30 17:29:31 | 000,631,808 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2014/05/30 17:28:33 | 000,112,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2014/05/30 17:27:56 | 000,592,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript9diag.dll
[2014/05/30 17:24:19 | 001,249,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmlmedia.dll
[2014/05/30 17:23:22 | 002,040,832 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2014/05/30 17:10:46 | 000,032,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
[2014/05/30 17:06:06 | 000,164,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\msrating.dll
[2014/05/30 17:04:20 | 000,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2014/05/30 16:50:09 | 001,068,032 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmlmedia.dll
[2014/05/30 16:49:38 | 001,964,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2014/05/30 16:13:47 | 000,704,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dll
[2014/05/30 16:13:09 | 000,846,336 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dll
[2014/05/29 20:03:06 | 000,048,392 | ---- | M] (COMODO CA Limited) -- C:\Windows\SysWow64\certsentry.dll
[2014/05/29 20:03:04 | 000,057,096 | ---- | M] (COMODO CA Limited) -- C:\Windows\SysNative\certsentry.dll
[2014/05/27 21:18:54 | 000,000,224 | ---- | M] () -- C:\Users\Carl\Desktop\Welcome to TRICARE Online.url
[2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2014/06/25 22:08:06 | 000,000,000 | ---- | C] () -- C:\asc_rdflag
[2014/06/25 17:16:09 | 000,000,898 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA1cf904db8563a05.job
[2014/06/25 17:16:06 | 000,000,894 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore1cf904db6bccd55.job
[2014/06/22 20:43:30 | 000,000,132 | ---- | C] () -- C:\Users\Carl\Desktop\TalkToMeInKorean Curriculum Talk To Me In Korean.url
[2014/06/21 12:30:59 | 000,001,194 | ---- | C] () -- C:\Users\Public\Desktop\IObit Uninstaller.lnk
[2014/06/21 12:30:39 | 000,002,171 | ---- | C] () -- C:\Users\Public\Desktop\Advanced SystemCare 7.lnk
[2014/06/21 10:43:11 | 000,854,390 | ---- | C] () -- C:\Users\Carl\Desktop\SecurityCheck.exe
[2014/06/21 10:18:17 | 000,001,981 | ---- | C] () -- C:\Users\Carl\Documents\Adobe Reader XI.lnk
[2014/06/21 10:12:41 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
[2014/06/19 16:53:49 | 000,000,024 | ---- | C] () -- C:\Users\Carl\AppData\Roaming\temp.ini
[2014/06/16 21:24:42 | 000,000,190 | ---- | C] () -- C:\Users\Carl\Desktop\Verbix Languages Verbs-Korean Verb List.url
[2014/06/15 19:00:21 | 000,229,055 | ---- | C] () -- C:\Users\Carl\Desktop\Chameleon 3.png
[2014/06/15 18:19:48 | 000,192,514 | ---- | C] () -- C:\Users\Carl\Desktop\Chameleon 2.png
[2014/06/15 18:05:52 | 000,251,306 | ---- | C] () -- C:\Users\Carl\Desktop\Unable to Start Scan.png
[2014/06/08 17:15:30 | 000,000,118 | ---- | C] () -- C:\Users\Carl\Desktop\Cats.url
[2014/06/07 11:54:48 | 000,001,068 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014/06/07 09:33:00 | 000,042,911 | ---- | C] () -- C:\Users\Carl\Desktop\Don't make someone a priority when.....jpg
[2014/06/03 22:04:54 | 000,001,745 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2014/05/30 23:47:13 | 000,002,671 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Word Viewer 2003.lnk
[2014/05/27 21:18:54 | 000,000,224 | ---- | C] () -- C:\Users\Carl\Desktop\Welcome to TRICARE Online.url
[2013/12/24 20:54:09 | 000,004,096 | -H-- | C] () -- C:\Users\Carl\AppData\Local\keyfile3.drm
[2013/11/04 19:45:19 | 000,268,968 | ---- | C] () -- C:\Windows\SysWow64\sqlite3.dll
[2013/07/25 20:19:09 | 000,003,358 | -H-- | C] () -- C:\Users\Carl\AppData\Local\cgoicqai.ini
[2013/07/13 21:15:25 | 000,006,834 | ---- | C] () -- C:\Users\Carl\FPC_Print.bat
[2013/04/16 12:54:58 | 000,000,673 | ---- | C] () -- C:\Windows\hpwmdl19.dat.temp
[2012/11/18 11:45:25 | 000,000,191 | ---- | C] () -- C:\Windows\SysWow64\CKUFR.DAT
[2012/08/02 19:50:32 | 000,348,160 | ---- | C] () -- C:\Windows\SysWow64\LXDNinst.dll
[2012/08/02 19:50:31 | 000,364,544 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdninpa.dll
[2012/08/02 19:50:31 | 000,339,968 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdniesc.dll
[2012/08/02 19:50:31 | 000,335,872 | ---- | C] () -- C:\Windows\SysWow64\lxdncomx.dll
[2012/08/02 19:50:30 | 000,843,776 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnusb1.dll
[2012/08/02 19:50:30 | 000,647,168 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnpmui.dll
[2012/08/02 19:50:29 | 001,101,824 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnserv.dll
[2012/08/02 19:50:29 | 000,569,344 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnlmpm.dll
[2012/08/02 19:50:29 | 000,315,392 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnih.exe
[2012/08/02 19:50:29 | 000,053,248 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnprox.dll
[2012/08/02 19:50:28 | 000,851,968 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdncomc.dll
[2012/08/02 19:50:28 | 000,663,552 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnhbn3.dll
[2012/08/02 19:50:28 | 000,589,824 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdncoms.exe
[2012/08/02 19:50:28 | 000,376,832 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdncomm.dll
[2012/08/02 19:50:28 | 000,360,448 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdncfg.exe
[2012/05/06 05:14:45 | 000,005,632 | ---- | C] () -- C:\Users\Carl\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/26 19:46:40 | 000,000,000 | ---- | C] () -- C:\Users\Carl\AppData\Local\{23DA9B32-6450-4418-B150-8BDE91B56D0B}
[2011/04/28 19:49:02 | 000,000,000 | ---- | C] () -- C:\Users\Carl\AppData\Local\{38E7C93E-FC7A-4959-9865-9A95BA0C8192}
[2011/03/23 11:40:27 | 000,943,104 | ---- | C] () -- C:\Program Files\amis.exe
[2011/03/19 22:12:43 | 000,003,155 | ---- | C] () -- C:\Users\Carl\AppData\Roaming\SAS7_000.DAT

========== ZeroAccess Check ==========

[2009/07/14 13:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/03/25 11:43:12 | 014,175,744 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/03/25 11:09:54 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2012/12/24 23:13:14 | 000,857,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2012/12/24 23:13:14 | 000,636,928 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2012/12/24 23:13:14 | 000,453,120 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2014/06/25 00:21:21 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\.strongvpn
[2011/12/03 08:10:59 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\048ED3D2-ED94-47E9-AEF2-F643B4C7A990
[2012/06/30 21:53:54 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\15DA7D08-71CA-4472-98B5-F3252603105D
[2011/12/03 08:10:59 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\801FEDA4-82AA-445A-BB17-B12E898643B5
[2011/12/02 17:49:19 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\9E5C3759-6EC8-476C-8AA9-DD7CEB851C9C
[2012/02/25 12:21:22 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Acapela Group
[2011/12/02 18:07:27 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Acronis
[2011/03/20 11:32:14 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Auslogics
[2013/07/11 20:31:58 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Backup Tickets
[2011/12/02 17:59:56 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\BAEB9C37-1055-4134-BFBE-ED69F07AA6DB
[2011/03/20 17:06:53 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\BSD
[2011/03/20 07:55:23 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\CACAEE6B-6EBD-41F6-ADF3-FDF7F910E94A
[2014/02/23 11:17:49 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Configuration
[2013/10/13 12:18:38 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\DC6DAAFA-AFBE-42CE-99F8-E741A07CCBD3
[2014/05/04 22:08:44 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\ESET
[2013/07/25 21:17:50 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\FileZilla
[2011/03/19 23:59:46 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Gmail Notifier Plus
[2014/06/01 10:29:48 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\GoodSync
[2014/05/08 11:17:55 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\GooPatient
[2012/09/22 20:02:27 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\HNC
[2011/04/02 07:50:08 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\HotSync
[2014/03/06 20:45:16 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\IObit
[2011/06/26 19:48:11 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\iolo
[2011/03/20 08:29:25 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Leadertech
[2014/01/04 10:43:45 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Nuance
[2011/03/20 20:54:40 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Palo Alto Software
[2011/03/20 11:40:55 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\ParetoLogic
[2011/03/20 11:10:08 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\PCDr
[2014/05/26 20:42:48 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\ProductData
[2013/07/09 20:24:31 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\RoboForm
[2013/07/25 22:14:45 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Samsung
[2012/01/15 11:09:12 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\ShowNumbers Plus!
[2013/11/16 21:09:35 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\TeamViewer
[2013/07/11 20:32:00 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Temp
[2012/06/03 07:53:49 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\TheSage
[2011/03/23 09:28:29 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\WindSolutions
[2011/03/20 11:34:42 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\WinPatrol
[2013/08/05 20:13:35 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Wondershare
[2011/03/22 19:23:34 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\WordWeb
[2013/04/24 08:29:25 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\IObit
[2013/04/24 08:29:25 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\IObit


----------



## referee07 (Sep 11, 2003)

OTL Log Results Post #3:

========== Purity Check ==========

========== Custom Scans ==========

========== Drive Information ==========

Physical Drives
---------------

Drive: \\\\.\\PHYSICALDRIVE0 - Fixed hard disk media
Interface type: IDE
Media Type: Fixed hard disk media
Model: ST9500325AS
Partitions: 3
Status: OK
Status Info: 0

Partitions
---------------

DeviceID: Disk #0, Partition #0
PartitionType: Unknown
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 102.00MB
Starting Offset: 32256
Hidden sectors: 0

DeviceID: Disk #0, Partition #1
PartitionType: Installable File System
Bootable: True
BootPartition: True
PrimaryPartition: True
Size: 15.00GB
Starting Offset: 106928640
Hidden sectors: 0

DeviceID: Disk #0, Partition #2
PartitionType: Installable File System
Bootable: False
BootPartition: False
PrimaryPartition: True
Size: 451.00GB
Starting Offset: 15835568640
Hidden sectors: 0

< %systemroot%\assembly\GAC_32\*.ini >

< %systemroot%\assembly\GAC_64\*.ini >

< %ALLUSERSPROFILE%\Application Data\*.exe >

< %APPDATA%\*. >
[2014/06/25 00:21:21 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\.strongvpn
[2011/12/03 08:10:59 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\048ED3D2-ED94-47E9-AEF2-F643B4C7A990
[2012/06/30 21:53:54 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\15DA7D08-71CA-4472-98B5-F3252603105D
[2011/12/03 08:10:59 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\801FEDA4-82AA-445A-BB17-B12E898643B5
[2011/12/02 17:49:19 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\9E5C3759-6EC8-476C-8AA9-DD7CEB851C9C
[2012/02/25 12:21:22 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Acapela Group
[2011/12/02 18:07:27 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Acronis
[2012/04/28 19:02:03 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Adobe
[2012/10/28 14:15:03 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Apple Computer
[2011/04/02 07:51:53 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Arcsoft
[2011/03/20 11:32:14 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Auslogics
[2013/07/11 20:31:58 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Backup Tickets
[2011/12/02 17:59:56 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\BAEB9C37-1055-4134-BFBE-ED69F07AA6DB
[2011/03/20 17:06:53 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\BSD
[2011/03/20 07:55:23 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\CACAEE6B-6EBD-41F6-ADF3-FDF7F910E94A
[2014/02/23 11:17:49 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Configuration
[2011/03/20 08:29:22 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Creative
[2013/10/13 12:18:38 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\DC6DAAFA-AFBE-42CE-99F8-E741A07CCBD3
[2011/03/20 08:29:37 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Dell
[2011/03/20 08:29:20 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Dell Touch Zone
[2014/05/04 22:08:44 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\ESET
[2013/07/25 21:17:50 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\FileZilla
[2011/11/30 21:17:55 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\FLEXnet
[2011/03/19 23:59:46 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Gmail Notifier Plus
[2014/06/01 10:29:48 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\GoodSync
[2011/03/20 07:36:11 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Google
[2014/05/08 11:17:55 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\GooPatient
[2012/09/22 20:02:27 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\HNC
[2011/04/02 07:50:08 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\HotSync
[2011/03/29 20:16:57 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\HP
[2011/04/17 09:22:09 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\hpqLog
[2011/03/20 08:28:51 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Identities
[2011/04/16 20:07:51 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\InstallShield
[2011/03/20 08:29:27 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Intel
[2014/03/06 20:45:16 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\IObit
[2011/06/26 19:48:11 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\iolo
[2011/03/20 08:29:25 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Leadertech
[2011/03/19 19:22:05 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Macromedia
[2014/05/04 09:31:29 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Malwarebytes
[2009/07/14 16:44:38 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Media Center Programs
[2014/06/15 13:11:20 | 000,000,000 | --SD | M] -- C:\Users\Carl\AppData\Roaming\Microsoft
[2011/03/20 08:43:53 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Mozilla
[2014/01/04 10:43:45 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Nuance
[2011/03/20 20:54:40 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Palo Alto Software
[2011/03/20 11:40:55 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\ParetoLogic
[2011/03/20 11:10:08 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\PCDr
[2014/05/26 20:42:48 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\ProductData
[2014/04/17 23:18:49 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Real
[2013/07/09 20:24:31 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\RoboForm
[2011/03/20 08:29:32 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Roxio
[2013/07/25 22:14:45 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Samsung
[2012/01/15 11:09:12 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\ShowNumbers Plus!
[2014/02/25 19:31:18 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Skype
[2013/04/09 19:43:39 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\SUPERAntiSpyware.com
[2013/11/16 21:09:35 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\TeamViewer
[2013/07/11 20:32:00 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Temp
[2012/06/03 07:53:49 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\TheSage
[2011/03/23 09:28:29 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\WindSolutions
[2011/03/20 11:34:42 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\WinPatrol
[2013/08/05 20:13:35 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Wondershare
[2011/03/22 19:23:34 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\WordWeb
[2011/03/23 13:51:37 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\Yahoo!

< %SYSTEMDRIVE%\*.* >
[2013/04/06 19:27:51 | 000,000,822 | ---- | M] () -- C:\AdwCleaner[R1].txt
[2013/04/06 20:26:57 | 000,000,897 | ---- | M] () -- C:\AdwCleaner[R2].txt
[2013/04/05 08:34:42 | 000,001,279 | ---- | M] () -- C:\AdwCleaner[S1].txt
[2013/04/05 22:29:05 | 000,000,704 | ---- | M] () -- C:\AdwCleaner[S2].txt
[2013/04/06 09:34:05 | 000,000,763 | ---- | M] () -- C:\AdwCleaner[S3].txt
[2014/06/25 22:08:06 | 000,000,000 | ---- | M] () -- C:\asc_rdflag
[2010/06/08 18:58:37 | 000,000,043 | ---- | M] () -- C:\CKINFO.TXT
[2011/01/21 03:15:54 | 000,003,923 | -H-- | M] () -- C:\dell.sdr
[2010/05/23 08:18:34 | 000,000,252 | ---- | M] () -- C:\EventLOG.txt
[2012/02/26 20:04:35 | 000,002,277 | ---- | M] () -- C:\GingerSetup.log
[2014/06/25 22:09:03 | 3061,202,944 | -HS- | M] () -- C:\hiberfil.sys
[2011/11/05 21:39:20 | 000,000,160 | ---- | M] () -- C:\log.txt
[2014/06/25 22:09:10 | 4081,606,656 | -HS- | M] () -- C:\pagefile.sys
[2011/12/28 19:37:10 | 000,036,182 | ---- | M] () -- C:\RPSetup.exe.log
[2014/05/24 11:26:04 | 000,076,588 | ---- | M] () -- C:\WindowsALGER.tt2
[2014/05/24 11:26:24 | 000,047,644 | ---- | M] () -- C:\WindowsBAUHS93.tt2
[2014/05/24 11:26:28 | 000,056,596 | ---- | M] () -- C:\WindowsHARLOWSI.tt2
[2014/05/24 11:26:28 | 000,094,064 | ---- | M] () -- C:\WindowsLEELAWAD.tt2
[2014/05/24 11:26:28 | 000,093,836 | ---- | M] () -- C:\WindowsLEELAWDB.tt2
[2014/05/24 11:26:39 | 021,302,624 | ---- | M] () -- C:\WindowsMSJH.tt2
[2014/05/24 11:26:43 | 014,343,024 | ---- | M] () -- C:\WindowsMSJHBD.tt2
[2014/05/24 11:26:51 | 000,222,632 | ---- | M] () -- C:\WindowsMSUIGHUR.tt2
[2014/05/24 11:26:53 | 021,543,568 | ---- | M] () -- C:\WindowsMSYH.tt2
[2014/05/24 11:27:08 | 014,381,616 | ---- | M] () -- C:\WindowsMSYHBD.tt2
[2014/05/24 11:27:14 | 000,066,696 | ---- | M] () -- C:\WindowsVIVALDII.tt2
[2011/12/30 09:24:49 | 000,004,369 | ---- | M] () -- C:\WirelessDiagLog.csv

< %PROGRAMFILES%\*.exe >

< %LOCALAPPDATA%\*.exe >

< %windir%\Installer\*.* >
[2013/09/12 18:07:34 | 009,443,840 | R--- | M] () -- C:\Windows\Installer\cd96d3.msp
[2013/09/16 14:18:08 | 071,412,224 | R--- | M] () -- C:\Windows\Installer\cd96ec.msp
[2013/09/16 14:15:34 | 003,464,192 | R--- | M] () -- C:\Windows\Installer\cd9702.msp
[2010/01/16 06:57:52 | 000,327,680 | ---- | M] () -- C:\Windows\Installer\cf05.msi
[2012/07/18 22:29:20 | 039,543,296 | ---- | M] () -- C:\Windows\Installer\cf0e7.msi
[2010/10/12 07:26:02 | 002,667,520 | ---- | M] () -- C:\Windows\Installer\cf10.msi
[2010/04/07 08:02:36 | 004,766,720 | ---- | M] () -- C:\Windows\Installer\cf43.msi
[2010/03/25 19:19:34 | 046,602,240 | ---- | M] () -- C:\Windows\Installer\cf4f.msi
[2014/05/04 22:53:52 | 072,777,728 | ---- | M] () -- C:\Windows\Installer\d1421.msi
[2013/07/24 08:07:24 | 031,627,776 | R--- | M] () -- C:\Windows\Installer\d599f7.msp
[2013/07/24 08:22:56 | 008,391,680 | R--- | M] () -- C:\Windows\Installer\d59a0d.msp
[2013/07/24 08:28:50 | 003,137,536 | R--- | M] () -- C:\Windows\Installer\d59a23.msp
[2013/07/24 08:10:48 | 063,476,736 | R--- | M] () -- C:\Windows\Installer\d59a3b.msp
[2013/08/14 02:45:24 | 071,415,296 | R--- | M] () -- C:\Windows\Installer\d59a54.msp
[2013/08/14 02:35:38 | 009,452,544 | R--- | M] () -- C:\Windows\Installer\d59a6a.msp
[2013/07/24 08:07:50 | 003,693,056 | R--- | M] () -- C:\Windows\Installer\d59a81.msp
[2013/07/24 08:34:12 | 023,167,488 | R--- | M] () -- C:\Windows\Installer\d59aa1.msp
[2013/07/24 10:02:40 | 000,748,032 | R--- | M] () -- C:\Windows\Installer\d59aa8.msp
[2013/07/24 10:03:04 | 092,986,880 | R--- | M] () -- C:\Windows\Installer\d59abf.msp
[2013/07/24 08:22:58 | 003,804,160 | R--- | M] () -- C:\Windows\Installer\d59ad5.msp
[2013/07/24 08:21:48 | 001,097,728 | R--- | M] () -- C:\Windows\Installer\d59aeb.msp
[2013/07/24 08:12:50 | 006,168,064 | R--- | M] () -- C:\Windows\Installer\d59b01.msp
[2013/08/14 02:38:28 | 017,805,312 | R--- | M] () -- C:\Windows\Installer\d59b2a.msp
[2013/08/14 02:37:10 | 000,390,144 | R--- | M] () -- C:\Windows\Installer\d59b47.msp
[2013/08/29 10:59:06 | 003,465,728 | R--- | M] () -- C:\Windows\Installer\d59b5c.msp
[2013/07/24 08:09:22 | 008,138,240 | R--- | M] () -- C:\Windows\Installer\d59b73.msp
[2013/07/24 08:41:24 | 004,946,432 | R--- | M] () -- C:\Windows\Installer\d59b91.msp
[2014/01/31 16:19:26 | 006,185,472 | R--- | M] () -- C:\Windows\Installer\df3885.msp
[2014/01/31 17:42:38 | 010,539,520 | R--- | M] () -- C:\Windows\Installer\df3899.msp
[2014/01/31 16:24:44 | 019,913,728 | R--- | M] () -- C:\Windows\Installer\df38ae.msp
[2012/10/30 05:42:14 | 000,163,840 | ---- | M] () -- C:\Windows\Installer\e14787.msi
[2012/10/30 05:42:14 | 004,028,928 | R--- | M] () -- C:\Windows\Installer\e14788.msp
[2012/10/30 05:42:14 | 000,177,664 | ---- | M] () -- C:\Windows\Installer\e147a5.msi
[2012/10/30 05:42:14 | 004,637,184 | R--- | M] () -- C:\Windows\Installer\e147a6.msp
[2013/10/25 18:00:00 | 046,393,856 | ---- | M] () -- C:\Windows\Installer\f230f2.msi
[2011/08/03 20:53:25 | 002,323,456 | ---- | M] () -- C:\Windows\Installer\f649a.msi
[2010/03/25 15:55:24 | 000,000,018 | ---- | M] () -- C:\Windows\Installer\verfile.tic
[2013/09/28 20:21:45 | 000,000,000 | ---- | M] () -- C:\Windows\Installer\wix{2EF5D87E-B7BD-458F-8428-E4D0B8B4E65C}.SchedServiceConfig.rmi
[2013/04/11 07:48:26 | 000,000,000 | ---- | M] () -- C:\Windows\Installer\wix{2F72F540-1F60-4266-9506-952B21D6640D}.SchedServiceConfig.rmi
[2011/06/18 09:41:35 | 000,000,000 | ---- | M] () -- C:\Windows\Installer\wix{439760BC-7737-4386-9B1D-A90A3E8A22EA}.SchedServiceConfig.rmi
[2012/06/30 10:10:10 | 000,000,000 | ---- | M] () -- C:\Windows\Installer\wix{6A76BEAF-6D1F-4273-A79B-DA8410A2E56B}.SchedServiceConfig.rmi
[2012/09/16 10:18:04 | 000,000,000 | ---- | M] () -- C:\Windows\Installer\wix{7446FE8D-C1F9-4D42-AAAE-5DBCE58605A6}.SchedServiceConfig.rmi
[2011/12/04 08:04:35 | 000,000,000 | ---- | M] () -- C:\Windows\Installer\wix{75104836-CAC7-444E-A39E-3F54151942F5}.SchedServiceConfig.rmi
[2014/03/01 08:46:09 | 000,000,000 | ---- | M] () -- C:\Windows\Installer\wix{787136D2-F0F8-4625-AA3F-72D7795AC842}.SchedServiceConfig.rmi
[2011/03/19 22:24:07 | 000,000,000 | ---- | M] () -- C:\Windows\Installer\wix{8F473675-D702-45F9-8EBC-342B40C17BF5}.SchedServiceConfig.rmi
[2012/03/13 19:49:20 | 000,000,000 | ---- | M] () -- C:\Windows\Installer\wix{B8AD779A-82DA-4365-A7D0-AD3DCFC55CFF}.SchedServiceConfig.rmi
[2013/01/13 10:27:26 | 000,000,000 | ---- | M] () -- C:\Windows\Installer\wix{D70884EA-E2CE-4539-91DB-4766CC1E5F5F}.SchedServiceConfig.rmi
[2011/01/21 22:19:35 | 000,000,000 | ---- | M] () -- C:\Windows\Installer\wix{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}.SchedServiceConfig.rmi
[2014/01/25 10:10:06 | 000,000,000 | ---- | M] () -- C:\Windows\Installer\wix{FE86CB0C-FCB3-4358-B4B0-B0A41E33B3DD}.SchedServiceConfig.rmi
[99 C:\Windows\Installer\*.tmp files -> C:\Windows\Installer\*.tmp -> ]

< %windir%\system32\tasks\*.* >

< %windir%\system32\tasks\*.* /64 >
[2014/05/14 23:48:01 | 000,003,768 | ---- | M] () -- C:\Windows\SysNative\tasks\Adobe Flash Player Updater
[2014/06/21 12:31:08 | 000,003,092 | ---- | M] () -- C:\Windows\SysNative\tasks\ASC7_PerformanceMonitor
[2014/06/21 12:30:43 | 000,002,852 | ---- | M] () -- C:\Windows\SysNative\tasks\ASC7_SkipUac_Carl
[2014/01/19 11:07:35 | 000,002,770 | ---- | M] () -- C:\Windows\SysNative\tasks\CCleanerSkipUAC
[2011/03/19 20:37:06 | 000,003,990 | ---- | M] () -- C:\Windows\SysNative\tasks\Go to RoboForm Install page
[2014/06/25 17:16:07 | 000,003,642 | ---- | M] () -- C:\Windows\SysNative\tasks\GoogleUpdateTaskMachineCore1cf904db6bccd55
[2014/06/25 17:16:10 | 000,003,894 | ---- | M] () -- C:\Windows\SysNative\tasks\GoogleUpdateTaskMachineUA1cf904db8563a05
[2012/08/02 19:51:37 | 000,003,188 | ---- | M] () -- C:\Windows\SysNative\tasks\Installation App Launcher
[2014/06/25 22:26:31 | 000,004,986 | ---- | M] () -- C:\Windows\SysNative\tasks\Microsoft Office 15 Sync Maintenance for DellNotebook-Carl DellNotebook
[2012/12/18 07:50:21 | 000,003,056 | ---- | M] () -- C:\Windows\SysNative\tasks\Microsoft_Hardware_Launch_devicecenter_exe
[2013/07/17 20:36:42 | 000,003,092 | ---- | M] () -- C:\Windows\SysNative\tasks\Microsoft_Hardware_Launch_ipoint_exe
[2013/07/17 20:36:41 | 000,003,090 | ---- | M] () -- C:\Windows\SysNative\tasks\Microsoft_Hardware_Launch_itype_exe
[2013/07/17 20:36:43 | 000,003,118 | ---- | M] () -- C:\Windows\SysNative\tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe
[2012/10/01 20:05:31 | 000,002,978 | ---- | M] () -- C:\Windows\SysNative\tasks\Microsoft_Hardware_Launch_rundll32_exe
[2013/07/17 20:36:37 | 000,003,062 | ---- | M] () -- C:\Windows\SysNative\tasks\Microsoft_MKC_Logon_Task_ipoint.exe
[2013/07/17 20:36:36 | 000,003,060 | ---- | M] () -- C:\Windows\SysNative\tasks\Microsoft_MKC_Logon_Task_itype.exe
[2014/05/25 19:24:16 | 000,004,114 | ---- | M] () -- C:\Windows\SysNative\tasks\Open URL by RoboForm
[2013/06/30 16:57:45 | 000,003,128 | ---- | M] () -- C:\Windows\SysNative\tasks\ParetoLogic Registration3
[2013/06/30 16:57:32 | 000,003,402 | ---- | M] () -- C:\Windows\SysNative\tasks\Privacy Controls_{B6102F2F-E15A-11E2-8848-F04DA267B03D}
[2011/05/28 19:40:01 | 000,003,210 | ---- | M] () -- C:\Windows\SysNative\tasks\RealUpgradeLogonTaskS-1-5-21-1817415294-4033379586-1234686743-1000
[2011/05/28 19:39:56 | 000,003,346 | ---- | M] () -- C:\Windows\SysNative\tasks\RealUpgradeScheduledTaskS-1-5-21-1817415294-4033379586-1234686743-1000
[2011/11/27 08:17:26 | 000,003,496 | ---- | M] () -- C:\Windows\SysNative\tasks\Run RoboForm Process
[2014/05/25 19:24:15 | 000,003,498 | ---- | M] () -- C:\Windows\SysNative\tasks\Run RoboForm TaskBar Icon
[2011/12/04 11:19:59 | 000,002,418 | ---- | M] () -- C:\Windows\SysNative\tasks\Spybot - Search & Destroy - Scheduled Task
[2011/12/04 11:19:15 | 000,002,422 | ---- | M] () -- C:\Windows\SysNative\tasks\Spybot - Search & Destroy Updater - Scheduled Task
[2013/08/28 17:20:54 | 000,004,032 | ---- | M] () -- C:\Windows\SysNative\tasks\SpywareBlaster AutoUpdate
[2013/07/04 11:17:19 | 000,002,614 | ---- | M] () -- C:\Windows\SysNative\tasks\Start Driver Reviver for [email protected](logon)
[2014/05/10 19:13:29 | 000,002,618 | ---- | M] () -- C:\Windows\SysNative\tasks\Start Registry Reviver for [email protected](logon)
[2013/04/10 08:37:51 | 000,003,588 | ---- | M] () -- C:\Windows\SysNative\tasks\SUPERAntiSpyware Scheduled Task 89d96e21-0900-4f2a-9d96-c2751ce3503a
[2013/04/10 08:37:51 | 000,003,514 | ---- | M] () -- C:\Windows\SysNative\tasks\SUPERAntiSpyware Scheduled Task b28be43d-0e44-486f-8b61-f2e15d77c340
[2014/06/21 12:31:00 | 000,002,884 | ---- | M] () -- C:\Windows\SysNative\tasks\Uninstaller_SkipUac_Administrator
[2012/11/18 11:47:00 | 000,002,970 | ---- | M] () -- C:\Windows\SysNative\tasks\{0267CD9A-2EE3-4FF8-AB57-1D1DE57B014F}
[2011/03/23 08:58:15 | 000,003,298 | ---- | M] () -- C:\Windows\SysNative\tasks\{133921E2-2021-4B45-8F53-90BD3987A7B9}
[2013/12/28 18:09:58 | 000,003,276 | ---- | M] () -- C:\Windows\SysNative\tasks\{153E0C11-AB59-4403-A009-C84D5BC3296D}
[2011/05/07 10:53:07 | 000,003,012 | ---- | M] () -- C:\Windows\SysNative\tasks\{271A9AA8-2C75-4F2C-9052-5597FB25E7B5}
[2012/07/27 20:30:11 | 000,003,200 | ---- | M] () -- C:\Windows\SysNative\tasks\{378D9E73-23D0-42F8-A7D1-645D978E8C33}
[2011/05/03 21:00:52 | 000,003,012 | ---- | M] () -- C:\Windows\SysNative\tasks\{38D3AC7C-20C2-4AE9-BED7-3A45570C6259}
[2013/09/29 11:07:56 | 000,003,266 | ---- | M] () -- C:\Windows\SysNative\tasks\{5FACD68B-EA69-4640-8738-1A78B7CC7AC8}
[2011/03/27 19:28:24 | 000,003,200 | ---- | M] () -- C:\Windows\SysNative\tasks\{6ACD8BB2-F9CD-44D0-A4A7-B1E2F26AE0BF}
[2011/05/07 10:53:07 | 000,003,012 | ---- | M] () -- C:\Windows\SysNative\tasks\{72E857CF-7393-4941-8587-00798EC27D64}
[2012/11/18 11:45:19 | 000,002,970 | ---- | M] () -- C:\Windows\SysNative\tasks\{7AD110DA-341A-4DBE-BDF3-9AEE42414B7B}
[2012/11/18 11:47:24 | 000,002,970 | ---- | M] () -- C:\Windows\SysNative\tasks\{80BC2314-73C6-4E2C-B4B4-4F6CBF187835}
[2011/10/09 19:38:00 | 000,003,138 | ---- | M] () -- C:\Windows\SysNative\tasks\{87807F17-6F61-4AC5-AE01-5BF05D7083C6}
[2012/11/18 11:45:48 | 000,002,970 | ---- | M] () -- C:\Windows\SysNative\tasks\{918D5FBF-014E-4809-BA84-A238F18A392E}
[2011/05/03 21:00:44 | 000,003,012 | ---- | M] () -- C:\Windows\SysNative\tasks\{A910FFBD-B08A-4594-A1E5-399A702FCC3B}
[2011/05/06 19:17:51 | 000,003,280 | ---- | M] () -- C:\Windows\SysNative\tasks\{AA77E7F2-D5AC-4C47-8944-1E10CF3A90B9}
[2012/09/03 19:31:23 | 000,003,124 | ---- | M] () -- C:\Windows\SysNative\tasks\{B3921F06-F64C-4E56-892D-7D6EF43CF2BB}
[2013/12/28 18:05:00 | 000,003,156 | ---- | M] () -- C:\Windows\SysNative\tasks\{CDBAFAB3-A304-4EC9-B0A8-9F7CC1FD2609}
[2012/11/18 11:46:32 | 000,002,970 | ---- | M] () -- C:\Windows\SysNative\tasks\{D89F63B8-51E8-4C59-9229-317F503BA789}
[2011/04/03 09:44:57 | 000,003,134 | ---- | M] () -- C:\Windows\SysNative\tasks\{F64F870B-9E94-4E08-ABE1-BACE1DFA94F1}
[2012/07/28 08:15:26 | 000,003,148 | ---- | M] () -- C:\Windows\SysNative\tasks\{FB9D8D71-DD85-47B6-A663-FF1E4CA05DAD}
[2012/01/08 13:03:12 | 000,003,282 | ---- | M] () -- C:\Windows\SysNative\tasks\{FC711627-AC4C-4C2E-B888-A81CB9874A26}


----------



## referee07 (Sep 11, 2003)

OTL Log Results Post #4:

< %systemroot%\Fonts\*.exe >

< %systemroot%\*. /mp /s >

< MD5 for: ATAPI.SYS >
[2009/07/14 10:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\drivers\atapi.sys
[2009/07/14 10:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\DriverStore\FileRepository\mshdc.inf_amd64_neutral_552ea5111ec825a6\atapi.sys
[2009/07/14 10:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\atapi.sys
[2009/07/14 10:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.17514_none_3b5e2d89382958dd\atapi.sys
[2009/07/14 10:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.18231_none_3b457059383c66e6\atapi.sys
[2009/07/14 10:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7601.22414_none_3be7afc0514717fa\atapi.sys

< MD5 for: CSRSS.EXE >
[2009/07/14 10:39:02 | 000,007,680 | ---- | M] (Microsoft Corporation) MD5=60C2862B4BF0FD9F582EF344C2B1EC72 -- C:\Windows\SysNative\csrss.exe
[2009/07/14 10:39:02 | 000,007,680 | ---- | M] (Microsoft Corporation) MD5=60C2862B4BF0FD9F582EF344C2B1EC72 -- C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\csrss.exe

< MD5 for: EXPLORER.EXE >
[2013/05/16 10:58:12 | 003,859,928 | ---- | M] (Safer-Networking Ltd.) MD5=03250DB0886A23B1F6C077C5D9F152B0 -- C:\Program Files (x86)\Spybot - Search & Destroy 2\explorer.exe
[2011/02/26 14:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_ba87e574ddfe652d\explorer.exe
[2011/02/25 15:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\explorer.exe
[2011/02/25 15:19:30 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=332FEAB1435662FC6C672E25BEB37BE3 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_afa79dc39081d0ba\explorer.exe
[2011/02/26 15:14:34 | 002,871,808 | ---- | M] (Microsoft Corporation) MD5=3B69712041F3D63605529BD66DC00C48 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_b0333b22a99da332\explorer.exe
[2010/11/20 21:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe
[2011/02/25 14:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\SysWOW64\explorer.exe
[2011/02/25 14:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_b9fc4815c4e292b5\explorer.exe
[2010/11/20 22:24:45 | 002,872,320 | ---- | M] (Microsoft Corporation) MD5=AC4C51EB24AA95B77F705AB159189E24 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe

< MD5 for: MSWSOCK.DLL >
[2010/11/20 22:27:10 | 000,326,144 | ---- | M] (Microsoft Corporation) MD5=1D5185A4C7E6695431AE4B55C3D7D333 -- C:\Windows\winsxs\amd64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7601.17514_none_16795c7543eb48cf\mswsock.dll
[2013/09/07 11:04:16 | 000,231,424 | ---- | M] (Microsoft Corporation) MD5=6547D445C4B69DC0083B619AC642DF04 -- C:\Windows\winsxs\x86_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7601.22444_none_bac3d364a4c3ea89\mswsock.dll
[2010/11/20 21:19:56 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=8999B8631C7FD9F7F9EC3CAFD953BA24 -- C:\Windows\winsxs\x86_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7601.17514_none_ba5ac0f18b8dd799\mswsock.dll
[2013/09/08 11:27:14 | 000,327,168 | ---- | M] (Microsoft Corporation) MD5=9A9F9F1A77D6A80EE28B57664F00013E -- C:\Windows\SysNative\mswsock.dll
[2013/09/08 11:27:14 | 000,327,168 | ---- | M] (Microsoft Corporation) MD5=9A9F9F1A77D6A80EE28B57664F00013E -- C:\Windows\winsxs\amd64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7601.18254_none_164e004b440bdabf\mswsock.dll
[2013/09/07 11:24:39 | 000,327,168 | ---- | M] (Microsoft Corporation) MD5=BDDB1FD258B92DEE00F222D3304B5D9C -- C:\Windows\winsxs\amd64_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7601.22444_none_16e26ee85d215bbf\mswsock.dll
[2013/09/08 11:03:58 | 000,231,424 | ---- | M] (Microsoft Corporation) MD5=E94C583CDE2348950155F2AF2876F34D -- C:\Windows\SysWOW64\mswsock.dll
[2013/09/08 11:03:58 | 000,231,424 | ---- | M] (Microsoft Corporation) MD5=E94C583CDE2348950155F2AF2876F34D -- C:\Windows\winsxs\x86_microsoft-windows-w..-infrastructure-bsp_31bf3856ad364e35_6.1.7601.18254_none_ba2f64c78bae6989\mswsock.dll

< MD5 for: NAPINSP.DLL >
[2009/07/14 10:16:02 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=0B7E85364CB878E2AD531DB7B601A9E5 -- C:\Windows\SysWOW64\NapiNSP.dll
[2009/07/14 10:16:02 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=0B7E85364CB878E2AD531DB7B601A9E5 -- C:\Windows\winsxs\x86_microsoft-windows-n..ider-infrastructure_31bf3856ad364e35_6.1.7600.16385_none_abf396ebf0847c31\NapiNSP.dll
[2009/07/14 10:41:52 | 000,068,096 | ---- | M] (Microsoft Corporation) MD5=58A0CDABEA255616827B1C22C9994466 -- C:\Windows\SysNative\NapiNSP.dll
[2009/07/14 10:41:52 | 000,068,096 | ---- | M] (Microsoft Corporation) MD5=58A0CDABEA255616827B1C22C9994466 -- C:\Windows\winsxs\amd64_microsoft-windows-n..ider-infrastructure_31bf3856ad364e35_6.1.7600.16385_none_0812326fa8e1ed67\NapiNSP.dll

< MD5 for: NLAAPI.DLL >
[2012/01/13 16:12:03 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=0BA65122FFA7E37564EE86422DBF7AE8 -- C:\Windows\SysWOW64\nlaapi.dll
[2012/01/13 16:12:03 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=0BA65122FFA7E37564EE86422DBF7AE8 -- C:\Windows\winsxs\wow64_microsoft-windows-nlasvc_31bf3856ad364e35_6.1.7601.17964_none_cfca9d84561311f2\nlaapi.dll
[2010/11/20 21:20:30 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=104A1070E90F1C530328E69B49718841 -- C:\Windows\winsxs\wow64_microsoft-windows-nlasvc_31bf3856ad364e35_6.1.7601.17514_none_d000a58855ea91a1\nlaapi.dll
[2012/10/04 01:29:27 | 000,052,224 | ---- | M] (Microsoft Corporation) MD5=11B8C7970C10650827D060AA81BEE63F -- C:\Windows\winsxs\wow64_microsoft-windows-nlasvc_31bf3856ad364e35_6.1.7601.22124_none_d07f52216f10753a\nlaapi.dll
[2010/11/20 22:27:22 | 000,070,656 | ---- | M] (Microsoft Corporation) MD5=2DF36F15B2BC1571A6A542A3C2107920 -- C:\Windows\winsxs\amd64_microsoft-windows-nlasvc_31bf3856ad364e35_6.1.7601.17514_none_c5abfb362189cfa6\nlaapi.dll
[2012/10/04 02:44:21 | 000,070,656 | ---- | M] (Microsoft Corporation) MD5=46BB91A169B9B31FF44EB04C48EC1D41 -- C:\Windows\SysNative\nlaapi.dll
[2012/10/04 02:44:21 | 000,070,656 | ---- | M] (Microsoft Corporation) MD5=46BB91A169B9B31FF44EB04C48EC1D41 -- C:\Windows\winsxs\amd64_microsoft-windows-nlasvc_31bf3856ad364e35_6.1.7601.17964_none_c575f33221b24ff7\nlaapi.dll
[2012/10/04 02:32:48 | 000,070,656 | ---- | M] (Microsoft Corporation) MD5=C98BCE54F31113D5E736C1097FD086DC -- C:\Windows\winsxs\amd64_microsoft-windows-nlasvc_31bf3856ad364e35_6.1.7601.22124_none_c62aa7cf3aafb33f\nlaapi.dll

< MD5 for: PNRPNSP.DLL >
[2009/07/14 10:16:12 | 000,065,024 | ---- | M] (Microsoft Corporation) MD5=5CF640EDDB1E40A5AB1BB743BCDEC610 -- C:\Windows\SysWOW64\pnrpnsp.dll
[2009/07/14 10:16:12 | 000,065,024 | ---- | M] (Microsoft Corporation) MD5=5CF640EDDB1E40A5AB1BB743BCDEC610 -- C:\Windows\winsxs\wow64_microsoft-windows-peertopeerpnrp_31bf3856ad364e35_6.1.7600.16385_none_d7c8b1ac70865dab\pnrpnsp.dll
[2009/07/14 10:41:53 | 000,086,016 | ---- | M] (Microsoft Corporation) MD5=613C8CE10A5FDE582BA5FA64C4D56AAA -- C:\Windows\SysNative\pnrpnsp.dll
[2009/07/14 10:41:53 | 000,086,016 | ---- | M] (Microsoft Corporation) MD5=613C8CE10A5FDE582BA5FA64C4D56AAA -- C:\Windows\winsxs\amd64_microsoft-windows-peertopeerpnrp_31bf3856ad364e35_6.1.7600.16385_none_cd74075a3c259bb0\pnrpnsp.dll

< MD5 for: PRINTISOLATIONHOST.EXE >
[2009/07/14 10:39:27 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=22F020C76E339EB2B2187BA73A7E4173 -- C:\Windows\SysNative\PrintIsolationHost.exe
[2009/07/14 10:39:27 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=22F020C76E339EB2B2187BA73A7E4173 -- C:\Windows\winsxs\amd64_microsoft-windows-p..ng-server-isolation_31bf3856ad364e35_6.1.7600.16385_none_f8a40495785334a9\PrintIsolationHost.exe

< MD5 for: REGEDIT.EXE >
[2009/07/14 10:39:29 | 000,427,008 | ---- | M] (Microsoft Corporation) MD5=2E2C937846A0B8789E5E91739284D17A -- C:\Windows\winsxs\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5023a70bf589ad3e\regedit.exe
[2009/07/14 10:39:29 | 000,427,008 | ---- | M] (Microsoft Corporation) MD5=8A4883F5E7AC37444F23279239553878 -- C:\Windows\regedit.exe
[2009/07/14 10:14:30 | 000,398,336 | ---- | M] (Microsoft Corporation) MD5=8A4883F5E7AC37444F23279239553878 -- C:\Windows\SysWOW64\regedit.exe
[2009/07/14 10:14:30 | 000,398,336 | ---- | M] (Microsoft Corporation) MD5=8A4883F5E7AC37444F23279239553878 -- C:\Windows\winsxs\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5a78515e29ea6f39\regedit.exe

< MD5 for: SERVICES.EXE >
[2009/07/14 10:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\SysNative\services.exe
[2009/07/14 10:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe

< MD5 for: SVCHOST.EXE >
[2014/05/12 07:24:30 | 000,750,392 | ---- | M] (MalwareBytes) MD5=09882E8EDD1144E6EF1AF6D1F98305EE -- C:\Program Files (x86)\Malwarebytes Anti-Malware\Chameleon\Windows\svchost.exe
[2009/07/14 10:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\SysWOW64\svchost.exe
[2009/07/14 10:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2009/07/14 10:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\SysNative\svchost.exe
[2009/07/14 10:39:46 | 000,027,136 | ---- | M] (Microsoft Corporation) MD5=C78655BC80301D76ED4FEF1C1EA40A7D -- C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe

< MD5 for: USER32.DLL >
[2010/11/20 21:08:57 | 000,833,024 | ---- | M] (Microsoft Corporation) MD5=5E0DB2D8B2750543CD2EBB9EA8E6CDD3 -- C:\Windows\SysWOW64\user32.dll
[2010/11/20 21:08:57 | 000,833,024 | ---- | M] (Microsoft Corporation) MD5=5E0DB2D8B2750543CD2EBB9EA8E6CDD3 -- C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
[2010/11/20 22:27:27 | 001,008,128 | ---- | M] (Microsoft Corporation) MD5=FE70103391A64039A921DBFFF9C7AB1B -- C:\Windows\SysNative\user32.dll
[2010/11/20 22:27:27 | 001,008,128 | ---- | M] (Microsoft Corporation) MD5=FE70103391A64039A921DBFFF9C7AB1B -- C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll

< MD5 for: USERINIT.EXE >
[2010/11/20 21:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\SysWOW64\userinit.exe
[2010/11/20 21:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2010/11/20 22:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\SysNative\userinit.exe
[2010/11/20 22:25:24 | 000,030,720 | ---- | M] (Microsoft Corporation) MD5=BAFE84E637BF7388C96EF48D4D3FDD53 -- C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_3a4ebf84e84f824c\userinit.exe

< MD5 for: WINLOGON.EXE >
[2014/05/12 07:24:30 | 000,750,392 | ---- | M] (MalwareBytes) MD5=09882E8EDD1144E6EF1AF6D1F98305EE -- C:\Program Files (x86)\Malwarebytes Anti-Malware\Chameleon\Windows\winlogon.exe
[2010/11/20 22:25:30 | 000,390,656 | ---- | M] (Microsoft Corporation) MD5=1151B1BAA6F350B1DB6598E0FEA7C457 -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe
[2014/03/04 20:08:14 | 000,455,680 | ---- | M] (Microsoft Corporation) MD5=6CE2AE073BD21C542FC2C707CAE944CC -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.22616_none_ce748d1d04acf24f\winlogon.exe
[2014/03/04 18:43:50 | 000,455,168 | ---- | M] (Microsoft Corporation) MD5=88AB9B72B4BF3963A0DE0820B4B0B06C -- C:\Windows\SysNative\winlogon.exe
[2014/03/04 18:43:50 | 000,455,168 | ---- | M] (Microsoft Corporation) MD5=88AB9B72B4BF3963A0DE0820B4B0B06C -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.18409_none_cdf8bf35eb848572\winlogon.exe

< MD5 for: WINRNR.DLL >
[2009/07/14 10:41:56 | 000,028,672 | ---- | M] (Microsoft Corporation) MD5=2E2072EB48238FCA8FBB7A9F5FABAC45 -- C:\Windows\SysNative\winrnr.dll
[2009/07/14 10:41:56 | 000,028,672 | ---- | M] (Microsoft Corporation) MD5=2E2072EB48238FCA8FBB7A9F5FABAC45 -- C:\Windows\winsxs\amd64_microsoft-windows-dns-client-winrnr_31bf3856ad364e35_6.1.7600.16385_none_b543449669c73e11\winrnr.dll
[2009/07/14 10:16:19 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=5DF5D8CFD9B9573FA3B2C89D9061A240 -- C:\Windows\SysWOW64\winrnr.dll
[2009/07/14 10:16:19 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=5DF5D8CFD9B9573FA3B2C89D9061A240 -- C:\Windows\winsxs\x86_microsoft-windows-dns-client-winrnr_31bf3856ad364e35_6.1.7600.16385_none_5924a912b169ccdb\winrnr.dll

< MD5 for: WSHELPER.DLL >
[2009/07/14 10:16:20 | 000,015,360 | ---- | M] (Microsoft Corporation) MD5=5B90BB3171504C9DAF3C5CB44B203CA7 -- C:\Windows\SysWOW64\wshelper.dll
[2009/07/14 10:16:20 | 000,015,360 | ---- | M] (Microsoft Corporation) MD5=5B90BB3171504C9DAF3C5CB44B203CA7 -- C:\Windows\winsxs\wow64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6ace9e67456cc40b\wshelper.dll
[2009/07/14 10:41:58 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=D314DA4B0B8DCD023D547FC568E34FB6 -- C:\Windows\SysNative\wshelper.dll
[2009/07/14 10:41:58 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=D314DA4B0B8DCD023D547FC568E34FB6 -- C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210\wshelper.dll

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Dragon\InstallInfo\\ReinstallCommand: "C:\Program Files (x86)\Comodo\Dragon\dragon.exe" --make-default-browser [2014/05/21 19:21:10 | 001,261,248 | ---- | M] (Comodo)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Dragon\InstallInfo\\HideIconsCommand: "C:\Program Files (x86)\Comodo\Dragon\dragon.exe" --hide-icons [2014/05/21 19:21:10 | 001,261,248 | ---- | M] (Comodo)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Dragon\InstallInfo\\ShowIconsCommand: "C:\Program Files (x86)\Comodo\Dragon\dragon.exe" --show-icons [2014/05/21 19:21:10 | 001,261,248 | ---- | M] (Comodo)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Dragon\shell\open\command\\: "C:\Program Files (x86)\Comodo\Dragon\dragon.exe" [2014/05/21 19:21:10 | 001,261,248 | ---- | M] (Comodo)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2014/06/02 15:03:18 | 000,810,200 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2014/06/02 15:03:18 | 000,810,200 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Dragon\InstallInfo\\ReinstallCommand: "C:\PROGRAM FILES (X86)\COMODO\DRAGON\DRAGON.EXE" --MAKE-DEFAULT-BROWSER [2014/05/21 19:21:10 | 001,261,248 | ---- | M] (Comodo)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Dragon\InstallInfo\\HideIconsCommand: "C:\PROGRAM FILES (X86)\COMODO\DRAGON\DRAGON.EXE" --HIDE-ICONS [2014/05/21 19:21:10 | 001,261,248 | ---- | M] (Comodo)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Dragon\InstallInfo\\ShowIconsCommand: "C:\PROGRAM FILES (X86)\COMODO\DRAGON\DRAGON.EXE" --SHOW-ICONS [2014/05/21 19:21:10 | 001,261,248 | ---- | M] (Comodo)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Dragon\shell\open\command\\: "C:\PROGRAM FILES (X86)\COMODO\DRAGON\DRAGON.EXE" [2014/05/21 19:21:10 | 001,261,248 | ---- | M] (Comodo)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -SHOW [2014/05/30 17:35:44 | 000,608,768 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -REINSTALL [2014/05/30 17:35:44 | 000,608,768 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -HIDE [2014/05/30 17:35:44 | 000,608,768 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE" -EXTOFF [2014/06/02 15:03:18 | 000,810,200 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE [2014/06/02 15:03:18 | 000,810,200 | ---- | M] (Microsoft Corporation)

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemdrive%\$Recycle.Bin|@;true;true;true /fp >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< C:\Windows\assembly\tmp\U\*.* /s >
[2009/07/14 14:08:49 | 000,000,006 | -H-- | C] () -- C:\Windows\Tasks\SA.DAT
[2009/07/14 14:08:49 | 000,032,556 | ---- | C] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/12/04 11:18:49 | 000,000,254 | ---- | C] () -- C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
[2011/12/04 11:19:15 | 000,000,276 | ---- | C] () -- C:\Windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
[2013/04/10 08:37:50 | 000,000,508 | ---- | C] () -- C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 89d96e21-0900-4f2a-9d96-c2751ce3503a.job
[2013/04/10 08:37:51 | 000,000,508 | ---- | C] () -- C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task b28be43d-0e44-486f-8b61-f2e15d77c340.job
[2013/06/30 16:57:30 | 000,000,464 | ---- | C] () -- C:\Windows\Tasks\Privacy Controls_{B6102F2F-E15A-11E2-8848-F04DA267B03D}.job
[2013/06/30 16:57:44 | 000,000,466 | ---- | C] () -- C:\Windows\Tasks\ParetoLogic Registration3.job
[2013/07/04 11:17:18 | 000,000,316 | ---- | C] () -- C:\Windows\Tasks\Start Driver Reviver for [email protected](logon).job
[2013/09/06 23:31:23 | 000,000,830 | ---- | C] () -- C:\Windows\Tasks\Adobe Flash Player Updater.job
[2014/05/10 19:13:29 | 000,000,320 | ---- | C] () -- C:\Windows\Tasks\Start Registry Reviver for [email protected](logon).job
[2014/06/25 17:16:06 | 000,000,894 | ---- | C] () -- C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf904db6bccd55.job
[2014/06/25 17:16:09 | 000,000,898 | ---- | C] () -- C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cf904db8563a05.job

< %Temp%\smtmp\* \s >

< %Temp%\smtmp\1\*.* >

< %Temp%\smtmp\2\*.* >

< %Temp%\smtmp\3\*.* >

< %Temp%\smtmp\4\*.* >

< dir "%systemdrive%\*" /S /A:L /C >
Volume in drive C is OS
Volume Serial Number is B4B7-99A8
Directory of C:\
07/14/2009 02:08 PM <JUNCTION> Documents and Settings [C:\Users]
0 File(s) 0 bytes
Directory of C:\ProgramData
07/14/2009 02:08 PM <JUNCTION> Application Data [C:\ProgramData]
07/14/2009 02:08 PM <JUNCTION> Desktop [C:\Users\Public\Desktop]
07/14/2009 02:08 PM <JUNCTION> Documents [C:\Users\Public\Documents]
07/14/2009 02:08 PM <JUNCTION> Favorites [C:\Users\Public\Favorites]
07/14/2009 02:08 PM <JUNCTION> Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
07/14/2009 02:08 PM <JUNCTION> Templates [C:\ProgramData\Microsoft\Windows\Templates]
0 File(s) 0 bytes
Directory of C:\Users
07/14/2009 02:08 PM <SYMLINKD> All Users [C:\ProgramData]
07/14/2009 02:08 PM <JUNCTION> Default User [C:\Users\Default]
0 File(s) 0 bytes
Directory of C:\Users\All Users
07/14/2009 02:08 PM <JUNCTION> Application Data [C:\ProgramData]
07/14/2009 02:08 PM <JUNCTION> Desktop [C:\Users\Public\Desktop]
07/14/2009 02:08 PM <JUNCTION> Documents [C:\Users\Public\Documents]
07/14/2009 02:08 PM <JUNCTION> Favorites [C:\Users\Public\Favorites]
07/14/2009 02:08 PM <JUNCTION> Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
07/14/2009 02:08 PM <JUNCTION> Templates [C:\ProgramData\Microsoft\Windows\Templates]
0 File(s) 0 bytes
Directory of C:\Users\Carl
03/20/2011 08:25 AM <JUNCTION> Application Data [C:\Users\Carl\AppData\Roaming]
03/20/2011 08:25 AM <JUNCTION> Cookies [C:\Users\Carl\AppData\Roaming\Microsoft\Windows\Cookies]
03/20/2011 08:25 AM <JUNCTION> Local Settings [C:\Users\Carl\AppData\Local]
03/20/2011 08:25 AM <JUNCTION> My Documents [C:\Users\Carl\Documents]
03/20/2011 08:25 AM <JUNCTION> NetHood [C:\Users\Carl\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
03/20/2011 08:25 AM <JUNCTION> PrintHood [C:\Users\Carl\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
03/20/2011 08:25 AM <JUNCTION> Recent [C:\Users\Carl\AppData\Roaming\Microsoft\Windows\Recent]
03/20/2011 08:25 AM <JUNCTION> SendTo [C:\Users\Carl\AppData\Roaming\Microsoft\Windows\SendTo]
03/20/2011 08:25 AM <JUNCTION> Start Menu [C:\Users\Carl\AppData\Roaming\Microsoft\Windows\Start Menu]
03/20/2011 08:25 AM <JUNCTION> Templates [C:\Users\Carl\AppData\Roaming\Microsoft\Windows\Templates]
0 File(s) 0 bytes
Directory of C:\Users\Carl\AppData\Local
03/20/2011 08:25 AM <JUNCTION> Application Data [C:\Users\Carl\AppData\Local]
03/20/2011 08:25 AM <JUNCTION> History [C:\Users\Carl\AppData\Local\Microsoft\Windows\History]
03/20/2011 08:25 AM <JUNCTION> Temporary Internet Files [C:\Users\Carl\AppData\Local\Microsoft\Windows\Temporary Internet Files]
0 File(s) 0 bytes
Directory of C:\Users\Carl\AppData\LocalLow\Siber Systems\RoboForm
05/26/2014 08:12 PM <SYMLINKD> UserData [C:/Users/Carl/Documents/My RoboForm Data/Default Profile]
0 File(s) 0 bytes
Directory of C:\Users\Carl\Documents
03/20/2011 08:25 AM <JUNCTION> My Music [C:\Users\Carl\Music]
03/20/2011 08:25 AM <JUNCTION> My Pictures [C:\Users\Carl\Pictures]
03/20/2011 08:25 AM <JUNCTION> My Videos [C:\Users\Carl\Videos]
0 File(s) 0 bytes
Directory of C:\Users\Default
07/14/2009 02:08 PM <JUNCTION> Application Data [C:\Users\Default\AppData\Roaming]
07/14/2009 02:08 PM <JUNCTION> Cookies [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies]
07/14/2009 02:08 PM <JUNCTION> Local Settings [C:\Users\Default\AppData\Local]
07/14/2009 02:08 PM <JUNCTION> My Documents [C:\Users\Default\Documents]
07/14/2009 02:08 PM <JUNCTION> NetHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
07/14/2009 02:08 PM <JUNCTION> PrintHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
07/14/2009 02:08 PM <JUNCTION> Recent [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent]
07/14/2009 02:08 PM <JUNCTION> SendTo [C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo]
07/14/2009 02:08 PM <JUNCTION> Start Menu [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu]
07/14/2009 02:08 PM <JUNCTION> Templates [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates]
0 File(s) 0 bytes
Directory of C:\Users\Default\AppData\Local
07/14/2009 02:08 PM <JUNCTION> Application Data [C:\Users\Default\AppData\Local]
07/14/2009 02:08 PM <JUNCTION> History [C:\Users\Default\AppData\Local\Microsoft\Windows\History]
07/14/2009 02:08 PM <JUNCTION> Temporary Internet Files [C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files]
0 File(s) 0 bytes
Directory of C:\Users\Default\Documents
07/14/2009 02:08 PM <JUNCTION> My Music [C:\Users\Default\Music]
07/14/2009 02:08 PM <JUNCTION> My Pictures [C:\Users\Default\Pictures]
07/14/2009 02:08 PM <JUNCTION> My Videos [C:\Users\Default\Videos]
0 File(s) 0 bytes
Directory of C:\Users\Public\Documents
07/14/2009 02:08 PM <JUNCTION> My Music [C:\Users\Public\Music]
07/14/2009 02:08 PM <JUNCTION> My Pictures [C:\Users\Public\Pictures]
07/14/2009 02:08 PM <JUNCTION> My Videos [C:\Users\Public\Videos]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile
04/02/2011 07:49 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Roaming]
04/02/2011 07:49 AM <JUNCTION> Cookies [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies]
04/02/2011 07:49 AM <JUNCTION> Local Settings [C:\Windows\system32\config\systemprofile\AppData\Local]
04/02/2011 07:49 AM <JUNCTION> My Documents [C:\Windows\system32\config\systemprofile\Documents]
04/02/2011 07:49 AM <JUNCTION> NetHood [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
04/02/2011 07:49 AM <JUNCTION> PrintHood [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
04/02/2011 07:49 AM <JUNCTION> Recent [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent]
04/02/2011 07:49 AM <JUNCTION> SendTo [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo]
04/02/2011 07:49 AM <JUNCTION> Start Menu [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu]
04/02/2011 07:49 AM <JUNCTION> Templates [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\AppData\Local
04/02/2011 07:49 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
04/02/2011 07:49 AM <JUNCTION> History [C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History]
04/02/2011 07:49 AM <JUNCTION> Temporary Internet Files [C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files]
0 File(s) 0 bytes
Directory of C:\Windows\System32\config\systemprofile\Documents
04/02/2011 07:49 AM <JUNCTION> My Music [C:\Windows\system32\config\systemprofile\Music]
04/02/2011 07:49 AM <JUNCTION> My Pictures [C:\Windows\system32\config\systemprofile\Pictures]
04/02/2011 07:49 AM <JUNCTION> My Videos [C:\Windows\system32\config\systemprofile\Videos]
0 File(s) 0 bytes
Directory of C:\Windows\SysWOW64\config\systemprofile
04/02/2011 07:49 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Roaming]
04/02/2011 07:49 AM <JUNCTION> Cookies [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies]
04/02/2011 07:49 AM <JUNCTION> Local Settings [C:\Windows\system32\config\systemprofile\AppData\Local]
04/02/2011 07:49 AM <JUNCTION> My Documents [C:\Windows\system32\config\systemprofile\Documents]
04/02/2011 07:49 AM <JUNCTION> NetHood [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
04/02/2011 07:49 AM <JUNCTION> PrintHood [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
04/02/2011 07:49 AM <JUNCTION> Recent [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent]
04/02/2011 07:49 AM <JUNCTION> SendTo [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo]
04/02/2011 07:49 AM <JUNCTION> Start Menu [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu]
04/02/2011 07:49 AM <JUNCTION> Templates [C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Templates]
0 File(s) 0 bytes
Directory of C:\Windows\SysWOW64\config\systemprofile\AppData\Local
04/02/2011 07:49 AM <JUNCTION> Application Data [C:\Windows\system32\config\systemprofile\AppData\Local]
04/02/2011 07:49 AM <JUNCTION> History [C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History]
04/02/2011 07:49 AM <JUNCTION> Temporary Internet Files [C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files]
0 File(s) 0 bytes
Directory of C:\Windows\SysWOW64\config\systemprofile\Documents
04/02/2011 07:49 AM <JUNCTION> My Music [C:\Windows\system32\config\systemprofile\Music]
04/02/2011 07:49 AM <JUNCTION> My Pictures [C:\Windows\system32\config\systemprofile\Pictures]
04/02/2011 07:49 AM <JUNCTION> My Videos [C:\Windows\system32\config\systemprofile\Videos]
0 File(s) 0 bytes
Total Files Listed:
0 File(s) 0 bytes
83 Dir(s) 197,235,806,208 bytes free

========== Files - Unicode (All) ==========
[2013/02/02 20:39:38 | 000,000,145 | ---- | M] ()(C:\Users\Carl\Desktop\??, sk??? ?? ???? ??? ??? ? ? ????? - ?????, ?????, LPG, SUV, RV, ??, ???????, ???, ????????.url) -- C:\Users\Carl\Desktop\엔카, sk엔카에 찾는 중고차가 없으면 중고카 엔 카 중고자동차 - 중고차매매, 중고차시세, LPG, SUV, RV, 경차, 수입중고차시세, 시승기, 중고차시세표가격.url
[2013/02/02 20:39:38 | 000,000,145 | ---- | C] ()(C:\Users\Carl\Desktop\??, sk??? ?? ???? ??? ??? ? ? ????? - ?????, ?????, LPG, SUV, RV, ??, ???????, ???, ????????.url) -- C:\Users\Carl\Desktop\엔카, sk엔카에 찾는 중고차가 없으면 중고카 엔 카 중고자동차 - 중고차매매, 중고차시세, LPG, SUV, RV, 경차, 수입중고차시세, 시승기, 중고차시세표가격.url

========== Alternate Data Streams ==========

@Alternate Data Stream - 665 bytes -> C:\ProgramData\Temp:5C321E34
@Alternate Data Stream - 234 bytes -> C:\ProgramData\Temp:0FF263E8
@Alternate Data Stream - 167 bytes -> C:\ProgramData\Temp:F35A93AD

< End of report >


----------



## referee07 (Sep 11, 2003)

OTL Log Results Post #5:

OTL Extras logfile created on: 6/25/2014 10:30:35 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Carl\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17126)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.80 Gb Total Physical Memory | 1.25 Gb Available Physical Memory | 32.81% Memory free
7.60 Gb Paging File | 4.57 Gb Available in Paging File | 60.08% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.01 Gb Total Space | 184.07 Gb Free Space | 40.81% Space Free | Partition Type: NTFS

Computer Name: DELLNOTEBOOK | User Name: Carl | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

*64bit:* [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

*64bit:* [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.

========== Security Center Settings ==========

*64bit:* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

*64bit:* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

*64bit:* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

*64bit:* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater -- (Safer-Networking Ltd.)
"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service -- (Safer-Networking Ltd.)

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{03C04F92-8DE2-40A1-81BF-ED7F7F88B8DC}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{03D38C73-9C80-4797-B89B-C139AC4749AE}" = lport=51001 | protocol=6 | dir=in | name=dragon smart phone server | 
"{0CA33DB4-6C7B-437B-9817-956E0117EC8B}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) | 
"{12E8D9D3-0FE7-4BF5-A1E3-161E64F21603}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\outlook.exe | 
"{1749A9DB-3865-4532-AD95-9B655BEB0D8E}" = lport=51001 | protocol=6 | dir=in | name=dragon smart phone server | 
"{35D4974E-738F-4E19-86E1-E856CD2787C9}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 | 
"{393439C0-F5CE-4732-8454-D50B6E635DEB}" = rport=10243 | protocol=6 | dir=out | app=system | 
"{405A39FD-3859-45A2-B032-F9274EF2329E}" = rport=137 | protocol=17 | dir=out | app=system | 
"{4925D8B8-586D-420F-ADE1-D3A7CA194958}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) | 
"{4E5B09C3-BFA9-4C05-A830-9C5DA37C0D4C}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{4F72DE3F-60B3-41E0-B308-5F5D66A5F27D}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{6021D101-827A-4ADD-A349-61D332C853E4}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{6B16B64F-45C6-4475-B68A-5F9E312B9B45}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{7457E788-D186-4885-95D2-0013714E22BB}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{749811AF-8686-4AC9-BE03-7031C3EA0AA6}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{79911206-A411-4F24-8E59-F775DD31E0A2}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{8133A4EF-CDD0-4226-BE4C-D81152DE4ED7}" = lport=138 | protocol=17 | dir=in | app=system | 
"{81CC38AF-75BB-4590-B9C8-A75E36BF8631}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{94CAD1D2-D68F-41B6-B613-0B60437FBC7E}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{9796A9B8-300F-4EA0-B94E-BAFE3E3688A6}" = lport=33333 | protocol=6 | dir=in | name=goodsync server incoming connections | 
"{9869E49E-331A-45D3-AD74-47AB43C652F8}" = rport=139 | protocol=6 | dir=out | app=system | 
"{AAF95097-30E7-48D2-9622-F3361C4659B3}" = lport=33338 | protocol=17 | dir=in | name=goodsync server lan discovery | 
"{B153135C-787A-4549-83E9-544ADCDFE066}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{B2097EE3-2420-49D9-9997-FCBBDF3D063A}" = rport=445 | protocol=6 | dir=out | app=system | 
"{D21DB6D4-ACDB-451D-922F-688A21B65F11}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{D36DDFCF-6E6E-4606-9522-B31BA195885A}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office 15\root\office15\outlook.exe | 
"{D579CEE6-F5A8-4BF7-9754-4181649B5033}" = lport=137 | protocol=17 | dir=in | app=system | 
"{DB25E984-D247-4B4C-B78A-FE30097F8F2F}" = lport=139 | protocol=6 | dir=in | app=system | 
"{E0E1D6A9-DB69-4165-8600-D1896888F27D}" = lport=445 | protocol=6 | dir=in | app=system | 
"{F2956E39-F86B-498A-A919-52485CEC34D3}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{F9249840-A8C9-4C05-B3A9-77AE47788F35}" = rport=138 | protocol=17 | dir=out | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00771584-E019-4CDF-8DC1-0AEE78E3A2C6}" = protocol=6 | dir=in | app=c:\program files (x86)\lexmark 2600 series\lxdnmon.exe | 
"{00BEB535-DF0C-4C93-AE33-E909B6D7E761}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqtra08.exe | 
"{0544541E-64A8-4D47-A9E4-40C5ED95EDEE}" = dir=in | app=c:\program files\intel\wifi\bin\pandhcpdns.exe | 
"{0557A4B8-6A00-420F-9023-1D58930A2E0B}" = protocol=17 | dir=in | app=c:\program files (x86)\comodo\trustconnect\bin\trustconnectgui.exe | 
"{0706A1C3-04E0-40A1-AC3E-33594F0AD0C9}" = protocol=6 | dir=in | app=c:\program files (x86)\comodo\trustconnect\bin\trustconnectgui.exe | 
"{0A37ABFD-433E-4B8F-927F-CF67FDA82A87}" = protocol=1 | dir=out | [email protected],-28544 | 
"{0BCCB3A5-5A55-491B-A730-B8CC7A7940A7}" = protocol=6 | dir=in | app=c:\windows\system32\lxdncoms.exe | 
"{0CB0B915-4C3B-42EA-93E8-3BFD04B145F6}" = protocol=17 | dir=in | app=c:\windows\system32\lxdncoms.exe | 
"{153EF9AD-7924-4B24-87B1-49E6C47FACB6}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpofxm08.exe | 
"{1AFE780B-8BE3-4164-A9F7-6376599DD5B3}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\x64\3\lxdntime.exe | 
"{1CA695C1-2038-4762-8A41-AB10499CBDDA}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpofxs08.exe | 
"{2015C24B-87D2-476B-B6AE-85DCCBE2EC1A}" = protocol=17 | dir=in | app=c:\program files\siber systems\goodsync\gsexplorer.exe | 
"{21DC256A-3845-4A44-83C3-3D1B4746B91C}" = protocol=6 | dir=in | app=c:\program files (x86)\common files\acronis\syncagent\syncagentsrv.exe | 
"{2542A3EE-B8D7-4CAE-8E9A-B991AF9F8323}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpzwiz01.exe | 
"{263020D9-02AE-4730-A7DC-8098C5B433AB}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\x64\3\lxdnjswx.exe | 
"{27F3FD32-B082-4B56-92DE-B106E22DA588}" = dir=in | app=c:\windows\system32\spool\drivers\x64\3\lxdnpswx.exe | 
"{2C2EB52B-6491-4688-AC86-81E0CBC87E54}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe | 
"{32BB692B-7FAF-4E35-83A0-810DB21FF5DC}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe | 
"{34979DA8-4A10-4893-AED6-9A1295DF8D3A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{39ED545B-4351-40FC-8F03-08A7B4E779DB}" = protocol=17 | dir=in | app=c:\program files\siber systems\goodsync\gs-server.exe | 
"{3CCCA0C8-FDDC-4FE0-8BF7-2C2665D5D9EF}" = protocol=6 | dir=in | app=c:\program files (x86)\lexmark 2600 series\lxdnlscn.exe | 
"{414FC192-0359-4447-A653-1C9472A34A93}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{41C4BEE8-2CE7-4074-AC47-7F32CC2E9985}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqkygrp.exe | 
"{4237D774-FBEB-4E5E-B737-1186036726A4}" = dir=in | app=c:\windows\system32\lxdncoms.exe | 
"{45A9C471-26A4-4EED-BD2C-0EF746D6C2B7}" = protocol=6 | dir=in | app=c:\program files\siber systems\goodsync\gsexplorer.exe | 
"{488329BC-2476-48C7-84BA-673DD9491045}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe | 
"{49F10F1E-C01E-494B-9599-49305823199B}" = protocol=17 | dir=in | app=c:\windows\syswow64\lxdncoms.exe | 
"{51E80098-E56D-4A79-A48C-ABAA5483CB8C}" = protocol=6 | dir=in | app=c:\program files\siber systems\goodsync\goodsync.exe | 
"{562F2E5F-5194-42CE-85C1-7DFA5068733F}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpiscnapp.exe | 
"{5636D5B4-7630-46DE-BA2E-5A86B1F6D672}" = protocol=17 | dir=in | app=c:\program files (x86)\lexmark 2600 series\lxdnlscn.exe | 
"{589C23AD-FDC1-4290-971A-068E31EC4C62}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe | 
"{595588ED-4B2F-4DEF-97FE-B256321C58F5}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hposid01.exe | 
"{5C118786-A880-42AE-B407-26FDB240C1F2}" = protocol=6 | dir=out | app=system | 
"{5D54BD9A-F89C-44A5-9AAE-8671807AA40F}" = dir=in | app=c:\program files (x86)\windows live\mesh\moe.exe | 
"{5FC5BD5F-685E-493D-B5A7-3AC479CA7B13}" = protocol=1 | dir=in | [email protected],-28543 | 
"{62D39C01-7108-438A-952C-90045FD156D9}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{62E0B7A3-A139-4E46-89C4-8C496196049C}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpfccopy.exe | 
"{6706EA2F-3980-469A-AFDD-56663640126F}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\x64\3\lxdnpswx.exe | 
"{67B687D3-39EA-410A-9D83-928BB75D8A1F}" = dir=in | app=c:\windows\system32\spool\drivers\x64\3\lxdntime.exe | 
"{6B85F7EB-D90F-4666-A939-7F970C0F6D3D}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqfxt08.exe | 
"{72A2BBEF-54AB-4ED7-8701-C72A5451A0E0}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqgplgtupl.exe | 
"{79C3C407-BFD8-46F0-AA06-7DAA59F329AB}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{7BE06B45-2518-4EC9-8262-2F03C257A285}" = protocol=17 | dir=in | app=c:\program files (x86)\common files\acronis\syncagent\syncagentsrv.exe | 
"{7C4ED7DB-34FE-49FD-9A51-E047C14637D2}" = protocol=6 | dir=out | app=c:\program files (x86)\rosettastoneltdservices\rosettastoneltdservices.exe | 
"{7CC78036-5C7B-4B0E-9E79-9D16EF0A7C4B}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\x64\3\lxdntime.exe | 
"{83F131E1-F7E6-40F9-9479-41AE1AB1A124}" = protocol=6 | dir=in | app=c:\program files\microsoft office 15\root\office15\ucmapi.exe | 
"{8410DB40-F095-4E13-B939-9D3271553C7E}" = protocol=6 | dir=in | app=c:\program files\siber systems\goodsync\gs-server.exe | 
"{86922208-3072-4649-AEE2-0294300D7E88}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{86A0FCF7-7DE0-4756-A9A3-CC83A72A7C06}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpoews01.exe | 
"{8781DCE5-2565-4DFD-B1D5-657DA847E32E}" = protocol=17 | dir=in | app=c:\program files (x86)\lexmark 2600 series\lxdnmon.exe | 
"{89A36CB3-6AD7-47AF-921A-9D6A8333E87F}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{8B7F3A03-E927-4AA1-8AFD-2C5AA6E790B8}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{8C9F76BF-8A6D-4CE0-95BE-2248270F58A3}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{8FE09A9D-BD75-4A98-BABC-58FA68338E9F}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe | 
"{997EDD9D-89D2-422A-948C-D545F19C6570}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{9AC80FA0-136A-4D4E-A37D-0E96B7A750F9}" = protocol=17 | dir=in | app=c:\program files\siber systems\goodsync\goodsync.exe | 
"{9B02D207-A0BE-4812-8E42-584F35BDB626}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hposfx08.exe | 
"{9D8FB891-19CD-4518-AFE7-EF41E5468DE8}" = protocol=6 | dir=in | app=c:\windows\syswow64\lxdncoms.exe | 
"{A73EA7B6-DA16-464D-A381-D142DAA4C37B}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqgpc01.exe | 
"{A9AFD1F7-1382-4C84-AFDA-74E5780F4EAA}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{A9DBBBF9-22C2-4422-B110-73307A8E6881}" = dir=in | app=c:\program files (x86)\rosettastoneltdservices\rosettastonedaemon.exe | 
"{AC6DE193-468D-4CAF-B8BC-104632FDD677}" = protocol=6 | dir=in | app=c:\program files\microsoft office 15\root\office15\lync.exe | 
"{B38CA4FE-4276-4ED8-BD67-81CF9601E102}" = dir=in | app=c:\program files (x86)\rosettastoneltdservices\rosettastoneltdservices.exe | 
"{B46848C3-D7D2-441F-9028-BDB61C073F23}" = protocol=17 | dir=in | app=c:\program files\microsoft office 15\root\office15\ucmapi.exe | 
"{B5522A72-0260-468B-837B-4CEA9FFA127D}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe | 
"{BE874ADA-D6D1-49FE-99C1-FFA14754B60C}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe | 
"{C18891AB-3670-436E-996E-FF1A725ED784}" = protocol=6 | dir=in | app=c:\windows\system32\spool\drivers\x64\3\lxdnjswx.exe | 
"{C258087C-CC73-40BD-A5B4-C8D419CF4A6E}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\groove.exe | 
"{C6FBE077-D1B5-4A2A-B532-462AA78B15F8}" = dir=in | app=c:\windows\syswow64\lxdncoms.exe | 
"{CF6A2DED-5A9A-434C-997A-9A2846FDC649}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{D02E335B-1ED2-428D-B462-F7832626E3EF}" = protocol=6 | dir=out | app=c:\program files (x86)\rosettastoneltdservices\rosettastonedaemon.exe | 
"{D2329C31-690F-430F-B0D0-C988F0558955}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\groove.exe | 
"{D25A0198-4BBB-4D82-8E7F-17904D9D3697}" = protocol=58 | dir=out | [email protected],-28546 | 
"{D2FD28F9-BAC9-4F6B-9919-2BA644F82514}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe | 
"{D658A03F-DA54-4C3C-910C-AC6B55296C5B}" = protocol=58 | dir=in | [email protected],-28545 | 
"{D73FE1AE-A8A3-41F2-B518-F98DCA70F5FE}" = protocol=17 | dir=in | app=c:\windows\system32\spool\drivers\x64\3\lxdnpswx.exe | 
"{D78DAB58-F32D-449A-BF6E-422626B728AF}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{DA8973ED-D227-4D42-8D72-C73C8DEF9051}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqste08.exe | 
"{E2B7CF41-4D11-434F-8B9A-A4DD279E600B}" = protocol=17 | dir=in | app=c:\program files\microsoft office 15\root\office15\lync.exe | 
"{E4D96E5A-F700-4C28-8B39-18FC8E80E18F}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{E6E13BAB-97C6-4EFB-9E52-23CE56DBF5D6}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe | 
"{E91D08DA-5E64-4A5D-964A-C56440FACE34}" = dir=in | app=c:\program files (x86)\dell\videostage\videostage.exe | 
"{ECE03BE1-728D-417E-98C5-36387A45A6ED}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{F0BBD88F-60DA-48F0-9A0E-1BBB514504DB}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{F9ADEB55-634D-4FA4-8939-CA4A6D787142}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"TCP Query User{530F6D26-40F0-43AC-BD6F-3A2097785ED8}C:\program files (x86)\comodo\trustconnect\bin\trustconnectgui.exe" = protocol=6 | dir=in | app=c:\program files (x86)\comodo\trustconnect\bin\trustconnectgui.exe | 
"TCP Query User{6684B110-5053-4F07-95D8-CCE521AD3C6D}C:\program files (x86)\lexmark 2600 series\lxdnlscn.exe" = protocol=6 | dir=in | app=c:\program files (x86)\lexmark 2600 series\lxdnlscn.exe | 
"TCP Query User{A6A3ACA9-8B19-4625-8D98-E7E5B01E47F9}C:\program files (x86)\lexmark 2600 series\lxdnmon.exe" = protocol=6 | dir=in | app=c:\program files (x86)\lexmark 2600 series\lxdnmon.exe | 
"UDP Query User{06411993-AF4B-4299-B892-20ED4D6F56E1}C:\program files (x86)\comodo\trustconnect\bin\trustconnectgui.exe" = protocol=17 | dir=in | app=c:\program files (x86)\comodo\trustconnect\bin\trustconnectgui.exe | 
"UDP Query User{5B417280-8DB3-4425-82ED-01C7AB7C5D32}C:\program files (x86)\lexmark 2600 series\lxdnlscn.exe" = protocol=17 | dir=in | app=c:\program files (x86)\lexmark 2600 series\lxdnlscn.exe | 
"UDP Query User{FAE3B065-E2E6-4725-B8BB-EF10D086678E}C:\program files (x86)\lexmark 2600 series\lxdnmon.exe" = protocol=17 | dir=in | app=c:\program files (x86)\lexmark 2600 series\lxdnmon.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1A8BA6CE-822D-4888-89E2-ACBF4308F271}" = Intel(R) PROSet/Wireless WiFi Software
"{1B8ABA62-74F0-47ED-B18C-A43128E591B8}" = Windows Live ID Sign-in Assistant
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
"{48C0866E-57EB-444C-8371-8E4321066BC3}" = Network64
"{4A5A427F-BA39-4BF0-7777-9A47FBE60C9F}" = Visual C++ 9.0 Runtime for Dragon NaturallySpeaking 64bit (x64)
"{4AE29B5C-87B1-3C4E-8E15-17B83BA745CB}" = Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
"{5737101A-27C4-408A-8A57-D1DC78DF84B4}" = 64 Bit HP CIO Components Installer
"{5A68A656-979F-4168-8795-E2E368AA4DC2}" = iTunes
"{5EB6F3CB-46F4-451F-A028-7F6D8D35D7D0}" = Windows Live Language Selector
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{75F1B44E-307E-4615-8D7C-5052BDF1F17E}" = HP Officejet 4500 K710
"{787136D2-F0F8-4625-AA3F-72D7795AC842}" = Apple Mobile Device Support
"{7DEBE4EB-6B40-3766-BB35-5CBBC385DA37}" = Microsoft .NET Framework 4.5.1
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{87CF757E-C1F1-4D22-865C-00C6950B5258}" = Quickset64
"{89B0ECE0-A41F-4A45-98D9-D54C74338117}" = ESET NOD32 Antivirus
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}" = Dell Edoc Viewer
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
"{90150000-008F-0000-1000-0000000FF1CE}" = Office 15 Click-to-Run Licensing Component
"{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" = Microsoft .NET Framework 4.5.1
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9AF0B106-56F1-461B-A270-95BC1682E282}" = Broadcom Gigabit NetLink Controller
"{9E9D49A4-1DF4-4138-B7DB-5D87A893088E}" = WIDCOMM Bluetooth Software
"{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb" = Internet Explorer (Enable DEP)
"{B26B00DA-2E5D-4CF2-83C5-911198C0F009}" = GoodSync
"{BCC0552D-76C0-4130-BFBD-49BE49ACC594}" = COMODO Internet Security
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240DF}" = WinZip 18.0
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D8CC254C-C671-4664-9A38-FA368D1E2C97}" = SES Driver
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{E11448F2-0B44-4239-B04E-D88FE743E929}" = Officejet J4500 Series
"{E3047FA0-2D6B-4BD6-8CD4-599955F1CE9D}" = Microsoft Mouse and Keyboard Center
"422991454CB076E9B856C21BBF99AF2B82317EDA" = Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM (03/06/2009 1.0.0008.0)
"CCleaner" = CCleaner
"Driver Reviver" = Driver Reviver
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"Lexmark 2600 Series" = Lexmark 2600 Series
"Microsoft Mouse and Keyboard Center" = Microsoft Mouse and Keyboard Center
"Microsoft Visual Studio 2010 Tools for Office Runtime (x64)" = Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
"ProInst" = Intel PROSet Wireless
"ProPlusRetail - en-us" = Microsoft Office Professional Plus 2013 - en-us
"Registry Reviver" = Registry Reviver
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TAP-Windows" = TAP-Windows 9.9.2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{052bac4a-6f79-46d4-a024-1ce1b4f73cd4}" = Microsoft Visual C++ 2005 Redistributable
"{0A5825FD-0FB7-4e45-9037-858D463F2943}" = BPDSoftware
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0EF5BEA9-B9D3-46d7-8958-FB69A0BAEACC}" = Status
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1EC71BFB-01A3-4239-B6AF-B1AE656B15C0}" = TrayApp
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{26A24AE4-039D-4CA4-87B4-2F03217060FF}" = Java 7 Update 60
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{292F0F52-B62D-4E71-921B-89A682402201}" = Toolbox
"{2951A232-69BA-4925-BB9A-CEEB72B18B4F}" = BPDSoftware_Ini
"{29ACDA07-0CAD-4751-B3A4-3E03C5F74673}" = ParetoLogic Privacy Controls
"{2A0F2CC5-3065-492C-8380-B03AA7106B1A}" = Dell Product Registration
"{2FF8C687-DB7D-4adc-A5DC-57983EC25046}" = DeviceDiscovery
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{38379381-B56A-43e1-B505-3098D82B1C30}" = 4500K710_Software_Min
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{425F0DA2-EB68-491F-AFCB-ABD72DCAA06F}" = Weather Exchange
"{440B915A-0C85-45DB-92AE-75AE14704A64}" = Fax
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A5366E3-4713-4254-9E34-BA29F6CF4511}" = Hancom Office 2010 SE+ Viewer
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.11
"{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion
"{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"{572F2A62-70CD-4429-8758-6D4D6DC696E1}" = 4500_Help
"{5BB4D7C1-52F2-4BFD-9E40-0D419E2E3021}" = bpd_scan
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{6697D99E-E550-4498-B793-4A8DD8A1821F}" = ProductContext
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
"{6EB6293C-9286-4981-8672-956E1A92F33B}_is1" = StrongVPN Client version 1.2
"{6EF062EE-96E2-4C62-B282-5704487705B4}" = Byki
"{6F340107-F9AA-47C6-B54C-C3A19F11553F}" = Hewlett-Packard ACLM.NET v1.1.0.0
"{71012634-EAD3-420D-80E3-05F845A2894F}" = 4500_K710_Help_web
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{75BC2136-B6A1-4F3B-8A69-55E39C647B1F}" = True Image 2013
"{75BC2136-B6A1-4F3B-8A69-55E39C647B1F}Visible" = True Image 2013
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{820B6609-4C97-3A2B-B644-573B06A0F0CC}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{85A733B3-26CE-4d6d-BD78-14C060DBCB0A}" = 4500K710_Web
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8EE94FD8-5F52-4463-A340-185D16328158}" = WebReg
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90150000-008C-0000-0000-0000000FF1CE}" = Office 15 Click-to-Run Extensibility Component
"{90150000-008C-0409-0000-0000000FF1CE}" = Office 15 Click-to-Run Localization Component
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{91140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A33E7B0C-B99C-4EC9-B702-8A328B161AF9}" = Roxio Burn
"{A436F67F-687E-4736-BD2B-537121A804CF}" = HP Product Detection
"{A50DE037-B5C0-4C8A-8049-B0C576B313D1}" = Google+ Auto Backup
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AA31EA7B-7917-4000-949B-38E91F848A25}" = Internet Explorer
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AB2FDE4F-6BED-4E9E-B676-3DCCEBB1FBFE}" = Dell Home Systems Service Agreement
"{AB856C83-7CA0-4EB5-8D86-792B29EB4A10}" = MyDataBase
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.07)
"{AC76BA86-7AD7-5670-0000-A00000000003}" = Korean Fonts Support For Adobe Reader X
"{B2E47DE7-800B-40BB-BD1F-9F221C3AEE87}" = Roxio Burn
"{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1" = Spybot - Search & Destroy
"{B67BAFBA-4C9F-48FA-9496-933E3B255044}" = QuickTime
"{B99C051D-3603-4504-96FD-106893D55D60}" = Byki
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C7BA228D-D0E9-44E5-B0B6-7AD4B0D6EBB0}" = Business Plan Pro 2004
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D5D422B9-6976-4E98-8DDF-9632CB515D7E}" = Dragon NaturallySpeaking 12
"{D9DAD0FF-495A-472B-9F10-BAE430A26682}" = Apple Application Support
"{DCE0E79A-B9AC-41AC-98C1-7EF0538BCA7F}" = Dell VideoStage
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DEB1B275-809D-4442-AE06-EF72991538E9}" = Byki
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Graphics Media Accelerator Driver
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FA0FF682-CC70-4C57-93CD-E276F3E7537E}" = BufferChm
"{FD6034A3-655C-49F0-B496-D4CBFD74D7A7}" = Palm Desktop by ACCESS
"{FD9E03B5-AEEA-4D59-B512-6CE4AA0281D4}" = Byki
"{FDEC11CC-4BD6-4a8c-A398-3CCD8E43EACA}" = J4500
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FFF186B6-4D02-4D8D-A776-C43E062E01A9}" = Rosetta Stone Ltd Services
"Adobe Flash Player ActiveX" = Adobe Flash Player 13 ActiveX
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced SystemCare 7_is1" = Advanced SystemCare 7
"AI RoboForm" = RoboForm 7-9-7-5 (All Users)
"AudibleDownloadManager" = Audible Download Manager
"Belarc Advisor" = Belarc Advisor 8.3
"Byki Deluxe" = Byki Deluxe
"Comodo Dragon" = Comodo Dragon
"Comodo TrustConnect™_is1" = Comodo TrustConnect™ v.1.7.3
"Dell Webcam Central" = Dell Webcam Central
"FileZilla Client" = FileZilla Client 3.7.1.1
"GoToAssist" = GoToAssist Corporate
"Hancom HOffice 2010 Viewer Korean" = Hancom Office 2010 SE+ Viewer
"InstallShield_{54DE0B75-6CD9-44C4-B10A-1F25DA9899D8}" = Quicken 2004
"InstallShield_{DCE0E79A-B9AC-41AC-98C1-7EF0538BCA7F}" = Dell VideoStage
"IObit Surfing Protection_is1" = Surfing Protection
"IObitUninstall" = IObit Uninstaller
"Magic DVD Copier_is1" = Magic DVD Copier V6.1.0
"Magic DVD Ripper_is1" = Magic DVD Ripper V6.1.0
"Malwarebytes Anti-Malware_is1" = Malwarebytes Anti-Malware version 2.0.2.1012
"MediaWidget - Easy iPod Transfer_is1" = MediaWidget 6.0
"Office14.PROPLUSR" = Microsoft Office Professional Plus 2010
"Password Safe" = Password Safe
"Picasa 3" = Picasa 3
"RealPlayer 12.0" = RealPlayer
"SpywareBlaster_is1" = SpywareBlaster 5.0
"TheSage" = TheSage
"TreePadPLUS" = TreePad PLUS 7.7
"WinLiveSuite" = Windows Live Essentials
"WordWeb" = WordWeb Pro
"WYO Home Inventory" = WYO Home Inventory 4.20


----------



## referee07 (Sep 11, 2003)

OTL Log Results Post #6:

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"52f1a0d031bc4480" = ITunes Duplicate Remover
"bd4d3a0508d364f5" = Dell Driver Download Manager
"UnityWebPlayer" = Unity Web Player

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 6/25/2014 3:54:21 AM | Computer Name = DellNotebook | Source = Windows Search Service | ID = 7042
Description =

Error - 6/25/2014 3:54:22 AM | Computer Name = DellNotebook | Source = Windows Search Service | ID = 9002
Description =

Error - 6/25/2014 3:54:22 AM | Computer Name = DellNotebook | Source = Windows Search Service | ID = 3029
Description =

Error - 6/25/2014 3:54:25 AM | Computer Name = DellNotebook | Source = Windows Search Service | ID = 3029
Description =

Error - 6/25/2014 3:54:25 AM | Computer Name = DellNotebook | Source = Windows Search Service | ID = 3028
Description =

Error - 6/25/2014 3:54:25 AM | Computer Name = DellNotebook | Source = Windows Search Service | ID = 3058
Description =

Error - 6/25/2014 3:54:25 AM | Computer Name = DellNotebook | Source = Windows Search Service | ID = 7010
Description =

Error - 6/25/2014 3:59:18 AM | Computer Name = DellNotebook | Source = VSS | ID = 8194
Description =

Error - 6/25/2014 5:01:19 AM | Computer Name = DellNotebook | Source = SideBySide | ID = 16842832
Description = Activation context generation failed for "C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\dragon_support_packager.exe".Error
in manifest or policy file "" on line . A component version required by the application
conflicts with another component version already active. Conflicting components 
are:. Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component
2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error - 6/25/2014 9:10:17 AM | Computer Name = DellNotebook | Source = ESENT | ID = 455
Description = taskhost (2584) WebCacheLocal: Error -1811 occurred while opening 
logfile C:\Users\Carl\AppData\Local\Microsoft\Windows\WebCache\V01001A7.log.

[ Dell Events ]
Error - 11/12/2011 5:05:31 AM | Computer Name = DellNotebook | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

Error - 12/2/2011 6:14:17 AM | Computer Name = DellNotebook | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

Error - 12/2/2011 6:14:17 AM | Computer Name = DellNotebook | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

Error - 12/2/2011 7:17:37 PM | Computer Name = DellNotebook | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

Error - 12/2/2011 7:17:37 PM | Computer Name = DellNotebook | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

Error - 12/3/2011 10:16:14 PM | Computer Name = DellNotebook | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

Error - 12/3/2011 10:16:14 PM | Computer Name = DellNotebook | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

Error - 12/19/2011 6:13:55 PM | Computer Name = DellNotebook | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

Error - 12/19/2011 6:13:55 PM | Computer Name = DellNotebook | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

Error - 12/19/2011 6:56:02 PM | Computer Name = DellNotebook | Source = DataSafe | ID = 17
Description = The process was interrupted before completion.

[ Hewlett-Packard Events ]
Error - 4/16/2011 8:23:33 PM | Computer Name = DellNotebook | Source = Hewlett-Packard | ID = 0
Description = en-US Object reference not set to an instance of an object. HPSF at
HPAssistant.Pages.Assist.Contact.bgContacts_RunWorkerCompleted(Object sender, RunWorkerCompletedEventArgs
e)

Error - 4/16/2011 8:24:04 PM | Computer Name = DellNotebook | Source = Hewlett-Packard | ID = 0
Description = en-US Object reference not set to an instance of an object. HPSF at
HPAssistant.Pages.Assist.Contact.bgContacts_RunWorkerCompleted(Object sender, RunWorkerCompletedEventArgs
e)

Error - 4/16/2011 8:38:03 PM | Computer Name = DellNotebook | Source = Hewlett-Packard | ID = 0
Description = en-US Object reference not set to an instance of an object. HPSF at
HPAssistant.Pages.Assist.Contact.bgContacts_RunWorkerCompleted(Object sender, RunWorkerCompletedEventArgs
e)

[ Media Center Events ]
Error - 5/23/2012 4:39:54 AM | Computer Name = DellNotebook | Source = MCUpdate | ID = 0
Description = 5:39:47 PM - Failed to retrieve SportsSchedule-2.enc (Error: HTTP 
status 404: The requested URL does not exist on the server. )

Error - 5/23/2012 7:02:06 AM | Computer Name = DellNotebook | Source = MCUpdate | ID = 0
Description = 8:02:06 PM - Failed to retrieve SportsSchedule-2.enc (Error: HTTP 
status 404: The requested URL does not exist on the server. )

Error - 6/3/2012 7:22:04 AM | Computer Name = DellNotebook | Source = MCUpdate | ID = 0
Description = 8:22:04 PM - Error connecting to the internet. 8:22:04 PM - Unable
to contact server..

Error - 6/3/2012 7:22:22 AM | Computer Name = DellNotebook | Source = MCUpdate | ID = 0
Description = 8:22:09 PM - Error connecting to the internet. 8:22:09 PM - Unable
to contact server..

Error - 6/3/2012 8:29:15 AM | Computer Name = DellNotebook | Source = MCUpdate | ID = 0
Description = 9:29:14 PM - Error connecting to the internet. 9:29:14 PM - Unable
to contact server..

Error - 6/3/2012 8:30:12 AM | Computer Name = DellNotebook | Source = MCUpdate | ID = 0
Description = 9:29:22 PM - Error connecting to the internet. 9:29:22 PM - Unable
to contact server..

Error - 6/3/2012 9:30:50 AM | Computer Name = DellNotebook | Source = MCUpdate | ID = 0
Description = 10:30:50 PM - Error connecting to the internet. 10:30:50 PM - Unable
to contact server..

Error - 6/3/2012 9:31:01 AM | Computer Name = DellNotebook | Source = MCUpdate | ID = 0
Description = 10:30:55 PM - Error connecting to the internet. 10:30:55 PM - Unable
to contact server..

Error - 6/3/2012 10:31:40 AM | Computer Name = DellNotebook | Source = MCUpdate | ID = 0
Description = 11:31:40 PM - Error connecting to the internet. 11:31:40 PM - Unable
to contact server..

Error - 6/3/2012 10:31:50 AM | Computer Name = DellNotebook | Source = MCUpdate | ID = 0
Description = 11:31:45 PM - Error connecting to the internet. 11:31:45 PM - Unable
to contact server..

[ System Events ]
Error - 6/24/2014 11:21:42 AM | Computer Name = DellNotebook | Source = DCOM | ID = 10010
Description =

Error - 6/24/2014 11:22:33 AM | Computer Name = DellNotebook | Source = Microsoft-Windows-WindowsUpdateClient | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070002: Definition Update for Windows Defender - KB915597 (Definition
1.177.628.0).

Error - 6/25/2014 3:50:48 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the lxdnCATSCustConnectService
service to connect.

Error - 6/25/2014 3:50:48 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7000
Description = The lxdnCATSCustConnectService service failed to start due to the 
following error: %%1053

Error - 6/25/2014 3:51:25 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D
2 Scanner Service service to connect.

Error - 6/25/2014 3:51:25 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7000
Description = The Spybot-S&D 2 Scanner Service service failed to start due to the
following error: %%1053

Error - 6/25/2014 3:52:38 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D
2 Updating Service service to connect.

Error - 6/25/2014 3:52:38 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7000
Description = The Spybot-S&D 2 Updating Service service failed to start due to the
following error: %%1053

Error - 6/25/2014 3:54:25 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7024
Description = The Windows Search service terminated with service-specific error 
%%-1073473535.

Error - 6/25/2014 3:54:25 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7031
Description = The Windows Search service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 30000 milliseconds:
Restart the service.

Error - 6/25/2014 9:03:41 AM | Computer Name = DellNotebook | Source = DCOM | ID = 10010
Description =

Error - 6/25/2014 9:05:53 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7043
Description = The Acronis Nonstop Backup Service service did not shut down properly
after receiving a preshutdown control.

Error - 6/25/2014 9:08:51 AM | Computer Name = DellNotebook | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!

Error - 6/25/2014 9:09:58 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the lxdnCATSCustConnectService
service to connect.

Error - 6/25/2014 9:09:58 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7000
Description = The lxdnCATSCustConnectService service failed to start due to the 
following error: %%1053

Error - 6/25/2014 9:10:34 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D
2 Scanner Service service to connect.

Error - 6/25/2014 9:10:34 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7000
Description = The Spybot-S&D 2 Scanner Service service failed to start due to the
following error: %%1053

Error - 6/25/2014 9:11:52 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D
2 Updating Service service to connect.

Error - 6/25/2014 9:11:52 AM | Computer Name = DellNotebook | Source = Service Control Manager | ID = 7000
Description = The Spybot-S&D 2 Updating Service service failed to start due to the
following error: %%1053

< End of report >


----------



## eddie5659 (Mar 19, 2001)

Thanks for the logs 

Okay, firstly, can you uninstall these via Programs and Features in the Control Panel:

- Advanced SystemCare 7
- Surfing Protection
- IObit Uninstaller

====================

Then, we're going to run OTL again, but to fix some of the issues 
Run OTL 

Under the *Custom Scans/Fixes* box at the bottom, paste in the following 

```
:Commands
[CREATERESTOREPOINT] 
:OTL
PRC - [2014/05/06 18:23:52 | 000,781,600 | ---- | M] (IObit) -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\Monitor.exe
PRC - [2014/04/21 18:05:56 | 002,295,584 | ---- | M] (IObit) -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe
PRC - [2014/01/14 14:50:06 | 000,881,952 | ---- | M] (IObit) -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe
MOD - [2013/01/15 18:48:26 | 000,348,992 | ---- | M] () -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\madexcept_.bpl
MOD - [2013/01/15 18:48:26 | 000,051,008 | ---- | M] () -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\maddisAsm_.bpl
MOD - [2013/01/15 18:48:24 | 000,183,616 | ---- | M] () -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\madbasic_.bpl
MOD - [2013/01/15 18:47:56 | 000,893,248 | ---- | M] () -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\webres.dll
SRV - [2014/01/14 14:50:06 | 000,881,952 | ---- | M] (IObit) [Auto | Running] -- C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe -- (AdvancedSystemCareService7)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
O2:64bit: - BHO: (ExplorerWnd Helper) - {10921475-03CE-4E04-90CE-E2E7EF20C814} - C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll (IObit)
O2 - BHO: (Ads Removal) - {9D974C8C-6D92-44FB-BEAF-B45A1C0CF17F} - C:\Program Files (x86)\IObit\IObit Malware Fighter\adsremoval\IE\Adblock.dll (Adblock)
O2 - BHO: (Advanced SystemCare Browser Protection) - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll (IObit)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\S-1-5-21-1817415294-4033379586-1234686743-1000..\Run: [Advanced SystemCare 7] C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe (IObit)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O9:64bit: - Extra Button: @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - Reg Error: Value error. File not found
O9:64bit: - Extra 'Tools' menuitem : @C:\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: PrivDog - {2F5C139F-79BD-4C84-A95A-E7140525BC55} - Reg Error: Key error. File not found
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://oas.support.microsoft.com/ActiveX/MSDcode.cab (Reg Error: Value error.)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofil...SystemLite.CAB (Reg Error: Value error.)
O18:64bit: - Protocol\Handler\belarc - No CLSID value found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\osf - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\gopher - No CLSID value found
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
[2014/06/21 12:30:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller
[2014/06/21 12:30:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 7
[2 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2014/06/25 21:26:15 | 000,002,171 | ---- | M] () -- C:\Users\Public\Desktop\Advanced SystemCare 7.lnk
[2014/06/21 12:30:59 | 000,001,194 | ---- | M] () -- C:\Users\Public\Desktop\IObit Uninstaller.lnk
[2014/03/06 20:45:16 | 000,000,000 | ---D | M] -- C:\Users\Carl\AppData\Roaming\IObit
[2013/04/24 08:29:25 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\IObit
[2013/04/24 08:29:25 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\IObit
[99 C:\Windows\Installer\*.tmp files -> C:\Windows\Installer\*.tmp -> ]
[2014/06/21 12:31:08 | 000,003,092 | ---- | M] () -- C:\Windows\SysNative\tasks\ASC7_PerformanceMonitor
[2014/06/21 12:30:43 | 000,002,852 | ---- | M] () -- C:\Windows\SysNative\tasks\ASC7_SkipUac_Carl
[2014/06/21 12:31:00 | 000,002,884 | ---- | M] () -- C:\Windows\SysNative\tasks\Uninstaller_SkipUac_Administrator
@Alternate Data Stream - 665 bytes -> C:\ProgramData\Temp:5C321E34
@Alternate Data Stream - 234 bytes -> C:\ProgramData\Temp:0FF263E8
@Alternate Data Stream - 167 bytes -> C:\ProgramData\Temp:F35A93AD
:Files
ipconfig /flushdns /c
:Commands
[emptytemp]
[purity]
```
 *NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system*
Then click the *Run Fix* button at the top 
Click OK.
Let the program run unhindered, reboot when it is done
It will produce a log for you on reboot, please post that log in your next reply. The log is saved in the same location as OTL.

==================

Then, see if you can start Malwarebytes' Anti-Malware and run a scan as follows:


Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*

=============

And then this program as well:

Go here, to download and save *AdwCleaner.exe* to your desktop.



Just click on the *Download Now @BleepingComputer*

Note: It looks like a gray bug with 6 black legs.

Close all open windows first, then double-click *AdwCleaner.exe* to load its main window.

Click the *Scan* button, then click "OK".

Allow the scan process to finish.

If it appears to freeze, be patient for a few minutes.

When it's finished, click on the *Report* button.

Return here to your thread, then copy-and-paste the ENTIRE log here

-------------

So, there will be 3 logs to post; one for OTL, one for MBAM, and one for AdwCleaner 

eddie


----------



## referee07 (Sep 11, 2003)

eddie5659, thanks again for the reply. Below are the logs that you requested. I still was not able to open Malwarebytes after running OTL again using the above code.

All processes killed
Error: Unable to interpret <Code:> in the current context!
Error: Unable to interpret <---------> in the current context!
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
No active process named ASCService.ex was found!
64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\ not found.
File C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D974C8C-6D92-44FB-BEAF-B45A1C0CF17F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9D974C8C-6D92-44FB-BEAF-B45A1C0CF17F}\ deleted successfully.
C:\Program Files (x86)\IObit\IObit Malware Fighter\adsremoval\IE\Adblock.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\ not found.
C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll moved successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Advanced SystemCare 7 not found.
File C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe not found.
Registry value HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktop deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{A95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A95fe080-8f5d-11d2-a20b-00aa003c157a}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2F5C139F-79BD-4C84-A95A-E7140525BC55}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2F5C139F-79BD-4C84-A95A-E7140525BC55}\ not found.
Starting removal of ActiveX control {0742B9EF-8C83-41CA-BFBA-830A59E23533}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0742B9EF-8C83-41CA-BFBA-830A59E23533}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0742B9EF-8C83-41CA-BFBA-830A59E23533}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0742B9EF-8C83-41CA-BFBA-830A59E23533}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0742B9EF-8C83-41CA-BFBA-830A59E23533}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0742B9EF-8C83-41CA-BFBA-830A59E23533}\ not found.
Starting removal of ActiveX control {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\belarc\ deleted successfully.
File Protocol\Handler\belarc - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\livecall\ deleted successfully.
File Protocol\Handler\livecall - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.
File Protocol\Handler\ms-help - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msnim\ deleted successfully.
File Protocol\Handler\msnim - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\osf\ deleted successfully.
File Protocol\Handler\osf - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype4com\ deleted successfully.
File Protocol\Handler\skype4com - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype-ie-addon-data\ deleted successfully.
File Protocol\Handler\skype-ie-addon-data - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlmailhtml\ deleted successfully.
File Protocol\Handler\wlmailhtml - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\wlpg\ deleted successfully.
File Protocol\Handler\wlpg - No CLSID value found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\gopher\ deleted successfully.
File Protocol\Handler\gopher - No CLSID value found not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon\ deleted successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller\ not found.
Folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 7\ not found.
C:\ProgramData\SPL1739.tmp deleted successfully.
C:\ProgramData\SPLDE11.tmp deleted successfully.
C:\Windows\SysNative\SETA1D8.tmp deleted successfully.
C:\Windows\msdownld.tmp folder deleted successfully.
File C:\Users\Public\Desktop\Advanced SystemCare 7.lnk not found.
File C:\Users\Public\Desktop\IObit Uninstaller.lnk not found.
C:\Users\Carl\AppData\Roaming\IObit\Smart Defrag 3 folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\IObit Uninstaller\Log folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\IObit Uninstaller folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\IObit Malware Fighter folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7\Temp folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7\ProgramDeactivator folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7\Log folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7\Internet Booster folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7\Homepage Protection folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7\Boottime folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7\Backup folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7 folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V6\Temp folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V6\Log folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V6\Internet Booster folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V6\Boottime folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V6\Backup folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V6 folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\Toolbox folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\SmartRAM folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\SecurityHoles folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\Registrycleaner\backup\Registry folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\Registrycleaner\backup folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\Registrycleaner folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\PrivacySweeper folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\Log folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\EmptyFolder folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\Driver Manager\DriverBackup folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\Driver Manager folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\Disk Cleaner folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\Boottime folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5\Backup folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5 folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V4\Toolbox folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V4\Registrycleaner\backup folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V4\Registrycleaner folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V4\PrivacySweeper folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V4\PMonitor folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V4\Log folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V4\Backup folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V4 folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit folder moved successfully.
C:\Users\Default\AppData\Roaming\IObit\Advanced SystemCare V6 folder moved successfully.
C:\Users\Default\AppData\Roaming\IObit\Advanced SystemCare V5\Boottime folder moved successfully.
C:\Users\Default\AppData\Roaming\IObit\Advanced SystemCare V5 folder moved successfully.
C:\Users\Default\AppData\Roaming\IObit folder moved successfully.
Folder C:\Users\Default User\AppData\Roaming\IObit\ not found.
C:\Windows\Installer\MSI1048.tmp deleted successfully.
C:\Windows\Installer\MSI1316.tmp deleted successfully.
C:\Windows\Installer\MSI14FB.tmp deleted successfully.
C:\Windows\Installer\MSI1811.tmp deleted successfully.
C:\Windows\Installer\MSI1BF8.tmp deleted successfully.
C:\Windows\Installer\MSI2286.tmp deleted successfully.
C:\Windows\Installer\MSI27AD.tmp deleted successfully.
C:\Windows\Installer\MSI29D3.tmp deleted successfully.
C:\Windows\Installer\MSI2ACD.tmp deleted successfully.
C:\Windows\Installer\MSI2C6D.tmp deleted successfully.
C:\Windows\Installer\MSI3075.tmp deleted successfully.
C:\Windows\Installer\MSI3207.tmp deleted successfully.
C:\Windows\Installer\MSI33DB.tmp deleted successfully.
C:\Windows\Installer\MSI3597.tmp deleted successfully.
C:\Windows\Installer\MSI39E9.tmp deleted successfully.
C:\Windows\Installer\MSI3F19.tmp deleted successfully.
C:\Windows\Installer\MSI3F41.tmp deleted successfully.
C:\Windows\Installer\MSI3FDB.tmp deleted successfully.
C:\Windows\Installer\MSI405A.tmp deleted successfully.
C:\Windows\Installer\MSI4275.tmp deleted successfully.
C:\Windows\Installer\MSI4355.tmp deleted successfully.
C:\Windows\Installer\MSI4367.tmp deleted successfully.
C:\Windows\Installer\MSI4C81.tmp deleted successfully.
C:\Windows\Installer\MSI4CAD.tmp deleted successfully.
C:\Windows\Installer\MSI50D8.tmp deleted successfully.
C:\Windows\Installer\MSI5208.tmp deleted successfully.
C:\Windows\Installer\MSI533.tmp deleted successfully.
C:\Windows\Installer\MSI54A7.tmp deleted successfully.
C:\Windows\Installer\MSI582E.tmp deleted successfully.
C:\Windows\Installer\MSI5968.tmp deleted successfully.
C:\Windows\Installer\MSI5A21.tmp deleted successfully.
C:\Windows\Installer\MSI5C26.tmp deleted successfully.
C:\Windows\Installer\MSI5D05.tmp deleted successfully.
C:\Windows\Installer\MSI5DE9.tmp deleted successfully.
C:\Windows\Installer\MSI5E5E.tmp deleted successfully.
C:\Windows\Installer\MSI5FF4.tmp deleted successfully.
C:\Windows\Installer\MSI60AB.tmp deleted successfully.
C:\Windows\Installer\MSI63B8.tmp deleted successfully.
C:\Windows\Installer\MSI64BE.tmp deleted successfully.
C:\Windows\Installer\MSI6664.tmp deleted successfully.
C:\Windows\Installer\MSI6843.tmp deleted successfully.
C:\Windows\Installer\MSI6855.tmp deleted successfully.
C:\Windows\Installer\MSI6A3F.tmp deleted successfully.
C:\Windows\Installer\MSI6A79.tmp deleted successfully.
C:\Windows\Installer\MSI6BA6.tmp deleted successfully.
C:\Windows\Installer\MSI6E46.tmp deleted successfully.
C:\Windows\Installer\MSI6E5E.tmp deleted successfully.
C:\Windows\Installer\MSI6F5B.tmp deleted successfully.
C:\Windows\Installer\MSI7337.tmp deleted successfully.
C:\Windows\Installer\MSI77C2.tmp deleted successfully.
C:\Windows\Installer\MSI78A7.tmp deleted successfully.
C:\Windows\Installer\MSI7B7B.tmp deleted successfully.
C:\Windows\Installer\MSI7B99.tmp deleted successfully.
C:\Windows\Installer\MSI858A.tmp deleted successfully.
C:\Windows\Installer\MSI8B01.tmp deleted successfully.
C:\Windows\Installer\MSI8CE9.tmp deleted successfully.
C:\Windows\Installer\MSI8FDF.tmp deleted successfully.
C:\Windows\Installer\MSI9064.tmp deleted successfully.
C:\Windows\Installer\MSI91C0.tmp deleted successfully.
C:\Windows\Installer\MSI9412.tmp deleted successfully.
C:\Windows\Installer\MSI9619.tmp deleted successfully.
C:\Windows\Installer\MSI98DF.tmp deleted successfully.
C:\Windows\Installer\MSI9AB4.tmp deleted successfully.
C:\Windows\Installer\MSI9CC.tmp deleted successfully.
C:\Windows\Installer\MSIA0A7.tmp deleted successfully.
C:\Windows\Installer\MSIA298.tmp deleted successfully.
C:\Windows\Installer\MSIAD48.tmp deleted successfully.
C:\Windows\Installer\MSIB03F.tmp deleted successfully.
C:\Windows\Installer\MSIB1E7.tmp deleted successfully.
C:\Windows\Installer\MSIB493.tmp deleted successfully.
C:\Windows\Installer\MSIB5CF.tmp deleted successfully.
C:\Windows\Installer\MSIB63.tmp deleted successfully.
C:\Windows\Installer\MSIBCF1.tmp deleted successfully.
C:\Windows\Installer\MSIBDDC.tmp deleted successfully.
C:\Windows\Installer\MSIBEBE.tmp deleted successfully.
C:\Windows\Installer\MSIBFEF.tmp deleted successfully.
C:\Windows\Installer\MSIC22B.tmp deleted successfully.
C:\Windows\Installer\MSIC3FD.tmp deleted successfully.
C:\Windows\Installer\MSIC58E.tmp deleted successfully.
C:\Windows\Installer\MSIC7B6.tmp deleted successfully.
C:\Windows\Installer\MSIC97B.tmp deleted successfully.
C:\Windows\Installer\MSICD66.tmp deleted successfully.
C:\Windows\Installer\MSID0A8.tmp deleted successfully.
C:\Windows\Installer\MSIDB83.tmp deleted successfully.
C:\Windows\Installer\MSIDBF8.tmp deleted successfully.
C:\Windows\Installer\MSIDD19.tmp deleted successfully.
C:\Windows\Installer\MSIE0CC.tmp deleted successfully.
C:\Windows\Installer\MSIE140.tmp deleted successfully.
C:\Windows\Installer\MSIE243.tmp deleted successfully.
C:\Windows\Installer\MSIE372.tmp deleted successfully.
C:\Windows\Installer\MSIE42E.tmp deleted successfully.
C:\Windows\Installer\MSIE522.tmp deleted successfully.
C:\Windows\Installer\MSIE558.tmp deleted successfully.
C:\Windows\Installer\MSIE61B.tmp deleted successfully.
C:\Windows\Installer\MSIEE49.tmp deleted successfully.
C:\Windows\Installer\MSIF28E.tmp deleted successfully.
C:\Windows\Installer\MSIF651.tmp deleted successfully.
C:\Windows\Installer\MSIFE5D.tmp deleted successfully.
C:\Windows\Installer\MSIFF19.tmp deleted successfully.
File C:\Windows\SysNative\tasks\ASC7_PerformanceMonitor not found.
File C:\Windows\SysNative\tasks\ASC7_SkipUac_Carl not found.
File C:\Windows\SysNative\tasks\Uninstaller_SkipUac_Administrator not found.
Unable to delete ADS C:\ProgramData\Temp:5C321E34 @Alternate Data Stream - 234 bytes -> C:\ProgramData\Temp:0FF263E8 @Alternate Data Stream - 167 bytes -> C:\ProgramData\Temp:F35A93AD :Files ipconfig /flushdns /c :Commands [emptytemp] [purity] .

OTL by OldTimer - Version 3.2.69.0 log created on 06272014_210615

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

# AdwCleaner v3.213 - Report created 27/06/2014 at 21:24:40
# Updated 23/06/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Carl - DELLNOTEBOOK
# Running from : C:\Users\Carl\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Windows\System32\Tasks\paretologic registration3
File Found : C:\Windows\Tasks\paretologic registration3.job
Folder Found : C:\Program Files (x86)\Common Files\ParetoLogic
Folder Found : C:\Program Files (x86)\ParetoLogic
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ParetoLogic
Folder Found : C:\ProgramData\ParetoLogic
Folder Found : C:\Users\Carl\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkcefkcdkepgkpbgncjchhbjgoanleod
Folder Found : C:\Users\Carl\AppData\Roaming\ParetoLogic

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\ParetoLogic
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\ParetoLogic
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\askchecker_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\askchecker_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\robotaskbaricon_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\robotaskbaricon_RASMANCS
Key Found : HKLM\Software\ParetoLogic

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17126

-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [2100 octets] - [27/06/2014 21:24:40]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2160 octets] ##########


----------
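An added example (not part of the thread and not OTL's own code): a triage pass over an OTL fix log like the one posted above. It tallies outcomes and flags any result line that has swallowed script directives such as `:Files` or `:Commands`, which means those directives were read as part of a file name and never ran. The sample lines are copied from the log above; the outcome patterns and the function names are assumptions based only on the wording visible in that log.

```python
import re
from collections import Counter

# Sample input: a selection of lines copied from the OTL fix log posted above.
SAMPLE_LOG = r"""All processes killed
Error: Unable to interpret <Code:> in the current context!
Error: Unable to interpret <---------> in the current context!
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
No active process named ASCService.ex was found!
64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@microsoft.com/GENUINE\ deleted successfully.
File C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll not found.
C:\Program Files (x86)\IObit\IObit Malware Fighter\adsremoval\IE\Adblock.dll moved successfully.
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0742B9EF-8C83-41CA-BFBA-830A59E23533}\DownloadInformation\\INF .
File Protocol\Handler\belarc - No CLSID value found not found.
C:\ProgramData\SPL1739.tmp deleted successfully.
Unable to delete ADS C:\ProgramData\Temp:5C321E34 @Alternate Data Stream - 234 bytes -> C:\ProgramData\Temp:0FF263E8 @Alternate Data Stream - 167 bytes -> C:\ProgramData\Temp:F35A93AD :Files ipconfig /flushdns /c :Commands [emptytemp] [purity] .
"""

# Outcome wording as it appears in that log (an assumption about OTL's output
# format, not taken from OTL documentation). The first matching rule wins.
RULES = [
    ("error", re.compile(r"^(Error:|Registry error) ")),
    ("failed", re.compile(r"^Unable to ")),
    ("no_process", re.compile(r"^No active process named ")),
    ("not_found", re.compile(r" not found\.$")),
    ("deleted", re.compile(r" deleted successfully\.$")),
    ("moved", re.compile(r" moved successfully\.$")),
]

# Section banners such as "========== OTL ==========" carry no outcome.
SECTION = re.compile(r"^=+ .+ =+$")

# Script directives seen in the fix script on this page. When one of them shows
# up inside a result line, the script lost its line breaks at that point.
DIRECTIVE = re.compile(
    r"(?<!\S)(:Files|:Commands|\[emptytemp\]|\[purity\])(?!\S)", re.I
)

# path:streamname pairs, e.g. C:\ProgramData\Temp:5C321E34
ADS = re.compile(r"([A-Za-z]:\\\S*?):(\w+)(?=\s|$)")


def classify(line):
    """Return the outcome label for one log line."""
    for name, pattern in RULES:
        if pattern.search(line):
            return name
    return "other"


def triage(log_text):
    """Tally outcomes and collect lines that swallowed script directives."""
    counts = Counter()
    swallowed = []
    for number, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line or SECTION.match(line):
            continue
        counts[classify(line)] += 1
        directives = DIRECTIVE.findall(line)
        if directives:
            swallowed.append({
                "line": number,
                "directives": directives,
                # Streams named on the same line were not removed either.
                "streams": [f"{path}:{name}" for path, name in ADS.findall(line)],
            })
    return counts, swallowed


if __name__ == "__main__":
    counts, swallowed = triage(SAMPLE_LOG)
    for label, total in sorted(counts.items()):
        print(f"{label:>10}: {total}")
    for hit in swallowed:
        print(f"line {hit['line']}: directives not executed: {hit['directives']}")
        print(f"  streams still to check: {hit['streams']}")
```

On the log above, the flagged line shows that the three alternate data streams, the `ipconfig /flushdns` step and the `[emptytemp]` and `[purity]` commands were never processed, so the fix needs re-running with the script's line breaks intact.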



## referee07 (Sep 11, 2003)

eddie5659, I do have a question. You asked me again to remove the IObit programs. Are they a problem? Thanks.


----------



## eddie5659 (Mar 19, 2001)

For the IObit, many security removal experts remove these programs. They're well known to cause slowness, incompatibility issues, and other things.

This may also be one of the reasons why MBAM won't run, as it may be conflicting.

Using other programs like MBAM and a decent antivirus program/firewall, which you already have (Comodo Firewall and ESET NOD32 Antivirus 7.0), is far better in my opinion.

---

As for AdwCleaner, can you run this for me:

Re-run AdwCleaner with the *Scan* option. After it's finished scanning, click the *Clean* button.

Allow the cleaning process to finish.

If it appears to freeze, be patient for a few minutes.

When it's finished, click on the *Report* button.

Return here to your thread, then copy-and-paste the ENTIRE log here

Thanks

eddie


----------



## referee07 (Sep 11, 2003)

eddie5659, thanks again for the reply. Please see below for the report from running the "Clean" option for AdwCleaner. BTW, I tried opening Malwarebytes and no-go. (I click on the icon for the program, I click "OK" in the permissions box, the little blue circle spins for a few seconds and then stops: the program doesn't open.) Do you think that I might have a rootkit or other malware that might be stopping the program from opening? I am concerned that a malware program might be monitoring my computer. Thanks again for the help.

# AdwCleaner v3.213 - Report created 28/06/2014 at 08:50:35
# Updated 23/06/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Carl - DELLNOTEBOOK
# Running from : C:\Users\Carl\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\ParetoLogic
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ParetoLogic
Folder Deleted : C:\Program Files (x86)\ParetoLogic
Folder Deleted : C:\Program Files (x86)\Common Files\ParetoLogic
Folder Deleted : C:\Users\Carl\AppData\Roaming\ParetoLogic
Folder Deleted : C:\Users\Carl\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkcefkcdkepgkpbgncjchhbjgoanleod
File Deleted : C:\Windows\Tasks\paretologic registration3.job
File Deleted : C:\Windows\System32\Tasks\paretologic registration3

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askchecker_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askchecker_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\robotaskbaricon_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\robotaskbaricon_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\ParetoLogic

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17126

-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [2248 octets] - [27/06/2014 21:24:40]
AdwCleaner[R1].txt - [2308 octets] - [27/06/2014 21:30:37]
AdwCleaner[R2].txt - [2368 octets] - [28/06/2014 08:49:57]
AdwCleaner[S0].txt - [2237 octets] - [28/06/2014 08:50:35]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2297 octets] ##########


----------



## eddie5659 (Mar 19, 2001)

We can definitely look for rootkit activity, of which I'll post some scans below. Also, have you uninstalled the IObit programs yet? If you're not wanting to, as they're free anyway, uninstall for now (some have already been removed in the previous scans etc.) and when you're clean, if you still want them installed, then it's up to you.

It's just that at the moment you have an antivirus, firewall and antimalware (once we get MBAM up and running). Having extra tools doesn't always give more protection, but may cause issues. Optimizers, boosters, cleaners, etc. are basically useless and a waste of money and can do more harm than good.

Reading these links might also put you off such progs:

http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

http://www.edbott.com/weblog/?p=643

----------------------------------

So, let's run the following. First, ComboFix:

*Delete any copies of Combofix that you have.*

Download ComboFix from one of these locations:

*Link 1*
*Link 2*

*IMPORTANT !!! As you download it, rename it to username123.exe and save it to your Desktop*


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

*Please note:* If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.

================================

And then RogueKiller:

Download *RogueKiller* to your desktop


Quit all running programs 
For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe 
Wait until the Pre-scan has finished.
Click on Scan
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe 
Click on Report and copy/paste the contents here.

==============================

And finally these two rootkit scanners:

Can you run the following tools, and copy/paste the logs that they produce here. If it's over a few posts, that's fine.

Please download the latest version of TDSSKiller from *here* and save it to your *Desktop*.

Double-click on *TDSSKiller.exe* to run the application, then click on *Change parameters.*

Put a checkmark beside *loaded modules*.

A reboot will be needed to apply the changes. Do it.
TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
Then click on *Change parameters* in TDSSKiller.
Check all boxes then click OK.

Click the *Start Scan* button.

The scan should take no longer than 2 minutes.
If a *suspicious object* is detected, the default action will be *Skip*, click on *Continue*.

If *malicious objects* are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure *Cure* (default) is selected, then click *Continue* > *Reboot now to finish the cleaning process.*

*Note*: If *Cure* is not available, please choose *Skip* instead, do not choose *Delete* unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of "*TDSSKiller.[Version]_[Date]_[Time]_log.txt*". Please copy and paste the contents of that file here.

===========================

Please download *aswMBR* ( 4.5MB ) to your desktop.

Double click the *aswMBR.exe* icon, and click *Run*.
When asked if you'd like to "download the latest Avast! virus definitions", click *Yes*.
Click the *Scan* button to start the scan.
On completion of the scan, click the *save log* button, save it to your *desktop*, then copy and paste it in your next reply.

----------------------------

eddie


----------



## referee07 (Sep 11, 2003)

eddie5659, thanks again for the reply and the suggestions. I wasn't able to try them tonight, but I will tomorrow night and send you the logs that you requested. Thanks again.


----------



## eddie5659 (Mar 19, 2001)

That's okay, I'll look at them later, as today I had root canal surgery, so not in the best of moods to look at logs today


----------



## referee07 (Sep 11, 2003)

eddie5659, first of all, I hope that you are well on the road to recovery following your oral surgery. I started ComboFix but it was taking a long time to complete (It got to Stage 48.) and so I terminated it and will run it again tomorrow evening. I uninstalled the IObit programs again. (I like Advance System Care and will reinstall it after Malwarebytes is up-and-running again but will not check anything to do with the registry.) I also ran Adw Cleaner after I uninstalled the IObit programs and now I find that the Google Toolbar is no longer there, even when I right-click the IE toolbar area. Anyway, thanks again for your help and I will try to run ComboFix and the other programs tomorrow evening. PS: The log from my running Adw Cleaner this evening is shown below:

AdwCleaner v3.214 - Report created 01/07/2014 at 21:58:16
# Updated 29/06/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Carl - DELLNOTEBOOK
# Running from : C:\Users\Carl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GV559IC2\adwcleaner_3.214.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\ParetoLogic
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ParetoLogic
Folder Deleted : C:\Program Files (x86)\ParetoLogic
Folder Deleted : C:\Program Files (x86)\Common Files\ParetoLogic
Folder Deleted : C:\Users\Carl\AppData\Roaming\ParetoLogic
Folder Deleted : C:\Users\Carl\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkcefkcdkepgkpbgncjchhbjgoanleod
File Deleted : C:\Windows\Tasks\paretologic registration3.job
File Deleted : C:\Windows\System32\Tasks\paretologic registration3

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKLM\Software\ParetoLogic

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17126

-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [2248 octets] - [27/06/2014 21:24:40]
AdwCleaner[R1].txt - [2308 octets] - [27/06/2014 21:30:37]
AdwCleaner[R2].txt - [2368 octets] - [28/06/2014 08:49:57]
AdwCleaner[R3].txt - [3240 octets] - [01/07/2014 21:57:38]
AdwCleaner[S0].txt - [2377 octets] - [28/06/2014 08:50:35]
AdwCleaner[S1].txt - [3150 octets] - [01/07/2014 21:58:16]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [3210 octets] ##########


----------



## referee07 (Sep 11, 2003)

eddie5659, I forgot to mention that I had "Registry Reviver" installed on my computer and deleted it this evening after reading the two articles that you included in your post.


----------



## referee07 (Sep 11, 2003)

eddie5659, first of all, I hope that you are 100% better after your oral surgery. Secondly, please see below for the logs that you requested. (When I ran the ComboFix program, the icon for the Password Safe program would open in the System Tray.) And, once again, thanks for the help with this.

ComboFix 14-06-30.01 - Carl 07/02/2014 19:12:02.4.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3893.1796 [GMT 9:00]
Running from: c:\users\Carl\Desktop\username123.exe
AV: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
FW: COMODO Firewall *Enabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
SP: COMODO Antivirus *Disabled/Outdated* {0C2D2636-923D-EE52-2A83-E643204A8275}
SP: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Java\jre7\bin\jp2ssv.dll
c:\users\Carl\AppData\Local\assembly\tmp
C:\WindowsALGER.tt2
C:\WindowsBAUHS93.tt2
C:\WindowsHARLOWSI.tt2
C:\WindowsLEELAWAD.tt2
C:\WindowsLEELAWDB.tt2
C:\WindowsMSJH.tt2
C:\WindowsMSJHBD.tt2
C:\WindowsMSUIGHUR.tt2
C:\WindowsMSYH.tt2
C:\WindowsMSYHBD.tt2
C:\WindowsVIVALDII.tt2
.
.
((((((((((((((((((((((((( Files Created from 2014-06-02 to 2014-07-02 )))))))))))))))))))))))))))))))
.
.
2014-07-02 11:04 . 2014-07-02 11:04	--------	d-----w-	c:\users\Default\AppData\Local\temp
2014-07-02 11:03 . 2014-07-02 11:03	75888	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{D7CD9A70-E468-4B81-905A-E02F745BA93D}\offreg.dll
2014-07-01 15:02 . 2014-06-05 10:54	10779000	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{D7CD9A70-E468-4B81-905A-E02F745BA93D}\mpengine.dll
2014-06-29 05:08 . 2014-06-29 05:09	--------	d-----w-	c:\users\Carl\AppData\Roaming\IObit
2014-06-27 12:24 . 2014-07-01 12:58	--------	d-----w-	C:\AdwCleaner
2014-06-27 12:06 . 2014-06-27 12:06	--------	d-----w-	C:\_OTL
2014-06-25 13:16 . 2014-06-25 13:16	--------	d-----w-	c:\program files (x86)\Common Files\Java
2014-06-25 13:16 . 2014-06-25 13:15	98216	----a-w-	c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-06-21 01:16 . 2014-06-21 01:16	--------	d-----w-	c:\users\Carl\AppData\Local\Adobe
2014-06-15 02:01 . 2014-06-15 02:01	--------	d-----w-	C:\FRST
2014-06-13 23:11 . 2014-04-25 02:34	801280	----a-w-	c:\windows\system32\usp10.dll
2014-06-13 23:11 . 2014-04-25 02:06	626688	----a-w-	c:\windows\SysWow64\usp10.dll
2014-06-13 23:11 . 2014-03-26 14:44	2002432	----a-w-	c:\windows\system32\msxml6.dll
2014-06-13 23:11 . 2014-03-26 14:44	1882112	----a-w-	c:\windows\system32\msxml3.dll
2014-06-13 23:11 . 2014-03-26 14:41	2048	----a-w-	c:\windows\system32\msxml6r.dll
2014-06-13 23:11 . 2014-03-26 14:41	2048	----a-w-	c:\windows\system32\msxml3r.dll
2014-06-13 23:11 . 2014-03-26 14:27	1389056	----a-w-	c:\windows\SysWow64\msxml6.dll
2014-06-13 23:11 . 2014-03-26 14:27	1237504	----a-w-	c:\windows\SysWow64\msxml3.dll
2014-06-13 23:11 . 2014-03-26 14:25	2048	----a-w-	c:\windows\SysWow64\msxml6r.dll
2014-06-13 23:11 . 2014-03-26 14:25	2048	----a-w-	c:\windows\SysWow64\msxml3r.dll
2014-06-12 11:14 . 2014-05-08 09:32	3178496	----a-w-	c:\windows\system32\rdpcorets.dll
2014-06-12 11:14 . 2014-05-08 09:32	16384	----a-w-	c:\windows\system32\RdpGroupPolicyExtension.dll
2014-06-12 11:10 . 2014-06-08 09:13	506368	----a-w-	c:\windows\system32\aepdu.dll
2014-06-12 11:10 . 2014-06-08 09:08	424448	----a-w-	c:\windows\system32\aeinv.dll
2014-06-11 10:51 . 2014-04-05 02:47	1903552	----a-w-	c:\windows\system32\drivers\tcpip.sys
2014-06-11 10:51 . 2014-04-05 02:47	288192	----a-w-	c:\windows\system32\drivers\FWPKCLNT.SYS
2014-06-07 03:02 . 2014-06-15 08:10	--------	d-----w-	c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-06-07 02:54 . 2014-06-29 07:25	91352	----a-w-	c:\windows\system32\drivers\mbamchameleon.sys
2014-06-07 02:54 . 2014-06-07 02:54	--------	d-----w-	c:\program files (x86)\Malwarebytes Anti-Malware
2014-06-07 02:54 . 2014-05-11 22:26	63704	----a-w-	c:\windows\system32\drivers\mwac.sys
2014-06-07 02:54 . 2014-05-11 22:25	25816	----a-w-	c:\windows\system32\drivers\mbam.sys
2014-06-03 13:02 . 2014-06-03 13:04	--------	d-----w-	c:\program files (x86)\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-06-19 08:27 . 2014-05-24 02:42	588496	----a-w-	c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-06-14 13:56 . 2014-05-04 00:31	128728	----a-w-	c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-06-11 13:52 . 2011-03-19 11:28	95414520	----a-w-	c:\windows\system32\MRT.exe
2014-05-29 11:03 . 2014-04-27 04:36	48392	----a-w-	c:\windows\SysWow64\certsentry.dll
2014-05-29 11:03 . 2014-02-01 14:03	57096	----a-w-	c:\windows\system32\certsentry.dll
2014-05-16 02:07 . 2014-05-16 02:07	829264	----a-w-	c:\windows\system32\msvcr100.dll
2014-05-16 02:07 . 2014-05-16 02:07	608080	----a-w-	c:\windows\system32\msvcp100.dll
2014-05-16 00:39 . 2014-05-16 00:39	773968	----a-w-	c:\windows\SysWow64\msvcr100.dll
2014-05-16 00:39 . 2014-05-16 00:39	421200	----a-w-	c:\windows\SysWow64\msvcp100.dll
2014-05-14 13:48 . 2013-05-11 13:29	692400	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2014-05-14 13:48 . 2013-05-11 13:29	70832	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-16 21:12 . 2013-01-16 10:51	105552	----a-w-	c:\windows\system32\drivers\inspect.sys
2014-04-16 21:12 . 2013-01-16 10:51	48360	----a-w-	c:\windows\system32\drivers\cmdhlp.sys
2014-04-16 21:12 . 2013-01-16 10:51	738472	----a-w-	c:\windows\system32\drivers\cmdguard.sys
2014-04-16 21:12 . 2013-01-16 10:51	23168	----a-w-	c:\windows\system32\drivers\cmderd.sys
2014-04-14 17:34 . 2014-04-14 17:34	1070232	----a-w-	c:\windows\SysWow64\MSCOMCTL.OCX
2014-04-12 02:22 . 2014-05-19 11:24	155072	----a-w-	c:\windows\system32\drivers\ksecpkg.sys
2014-04-12 02:22 . 2014-05-19 11:24	95680	----a-w-	c:\windows\system32\drivers\ksecdd.sys
2014-04-12 02:19 . 2014-05-19 11:24	136192	----a-w-	c:\windows\system32\sspicli.dll
2014-04-12 02:19 . 2014-05-19 11:24	29184	----a-w-	c:\windows\system32\sspisrv.dll
2014-04-12 02:19 . 2014-05-19 11:24	28160	----a-w-	c:\windows\system32\secur32.dll
2014-04-12 02:19 . 2014-05-19 11:24	1460736	----a-w-	c:\windows\system32\lsasrv.dll
2014-04-12 02:19 . 2014-05-19 11:24	31232	----a-w-	c:\windows\system32\lsass.exe
2014-04-12 02:12 . 2014-05-19 11:24	22016	----a-w-	c:\windows\SysWow64\secur32.dll
2014-04-12 02:10 . 2014-05-19 11:24	96768	----a-w-	c:\windows\SysWow64\sspicli.dll
2009-07-06 01:43 . 2011-03-23 02:40	943104	----a-w-	c:\program files\amis.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-06-19 11:10	1730264	----a-w-	c:\program files\Microsoft Office 15\root\office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-06-19 11:10	1730264	----a-w-	c:\program files\Microsoft Office 15\root\office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-06-19 11:10	1730264	----a-w-	c:\program files\Microsoft Office 15\root\office15\GROOVEEX.DLL
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2014-06-12 6564120]
"StrongVPN Client"="c:\program files (x86)\StrongVPN\StrongDial.exe" [2014-04-29 1666544]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2011-10-12 2068856]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-05-06 39408]
"RoboForm"="c:\program files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2014-05-25 109784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-12 43848]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-04-30 421888]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-05-16 3830224]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2013-03-27 6365920]
"AcronisTibMounterMonitor"="c:\program files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe" [2013-01-10 1103424]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\\isuspm.exe" [2011-10-12 2068856]
"DNS7reminder"="c:\program files (x86)\Nuance\NaturallySpeaking12\Ereg\Ereg.exe" [2010-10-27 328992]
"Wondershare Helper Compact.exe"="c:\program files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2013-07-25 1985824]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2011-05-28 273544]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-05-26 152392]
"HOfficeViewerUpdate"="c:\program files (x86)\HNC\HOfficeViewer80\HncUtils\HncViewerChecker.exe" [2012-06-18 1920360]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-08-20 487562]
"BSDAppUpdater"="c:\program files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe" [2010-11-23 1660232]
"Aimersoft Helper Compact.exe"="c:\program files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe" [2012-02-20 1666560]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-05-07 256896]
.
c:\users\Carl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Password Safe.lnk - c:\program files (x86)\Password Safe\pwsafe.exe -s [2014-2-7 4425728]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-1 1079584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0010412]
IME File	REG_SZ imkr80.ime
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 LiveUpdateSvc;LiveUpdate;c:\program files (x86)\IObit\LiveUpdate\LiveUpdate.exe;c:\program files (x86)\IObit\LiveUpdate\LiveUpdate.exe [x]
R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdnserv.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\\lxdnserv.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys;c:\windows\SYSNATIVE\Drivers\ssadadb.sys [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys;c:\windows\SYSNATIVE\drivers\btusbflt.sys [x]
R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x]
R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys;c:\windows\SYSNATIVE\DRIVERS\rcmirror.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdm.sys [x]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys;c:\windows\SYSNATIVE\DRIVERS\ssadserd.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\DRIVERS\fltsrv.sys;c:\windows\SYSNATIVE\DRIVERS\fltsrv.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 tib;Acronis TIB Manager;c:\windows\system32\DRIVERS\tib.sys;c:\windows\SYSNATIVE\DRIVERS\tib.sys [x]
S0 tib_mounter;Acronis TIB Mounter;c:\windows\system32\DRIVERS\tib_mounter.sys;c:\windows\SYSNATIVE\DRIVERS\tib_mounter.sys [x]
S0 vididr;Acronis Virtual Disk;c:\windows\system32\DRIVERS\vididr.sys;c:\windows\SYSNATIVE\DRIVERS\vididr.sys [x]
S0 vidsflt;Acronis Disk Storage Filter;c:\windows\system32\DRIVERS\vidsflt.sys;c:\windows\SYSNATIVE\DRIVERS\vidsflt.sys [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys;c:\windows\SYSNATIVE\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys;c:\windows\SYSNATIVE\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys;c:\windows\SYSNATIVE\DRIVERS\cmdhlp.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
S2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [x]
S2 BcmBtRSupport;Bluetooth Driver Management Service;c:\windows\system32\BtwRSupportService.exe;c:\windows\SYSNATIVE\BtwRSupportService.exe [x]
S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
S2 DragonSvc;Dragon Service;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe [x]
S2 DragonUpdater;COMODO Dragon Update Service;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfpr.sys [x]
S2 GsServer;GoodSync Server;c:\program files\Siber Systems\GoodSync\Gs-Server.exe;c:\program files\Siber Systems\GoodSync\Gs-Server.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe;c:\windows\SYSNATIVE\lxdncoms.exe [x]
S2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe;c:\program files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe [x]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S2 StrongVPN Service;StrongVPN Service;c:\program files (x86)\StrongVPN\StrongService.exe;c:\program files (x86)\StrongVPN\StrongService.exe [x]
S2 syncagentsrv;Acronis Sync Agent Service;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [x]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys;c:\windows\SYSNATIVE\DRIVERS\afcdp.sys [x]
S3 bcbtums;Bluetooth USB LD Filter;c:\windows\system32\drivers\bcbtums.sys;c:\windows\SYSNATIVE\drivers\bcbtums.sys [x]
S3 btwampfl;btwampfl;c:\windows\system32\DRIVERS\btwampfl.sys;c:\windows\SYSNATIVE\DRIVERS\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
S3 tapstrong;StrongVPN Adapter;c:\windows\system32\DRIVERS\tapstrong.sys;c:\windows\SYSNATIVE\DRIVERS\tapstrong.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt	REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-11 13:48]
.
2014-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cf904db6bccd55.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 10:10]
.
2014-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cf904db8563a05.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 10:10]
.
2014-07-02 c:\windows\Tasks\Start Driver Reviver for [email protected](logon).job
- c:\program files\ReviverSoft\Driver Reviver\DriverReviver.exe [2013-09-10 08:36]
.
2014-07-02 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 89d96e21-0900-4f2a-9d96-c2751ce3503a.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2014-07-02 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task b28be43d-0e44-486f-8b61-f2e15d77c340.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB16E5C3-A9E2-47A2-8EFC-319E775E62CC}]
2013-11-15 12:17	842408	----a-w-	c:\program files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-06-19 11:10	2335960	----a-w-	c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-06-19 11:10	2335960	----a-w-	c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-06-19 11:10	2335960	----a-w-	c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncError]
@="{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}"
[HKEY_CLASSES_ROOT\CLSID\{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}]
2013-03-27 13:37	2818800	----a-w-	c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncInProgress]
@="{00F848DC-B1D4-4892-9C25-CAADC86A215D}"
[HKEY_CLASSES_ROOT\CLSID\{00F848DC-B1D4-4892-9C25-CAADC86A215D}]
2013-03-27 13:37	2818800	----a-w-	c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncOk]
@="{71573297-552E-46fc-BE3D-3DFAF88D47B7}"
[HKEY_CLASSES_ROOT\CLSID\{71573297-552E-46fc-BE3D-3DFAF88D47B7}]
2013-03-27 13:37	2818800	----a-w-	c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2013-07-23 13632216]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 415256]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-03-05 1928976]
"EzPrint"="c:\program files (x86)\Lexmark 2600 Series\ezprint.exe" [2010-02-04 107176]
"Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2013-02-15 516928]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2014-03-25 1275608]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2013-09-12 5618456]
"lxdnmon.exe"="c:\program files (x86)\Lexmark 2600 Series\lxdnmon.exe" [2010-02-04 660136]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mentalfloss.com/
mDefault_Search_URL = hxxp://www.google.com/
mSearch Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:21320
uSearchAssistant = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/
Trusted Zone: brs-llc.com\tess
Trusted Zone: google.com\mail
TCP: DhcpNameServer = 168.126.63.1 168.126.63.2
TCP: Interfaces\{71954841-135B-4F40-A9CD-043CD2C0A4F6}: NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{722ED704-906C-46A6-8370-CBEB7A9BB0F6}: NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{DFF3FE39-CF32-4E36-94DA-895958524BDA}: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{DFF3FE39-CF32-4E36-94DA-895958524BDA}\C4740255B20273131313: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{DFF3FE39-CF32-4E36-94DA-895958524BDA}\C4740255B273130343: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{EC9D303B-2D0C-4783-87DA-46DD644894B0}: NameServer = 0.0.0.0
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{29ACDA07-0CAD-4751-B3A4-3E03C5F74673} - c:\program files (x86)\ParetoLogic\Privacy Controls\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{367E135E-2B2E-A077-3E92-18F772EF5DAA}*]
@Allowed: (Read) (RestrictedCode)
"pafkmehmkdelemggbhfhgjapmlnhikgh"=hex:6a,61,69,63,68,66,69,6c,67,68,69,68,64,
67,63,62,6e,6e,62,61,00,fe
"oaljfaiaepegjnjbecnjoalgpbejho"=hex:6a,61,69,63,68,66,69,6c,67,68,69,68,64,67,
63,62,6e,6e,62,61,00,01
.
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{74E827C3-21E1-1EAA-EA3C-BF875B2231DD}*]
"oaldbhnlbajenibdaggbjkedjdfoll"=hex:6a,61,67,67,63,6c,62,6e,66,64,6b,6d,6e,61,
6d,65,6e,68,64,67,00,01
"pajgppcmeiofjeglegmkcdcpdeeadlnn"=hex:69,61,65,67,66,6c,6c,63,61,69,6c,6a,69,
70,66,64,6b,6e,00,77
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.13"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\COMODO\CIS\Installer\Sym_Cam\CIS]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\cmdAgent\Mode\Configurations]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,59,00,53,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\cmdAgent\Mode\Data]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\cmdAgent\Mode\Options]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\Software\COMODO\Cam]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\Software\COMODO\Firewall Pro]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,59,00,53,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Password Safe\pwsafe.exe
c:\programdata\FLEXnet\Connect\11\agent.exe
c:\program files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
c:\program files\Microsoft Office 15\Root\Office15\MsoSync.exe
.
**************************************************************************
.
Completion time: 2014-07-02 20:44:13 - machine was rebooted
ComboFix-quarantined-files.txt 2014-07-02 11:44
.
Pre-Run: 198,438,703,104 bytes free
Post-Run: 198,223,212,544 bytes free
.
- - End Of File - - 033718E7C2536C1FA20B8A2956877CE2

RogueKiller V9.1.0.0 [Jun 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Carl [Admin rights]
Mode : Scan -- Date : 07/02/2014 21:29:12

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 17 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : localhost:21320 -> FOUND
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : localhost:21320 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 168.126.63.1 168.126.63.2 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 168.126.63.1 168.126.63.2 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 168.126.63.1 168.126.63.2 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{637AC0A6-E97F-4DD3-BC08-96932D7654D0} | DhcpNameServer : 168.126.63.1 168.126.63.2 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EC9D303B-2D0C-4783-87DA-46DD644894B0} | NameServer : 0.0.0.0 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{637AC0A6-E97F-4DD3-BC08-96932D7654D0} | DhcpNameServer : 168.126.63.1 168.126.63.2 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{EC9D303B-2D0C-4783-87DA-46DD644894B0} | NameServer : 0.0.0.0 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{637AC0A6-E97F-4DD3-BC08-96932D7654D0} | DhcpNameServer : 168.126.63.1 168.126.63.2 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{EC9D303B-2D0C-4783-87DA-46DD644894B0} | NameServer : 0.0.0.0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

¤¤¤ Scheduled tasks : 9 ¤¤¤
[Suspicious.Path] \\{133921E2-2021-4B45-8F53-90BD3987A7B9} -- C:\Windows\system32\pcalua.exe (-a "C:\Users\Carl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\55WMBKZJ\Install_CopyTrans_Suite[1].exe" -d C:\Users\Carl\Desktop) -> FOUND
[Suspicious.Path] \\{5FACD68B-EA69-4640-8738-1A78B7CC7AC8} -- C:\Windows\system32\pcalua.exe (-a "C:\Users\Carl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6DJMOX98\HijackThis.exe" -d C:\Users\Carl\Desktop) -> FOUND
[Suspicious.Path] \\{87807F17-6F61-4AC5-AE01-5BF05D7083C6} -- C:\Windows\system32\pcalua.exe (-a C:\Users\Carl\Desktop\Itunes_Dup_Remover.exe -d C:\Users\Carl\Desktop) -> FOUND
[Suspicious.Path] \\{AA77E7F2-D5AC-4C47-8944-1E10CF3A90B9} -- C:\Windows\system32\pcalua.exe (-a "C:\Users\Carl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G5MSJCOH\IE8-Setup-Full[1].exe" -d C:\Users\Carl\Desktop) -> FOUND
[Suspicious.Path] \\{B3921F06-F64C-4E56-892D-7D6EF43CF2BB} -- C:\Windows\system32\pcalua.exe (-a C:\Users\Carl\Desktop\FTMWorkshop.exe -d C:\Users\Carl\Desktop) -> FOUND
[Suspicious.Path] \\{CDBAFAB3-A304-4EC9-B0A8-9F7CC1FD2609} -- C:\Windows\system32\pcalua.exe (-a "C:\Users\Carl\Desktop\DNS 12 Premimum - Install.exe" -d C:\Users\Carl\Desktop) -> FOUND
[Suspicious.Path] \\{F64F870B-9E94-4E08-ABE1-BACE1DFA94F1} -- C:\Windows\system32\pcalua.exe (-a C:\Users\Carl\Desktop\SoftickPPP303-en.exe -d C:\Users\Carl\Desktop) -> FOUND
[Suspicious.Path] \\{FB9D8D71-DD85-47B6-A663-FF1E4CA05DAD} -- C:\Windows\system32\pcalua.exe (-a C:\Users\Carl\Downloads\Byki4_Korean_BykiPod2.exe -d C:\Users\Carl\Desktop) -> FOUND
[Suspicious.Path] \\{FC711627-AC4C-4C2E-B888-A81CB9874A26} -- C:\Windows\system32\pcalua.exe (-a "C:\Users\Carl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BBKJ7UV0\SetupBtwDownloadSE.exe" -d C:\Users\Carl\Desktop) -> FOUND

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] dd6967e897e9549401c89a8d9f38da4a
[BSP] dea9defa67a18cc486b8c709b2ee22f0 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 101 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 208845 | Size: 15000 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 30928845 | Size: 461837 MB
User = LL1 ... OK
User = LL2 ... OK


----------



## referee07 (Sep 11, 2003)

aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2014-07-02 21:52:59
-----------------------------
21:52:59.310 OS Version: Windows x64 6.1.7601 Service Pack 1
21:52:59.310 Number of processors: 4 586 0x2505
21:52:59.311 ComputerName: DELLNOTEBOOK UserName: Carl
21:55:00.951 Initialize success
21:55:02.157 VM: initialized successfully
21:55:02.408 VM: Intel CPU supported 
21:55:19.233 VM: supported disk I/O iaStor.sys
22:03:29.681 AVAST engine defs: 14070200
22:06:37.536 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:06:37.539 Disk 0 Vendor: ST950032 D005 Size: 476940MB BusType: 3
22:06:37.693 VM: Disk 0 MBR read successfully
22:06:37.696 Disk 0 MBR scan
22:06:37.843 Disk 0 Windows VISTA default MBR code
22:06:37.847 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 101 MB offset 63
22:06:37.874 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 208845
22:06:37.885 Disk 0 Boot: NTFS code=1
22:06:37.913 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 461837 MB offset 30928845
22:06:38.421 Disk 0 scanning C:\Windows\system32\drivers
22:07:25.074 Service scanning
22:09:22.343 Modules scanning
22:09:22.350 Disk 0 trace - called modules:
22:09:22.380 ntoskrnl.exe CLASSPNP.SYS disk.sys vidsflt.sys iaStor.sys 
22:09:22.385 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c37790]
22:09:22.391 3 CLASSPNP.SYS[fffff88001d0a43f] -> nt!IofCallDriver -> [0xfffffa8004adfb40]
22:09:22.396 5 vidsflt.sys[fffff88000fd45f1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004942050]
22:09:25.967 AVAST engine scan C:\Windows
22:09:40.681 AVAST engine scan C:\Windows\system32
22:22:31.182 AVAST engine scan C:\Windows\system32\drivers
22:23:14.864 AVAST engine scan C:\Users\Carl
22:48:12.712 AVAST engine scan C:\ProgramData
22:59:52.747 Scan finished successfully
23:02:00.470 Disk 0 MBR has been saved successfully to "C:\Users\Carl\Desktop\MBR.dat"
23:02:00.470 The log file has been saved successfully to "C:\Users\Carl\Desktop\aswMBR.txt"

I could not run the Kaspersky TDSS Killer. When I tried to download the program, I got a message that the COMODO Firewall was preventing it, but I had stopped the program.


----------



## eddie5659 (Mar 19, 2001)

Yep, feeling a lot better, thanks. It was a bit painful for a few days, but now it's like I haven't had it. Have the Crown to add in 3 months, yay.

That's fine about the Advanced SystemCare, as once we're nice and clean, you can reinstall it as you like the program.



> I also ran Adw Cleaner after I uninstalled the IObit programs and now I find that the Google Toolbar is no longer there, even when I right-click the IE toolbar area


Some of the automated tools remove toolbars as they may get installed without the user realising. Again, once you're all clear, get it from here:

http://www.google.com/toolbar/ie/index.html

Thanks for letting me know about Registry Reviver, we can look for remains as well for that tool.



> When I ran the ComboFix program, the icon for the Password Safe program would open in the System Tray.


ComboFix closes all running processes in case any malware etc. is using it. It may have done something similar with Password Safe. Is it running okay now?



> I could not run the Kaspersky TDSS Killer. When I tried to download the program, I got a message that the COMODO Firewall was preventing it, but I had stopped the program.


It's okay about that tool, we'll leave that for now. Got plenty to work on for the moment.

------------------------------------------

ESET NOD32 Antivirus 7.0
COMODO Antivirus

Only one antivirus is recommended to use, so if one is paid for and the other isn't, you may want to keep the paid one 

Do you use a Proxy? If not, we'll remove the entries, but just thought I'd double-check first.

========================================

Okay, have a few things we need to look at, then after that, we can look at remains etc of the things we've removed, and get a scan of tdsskiller amongst some other tools 

There are some files that ComboFix deleted, and I need to know a bit more about them. Can you do this for me:

Download suspicious file packer from http://www.safer-networking.org/files/sfp.zip

Unzip it to desktop, open it & paste in the contents of the quote box below, press next & it will create an archive (zip/cab file) on desktop.



> *
> C:\Qoobox\Quarantine\C\WindowsVIVALDII.tt2
> C:\Qoobox\Quarantine\C\WindowsHARLOWSI.tt2
> *


Please upload that to http://www.thespykiller.co.uk/index.php?board=1.0 so we can examine the files.

Just register, press new topic, fill in the needed details and just give a link to your post here, then press the browse button and navigate to and select the files on your computer. When the file is listed in the window, press send to upload the file.

Let me know when it's uploaded.

================================

The following files etc I'm posting in this bit may be legit, but again, prefer to be certain:

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1
Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:filefind
*pafkmehmkdelemggbhfhgjapmlnhikgh*.*
*oaljfaiaepegjnjbecnjoalgpbejho*.*
*oaldbhnlbajenibdaggbjkedjdfoll*.*
*pajgppcmeiofjeglegmkcdcpdeeadlnn*.*
:folderfind
*pafkmehmkdelemggbhfhgjapmlnhikgh*
*oaljfaiaepegjnjbecnjoalgpbejho*
*oaldbhnlbajenibdaggbjkedjdfoll*
*pajgppcmeiofjeglegmkcdcpdeeadlnn*
:file
C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop, entitled *SystemLook.txt*

=======================================
Then, using *OTL*, can you run the following scan for me:

Run *OTL*

Hit *None* button.
Under the *Custom Scans/Fixes* box at the bottom, paste in the following


```
type C:\Windows\SysNative\tasks\{0267CD9A-2EE3-4FF8-AB57-1D1DE57B014F} /c
type C:\Windows\SysNative\tasks\{133921E2-2021-4B45-8F53-90BD3987A7B9} /c
type C:\Windows\SysNative\tasks\{153E0C11-AB59-4403-A009-C84D5BC3296D} /c
type C:\Windows\SysNative\tasks\{271A9AA8-2C75-4F2C-9052-5597FB25E7B5} /c
type C:\Windows\SysNative\tasks\{378D9E73-23D0-42F8-A7D1-645D978E8C33} /c
type C:\Windows\SysNative\tasks\{38D3AC7C-20C2-4AE9-BED7-3A45570C6259} /c
type C:\Windows\SysNative\tasks\{5FACD68B-EA69-4640-8738-1A78B7CC7AC8} /c
type C:\Windows\SysNative\tasks\{6ACD8BB2-F9CD-44D0-A4A7-B1E2F26AE0BF} /c
type C:\Windows\SysNative\tasks\{72E857CF-7393-4941-8587-00798EC27D64} /c
type C:\Windows\SysNative\tasks\{7AD110DA-341A-4DBE-BDF3-9AEE42414B7B} /c
type C:\Windows\SysNative\tasks\{80BC2314-73C6-4E2C-B4B4-4F6CBF187835} /c
type C:\Windows\SysNative\tasks\{87807F17-6F61-4AC5-AE01-5BF05D7083C6} /c
type C:\Windows\SysNative\tasks\{918D5FBF-014E-4809-BA84-A238F18A392E} /c
type C:\Windows\SysNative\tasks\{A910FFBD-B08A-4594-A1E5-399A702FCC3B} /c
type C:\Windows\SysNative\tasks\{AA77E7F2-D5AC-4C47-8944-1E10CF3A90B9} /c
type C:\Windows\SysNative\tasks\{B3921F06-F64C-4E56-892D-7D6EF43CF2BB} /c
type C:\Windows\SysNative\tasks\{CDBAFAB3-A304-4EC9-B0A8-9F7CC1FD2609} /c
type C:\Windows\SysNative\tasks\{D89F63B8-51E8-4C59-9229-317F503BA789} /c
type C:\Windows\SysNative\tasks\{F64F870B-9E94-4E08-ABE1-BACE1DFA94F1} /c
type C:\Windows\SysNative\tasks\{FB9D8D71-DD85-47B6-A663-FF1E4CA05DAD} /c
type C:\Windows\SysNative\tasks\{FC711627-AC4C-4C2E-B888-A81CB9874A26} /c
```

Hit *Run Scan* button.

Thanks

eddie


----------



## referee07 (Sep 11, 2003)

eddie5659, first of all, glad you're feeling better after your oral surgery. Secondly, thanks again for the help.



> When I ran the ComboFix program, the icon for the Password Safe program would open in the System Tray.


I didn't have Password Safe open when I ran ComboFix. The ComboFix icon appeared in the System Tray and wouldn't close by left-clicking on the icon and choosing "close." 


> ESET NOD32 Antivirus 7.0
> COMODO Antivirus
> 
> Only one antivirus is recommended to use, so if one is paid for and the other isn't, you may want to keep the paid one
> ...


I thought I only had the ESET NOD32 running. I thought that COMODO was only the firewall. I really only want ESET NOD32 as the anti-virus program on my computer.

I went to the MBAM Spy Killer Forum and hopefully supplied the info you requested.

Please see below for the logs that you requested:

SystemLook 30.07.11 by jpshortstuff
Log created at 11:53 on 04/07/2014 by Carl
Administrator - Elevation successful

========== filefind ==========

Searching for "*pafkmehmkdelemggbhfhgjapmlnhikgh*.*"
No files found.

Searching for "*oaljfaiaepegjnjbecnjoalgpbejho*.*"
No files found.

Searching for "*oaldbhnlbajenibdaggbjkedjdfoll*.*"
No files found.

Searching for "*pajgppcmeiofjeglegmkcdcpdeeadlnn*.*"
No files found.

========== folderfind ==========

Searching for "*pafkmehmkdelemggbhfhgjapmlnhikgh*"
No folders found.

Searching for "*oaljfaiaepegjnjbecnjoalgpbejho*"
No folders found.

Searching for "*oaldbhnlbajenibdaggbjkedjdfoll*"
No folders found.

Searching for "*pajgppcmeiofjeglegmkcdcpdeeadlnn*"
No folders found.

========== file ==========

C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedads - Unable to find/read file.

-= EOF =-
==========================================================================================
OTL logfile created on: 7/4/2014 12:00:31 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Carl\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17126)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.80 Gb Total Physical Memory | 0.63 Gb Available Physical Memory | 16.66% Memory free
7.60 Gb Paging File | 4.31 Gb Available in Paging File | 56.68% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 451.01 Gb Total Space | 184.19 Gb Free Space | 40.84% Space Free | Partition Type: NTFS

Computer Name: DELLNOTEBOOK | User Name: Carl | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014/06/25 22:25:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Carl\Desktop\OTL.exe
PRC - [2014/06/19 20:02:49 | 018,935,976 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE
PRC - [2014/05/25 19:22:49 | 000,109,784 | ---- | M] (Siber Systems) -- C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2014/05/21 19:22:08 | 002,135,232 | ---- | M] () -- C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
PRC - [2014/05/08 22:48:38 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2014/04/29 18:22:01 | 000,097,776 | ---- | M] (Black Oak Computers, Inc.) -- C:\Program Files (x86)\StrongVPN\StrongService.exe
PRC - [2014/04/29 18:21:59 | 001,666,544 | ---- | M] (Black Oak Computers, Inc.) -- C:\Program Files (x86)\StrongVPN\StrongDial.exe
PRC - [2014/02/12 20:57:54 | 000,043,848 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
PRC - [2014/02/07 17:06:44 | 004,425,728 | ---- | M] (SourceForge.net) -- C:\Program Files (x86)\Password Safe\pwsafe.exe
PRC - [2013/10/13 12:19:08 | 003,783,672 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
PRC - [2013/09/12 12:06:22 | 001,337,752 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
PRC - [2013/07/25 17:47:00 | 001,985,824 | ---- | M] (Wondershare) -- C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
PRC - [2013/05/16 10:59:00 | 003,830,224 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
PRC - [2013/05/16 10:56:30 | 001,817,560 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
PRC - [2013/05/15 13:21:32 | 000,171,928 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
PRC - [2013/03/27 22:33:02 | 006,365,920 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2013/03/20 19:28:20 | 007,084,672 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
PRC - [2013/01/10 14:12:20 | 001,103,424 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
PRC - [2012/07/18 22:07:06 | 000,310,232 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe
PRC - [2011/10/12 23:11:34 | 002,068,856 | ---- | M] (Flexera Software LLC.) -- C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
PRC - [2011/10/12 23:11:32 | 001,446,264 | ---- | M] (Flexera Software LLC.) -- C:\ProgramData\FLEXnet\Connect\11\agent.exe
PRC - [2011/05/28 19:39:11 | 000,273,544 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
PRC - [2011/04/15 13:18:06 | 001,646,056 | ---- | M] (Rosetta Stone Ltd.) -- C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
PRC - [2010/11/24 00:08:22 | 001,660,232 | ---- | M] (Bootstrap Software Development) -- C:\Program Files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe
PRC - [2010/08/20 09:06:56 | 000,487,562 | ---- | M] (Creative Technology Ltd) -- C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
PRC - [2010/07/02 05:10:26 | 002,533,400 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
PRC - [2010/07/02 05:10:22 | 000,325,656 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
PRC - [2010/03/03 20:16:06 | 000,013,336 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2010/02/04 13:05:56 | 000,107,176 | ---- | M] (Lexmark International Inc.) -- C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe
PRC - [2010/02/04 13:05:54 | 000,660,136 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdnmon.exe
PRC - [2009/10/15 18:10:28 | 000,498,160 | ---- | M] () -- C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
PRC - [2009/07/01 18:54:04 | 000,013,600 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe

========== Modules (No Company Name) ==========

MOD - [2014/06/19 20:09:33 | 008,890,536 | ---- | M] () -- C:\Program Files\Microsoft Office 15\root\office15\1033\GrooveIntlResource.dll
MOD - [2014/06/19 20:01:19 | 001,032,360 | ---- | M] () -- C:\Program Files\Microsoft Office 15\root\office15\ADDINS\UmOutlookAddin.dll
MOD - [2014/06/19 17:12:58 | 000,316,584 | ---- | M] () -- C:\Program Files\Microsoft Office 15\root\office15\appvisvstream32.dll
MOD - [2014/05/24 11:56:51 | 000,321,704 | ---- | M] () -- C:\Program Files\Microsoft Office 15\root\office15\msfad.dll
MOD - [2014/05/20 16:54:40 | 006,611,456 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\dbc236ca6655e4e3839ee4f802eb3f99\System.Data.ni.dll
MOD - [2014/02/14 07:37:54 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\b34b348a9935338b1282fd0c9309eb1f\System.ServiceProcess.ni.dll
MOD - [2014/02/14 07:36:35 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\8bc548587e91ecf0552a40e47bbf99cc\System.Windows.Forms.ni.dll
MOD - [2014/02/14 07:35:48 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5c24d3b0041ebf4f48a93615b9fa3de9\System.Drawing.ni.dll
MOD - [2014/02/14 07:35:40 | 000,688,640 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\f6db4a5f721a164ce945d0a28f2ca7bd\System.Security.ni.dll
MOD - [2014/02/14 07:35:32 | 005,464,064 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\217ece46920546d718414291d463bb1c\System.Xml.ni.dll
MOD - [2014/02/14 07:35:27 | 000,978,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\73ce00cfab52d23ca89457490fd5ef9a\System.Configuration.ni.dll
MOD - [2014/02/14 07:34:53 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\b3a78269847005365001c33870cd121f\System.ni.dll
MOD - [2014/02/14 07:34:45 | 011,499,520 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ede2c6c842840e009f01bcc74fa4c457\mscorlib.ni.dll
MOD - [2014/01/20 13:17:04 | 000,073,544 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2014/01/20 13:16:40 | 000,237,384 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxslt.dll
MOD - [2014/01/20 13:16:38 | 001,044,808 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2013/09/05 00:14:10 | 004,300,456 | ---- | M] () -- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2013/07/24 09:24:52 | 000,137,728 | ---- | M] () -- C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
MOD - [2013/06/28 05:12:40 | 000,093,696 | ---- | M] () -- C:\Program Files (x86)\FileZilla FTP Client\fzshellext.dll
MOD - [2013/05/16 10:55:28 | 000,161,112 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
MOD - [2013/05/16 10:55:26 | 000,113,496 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
MOD - [2013/05/16 10:55:24 | 000,416,600 | ---- | M] () -- C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
MOD - [2010/11/05 10:58:05 | 002,927,616 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2010/10/20 15:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll
MOD - [2010/02/04 13:05:54 | 000,660,136 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdnmon.exe
MOD - [2009/10/15 18:10:28 | 000,498,160 | ---- | M] () -- C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
MOD - [2009/07/24 00:49:04 | 000,782,336 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdndrs.dll
MOD - [2009/07/24 00:48:28 | 000,380,928 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdnscw.dll
MOD - [2009/05/14 18:46:40 | 000,081,920 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdncaps.dll
MOD - [2007/10/12 23:24:46 | 000,364,544 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\iptk.dll
MOD - [2007/10/02 19:51:09 | 000,069,632 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdncnv4.dll
MOD - [2007/05/29 12:39:08 | 000,589,824 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdndatr.dll
MOD - [2007/03/26 12:39:35 | 000,073,728 | ---- | M] () -- C:\Program Files (x86)\Lexmark 2600 Series\lxdncats.dll

========== Services (SafeList) ==========

SRV:*64bit:* - [2014/05/30 18:21:05 | 000,111,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV:*64bit:* - [2014/05/21 03:28:26 | 002,279,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe -- (ClickToRunSvc)
SRV:*64bit:* - [2014/04/17 06:12:45 | 006,817,544 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV:*64bit:* - [2014/03/26 04:22:18 | 002,264,280 | ---- | M] (COMODO) [On_Demand | Stopped] -- C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe -- (cmdvirth)
SRV:*64bit:* - [2014/02/15 02:38:42 | 008,117,904 | ---- | M] () [Auto | Running] -- C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe -- (GsServer)
SRV:*64bit:* - [2013/10/28 18:02:18 | 002,255,064 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Windows\SysNative\BtwRSupportService.exe -- (BcmBtRSupport)
SRV:*64bit:* - [2013/09/12 12:06:22 | 001,337,752 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe -- (ekrn)
SRV:*64bit:* - [2013/05/27 14:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:*64bit:* - [2012/07/12 03:54:58 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCore64.exe -- (!SASCORE)
SRV:*64bit:* - [2010/09/23 09:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV:*64bit:* - [2010/03/06 01:26:38 | 001,425,168 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV:*64bit:* - [2010/03/06 01:07:58 | 000,340,240 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe -- (MyWiFiDHCPDNS)
SRV:*64bit:* - [2010/03/06 01:06:22 | 000,831,760 | ---- | M] (Intel(R) Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV:*64bit:* - [2009/11/18 11:14:26 | 000,098,208 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe -- (AERTFilters)
SRV:*64bit:* - [2009/07/01 18:54:02 | 000,864,032 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV:*64bit:* - [2009/04/28 14:58:52 | 000,029,184 | ---- | M] () [Auto | Stopped] -- C:\Windows\SysNative\spool\DRIVERS\x64\3\\lxdnserv.exe -- (lxdnCATSCustConnectService)
SRV:*64bit:* - [2007/11/28 19:51:42 | 001,039,872 | ---- | M] ( ) [Auto | Running] -- C:\Windows\SysNative\lxdncoms.exe -- (lxdn_device)
SRV - [2014/05/21 19:22:08 | 002,135,232 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe -- (DragonUpdater)
SRV - [2014/05/14 22:48:49 | 000,257,712 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2014/05/08 22:48:38 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2014/05/04 16:37:30 | 002,152,736 | ---- | M] (IObit) [Auto | Stopped] -- C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe -- (LiveUpdateSvc)
SRV - [2014/04/29 18:22:01 | 000,097,776 | ---- | M] (Black Oak Computers, Inc.) [Auto | Running] -- C:\Program Files (x86)\StrongVPN\StrongService.exe -- (StrongVPN Service)
SRV - [2013/10/23 08:15:08 | 000,172,192 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013/10/13 12:19:08 | 003,783,672 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
SRV - [2013/09/11 21:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2013/03/20 19:28:20 | 007,084,672 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe -- (syncagentsrv)
SRV - [2013/02/15 13:01:52 | 001,143,720 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2012/07/18 22:07:06 | 000,310,232 | ---- | M] (Nuance Communications, Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe -- (DragonSvc)
SRV - [2011/04/17 10:57:28 | 000,013,160 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\615\g2aservice.exe -- (GoToAssist)
SRV - [2011/04/15 13:18:06 | 001,646,056 | ---- | M] (Rosetta Stone Ltd.) [Auto | Running] -- C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe -- (RosettaStoneDaemon)
SRV - [2010/07/02 05:10:26 | 002,533,400 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2010/07/02 05:10:22 | 000,325,656 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2010/03/03 20:16:06 | 000,013,336 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc)
SRV - [2010/01/30 00:40:16 | 001,043,584 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files (x86)\HP\digital imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)
SRV - [2009/06/11 06:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/04/28 14:58:52 | 000,029,184 | ---- | M] () [Auto | Stopped] -- C:\Windows\system32\spool\DRIVERS\x64\3\\lxdnserv.exe -- (lxdnCATSCustConnectService)
SRV - [2007/11/28 19:12:40 | 000,589,824 | ---- | M] ( ) [Auto | Running] -- C:\Windows\SysWOW64\lxdncoms.exe -- (lxdn_device)

========== Driver Services (SafeList) ==========

DRV:*64bit:* - [2014/04/17 06:12:55 | 000,023,168 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\SysNative\drivers\cmderd.sys -- (cmderd)
DRV:*64bit:* - [2013/10/28 18:02:16 | 000,170,712 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bcbtums.sys -- (bcbtums)
DRV:*64bit:* - [2013/10/13 12:19:15 | 000,367,200 | ---- | M] (Acronis) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\afcdp.sys -- (afcdp)
DRV:*64bit:* - [2013/10/13 12:18:59 | 001,462,560 | ---- | M] (Acronis International GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tdrpman.sys -- (tdrpman)
DRV:*64bit:* - [2013/10/13 12:18:44 | 000,183,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tib_mounter.sys -- (tib_mounter)
DRV:*64bit:* - [2013/10/13 12:18:42 | 001,120,032 | ---- | M] (Acronis International GmbH) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tib.sys -- (tib)
DRV:*64bit:* - [2013/10/13 12:18:29 | 000,161,568 | ---- | M] (Acronis International GmbH) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vididr.sys -- (vididr)
DRV:*64bit:* - [2013/10/13 12:18:12 | 000,117,024 | ---- | M] (Acronis International GmbH) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vidsflt.sys -- (vidsflt)
DRV:*64bit:* - [2013/10/13 12:18:04 | 000,233,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\snapman.sys -- (snapman)
DRV:*64bit:* - [2013/10/13 12:17:57 | 000,108,832 | ---- | M] (Acronis International GmbH) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\fltsrv.sys -- (fltsrv)
DRV:*64bit:* - [2013/09/17 15:17:38 | 000,239,320 | ---- | M] (ESET) [File_System | System | Running] -- C:\Windows\SysNative\drivers\eamonm.sys -- (eamonm)
DRV:*64bit:* - [2013/09/17 15:17:38 | 000,168,256 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ehdrv.sys -- (ehdrv)
DRV:*64bit:* - [2013/09/17 15:17:38 | 000,157,432 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\epfwwfpr.sys -- (epfwwfpr)
DRV:*64bit:* - [2013/08/10 20:13:31 | 000,035,520 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tapstrong.sys -- (tapstrong)
DRV:*64bit:* - [2013/08/09 20:02:14 | 000,166,104 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwampfl.sys -- (btwampfl)
DRV:*64bit:* - [2013/07/05 04:00:56 | 011,530,992 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NETwsw00.sys -- (NETwNs64)
DRV:*64bit:* - [2013/05/13 15:36:06 | 000,050,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)
DRV:*64bit:* - [2013/03/25 14:41:46 | 000,076,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d)
DRV:*64bit:* - [2012/12/13 13:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:*64bit:* - [2012/12/09 23:33:41 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:*64bit:* - [2012/12/09 23:33:40 | 000,057,856 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:*64bit:* - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:*64bit:* - [2012/07/20 20:49:00 | 000,036,736 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\tap0901.sys -- (tap0901)
DRV:*64bit:* - [2012/03/01 15:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:*64bit:* - [2011/08/24 06:12:57 | 000,317,440 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud)
DRV:*64bit:* - [2011/07/23 01:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:*64bit:* - [2011/07/13 06:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:*64bit:* - [2011/05/13 03:21:04 | 000,177,640 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadmdm.sys -- (ssadmdm)
DRV:*64bit:* - [2011/05/13 03:21:04 | 000,146,920 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadserd.sys -- (ssadserd)
DRV:*64bit:* - [2011/05/13 03:21:02 | 000,157,672 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadbus.sys -- (ssadbus)
DRV:*64bit:* - [2011/05/13 03:21:02 | 000,036,328 | ---- | M] (Google Inc) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadadb.sys -- (androidusb)
DRV:*64bit:* - [2011/05/13 03:21:02 | 000,016,872 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssadmdfl.sys -- (ssadmdfl)
DRV:*64bit:* - [2011/03/11 15:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:*64bit:* - [2011/03/11 15:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:*64bit:* - [2010/11/20 22:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:*64bit:* - [2010/10/29 16:11:42 | 000,250,984 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RtsUStor.sys -- (RSUSBSTOR)
DRV:*64bit:* - [2010/08/13 01:51:30 | 000,175,168 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\CtClsFlt.sys -- (CtClsFlt)
DRV:*64bit:* - [2010/07/20 22:40:38 | 010,603,904 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:*64bit:* - [2010/05/07 19:44:32 | 000,321,584 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
DRV:*64bit:* - [2010/04/14 01:01:44 | 000,054,824 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btusbflt.sys -- (btusbflt)
DRV:*64bit:* - [2010/03/18 15:21:58 | 007,680,512 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\NETw5s64.sys -- (NETw5s64)
DRV:*64bit:* - [2010/03/04 12:51:40 | 000,540,696 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:*64bit:* - [2010/02/27 22:02:12 | 000,158,976 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)
DRV:*64bit:* - [2010/01/18 16:40:26 | 000,004,608 | ---- | M] (Windows (R) Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rcmirror.sys -- (rcmirror)
DRV:*64bit:* - [2009/12/23 02:18:50 | 000,074,280 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
DRV:*64bit:* - [2009/09/18 05:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64)
DRV:*64bit:* - [2009/07/15 14:56:20 | 000,132,648 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwavdt.sys -- (btwavdt)
DRV:*64bit:* - [2009/07/15 14:56:20 | 000,098,344 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwaudio.sys -- (btwaudio)
DRV:*64bit:* - [2009/07/15 14:56:20 | 000,035,104 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwl2cap.sys -- (btwl2cap)
DRV:*64bit:* - [2009/07/15 14:56:16 | 000,021,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\btwrchid.sys -- (btwrchid)
DRV:*64bit:* - [2009/07/14 10:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:*64bit:* - [2009/07/14 10:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:*64bit:* - [2009/07/14 10:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:*64bit:* - [2009/07/09 18:00:00 | 000,055,280 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:*64bit:* - [2009/06/11 05:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:*64bit:* - [2009/06/11 05:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:*64bit:* - [2009/06/11 05:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:*64bit:* - [2009/06/11 05:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:*64bit:* - [2008/05/06 16:06:00 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wdcsam64.sys -- (WDC_SAM)
DRV:*64bit:* - [2006/11/02 03:51:00 | 000,151,656 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
DRV - [2009/07/14 10:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:*64bit:* - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:*64bit:* - HKLM\..\SearchScopes\{860629A3-1AA9-4E10-B54B-D38AC282143A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com/
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{86D5D4B2-7CCD-4A4F-9995-6762EEFD03A2}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mentalfloss.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co.kr/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGHP_enJP423
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF:*64bit:* - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF:*64bit:* - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.60.2: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.60.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/Lync,version=15.0: C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@palmsource.com/installer,version=1.0: C:\PROGRA~2\Palm\PACKAG~1\NPInstal.dll ()
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.652: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.652: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.647: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\nuance.com/DragonRIAPlugin: C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\npDgnRia.dll (Nuance Communications Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Carl\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\PROGRAM FILES\ESET\ESET NOD32 ANTIVIRUS\MOZILLA THUNDERBIRD [2014/05/04 22:54:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2014/05/26 20:42:47 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\Nuance\NaturallySpeaking12\Program\ffShim.xpi [2012/07/18 21:54:16 | 000,136,026 | ---- | M] ()
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2014/05/04 22:54:37 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2014/07/02 20:31:27 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:*64bit:* - BHO: (Lync Browser Helper) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O2:*64bit:* - BHO: (RoboForm Toolbar Helper) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O2:*64bit:* - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
O2:*64bit:* - BHO: (Microsoft SkyDrive Pro Browser Helper) - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
O2:*64bit:* - BHO: (PrivDog Extension) - {FB16E5C3-A9E2-47A2-8EFC-319E775E62CC} - C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll (AdTrustMedia)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Lync Browser Helper) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll (Microsoft Corporation)
O2 - BHO: (RoboForm Toolbar Helper) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Microsoft SkyDrive Pro Browser Helper) - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\office15\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll File not found
O3:*64bit:* - HKLM\..\Toolbar: (&RoboForm Toolbar) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (&RoboForm Toolbar) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3:*64bit:* - HKCU\..\Toolbar\WebBrowser: (&RoboForm Toolbar) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm Toolbar) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4:*64bit:* - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4:*64bit:* - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cistray.exe (COMODO)
O4:*64bit:* - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4:*64bit:* - HKLM..\Run: [EzPrint] C:\Program Files (x86)\Lexmark 2600 Series\ezprint.exe (Lexmark International Inc.)
O4:*64bit:* - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:*64bit:* - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:*64bit:* - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel(R) Corporation)
O4:*64bit:* - HKLM..\Run: [lxdnmon.exe] C:\Program Files (x86)\Lexmark 2600 Series\lxdnmon.exe ()
O4:*64bit:* - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:*64bit:* - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [AcronisTibMounterMonitor] C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [Aimersoft Helper Compact.exe] C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe (AimerSoft)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [BSDAppUpdater] C:\Program Files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe (Bootstrap Software Development)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [Desktop Disc Tool] C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - HKLM..\Run: [DNS7reminder] C:\Program Files (x86)\Nuance\NaturallySpeaking12\Ereg\Ereg.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [HOfficeViewerUpdate] C:\Program Files (x86)\HNC\HOfficeViewer80\HncUtils\HncViewerChecker.exe (Hancom Inc(HNC).)
O4 - HKLM..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\isuspm.exe (Flexera Software LLC.)
O4 - HKLM..\Run: [SDTray] C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe (Wondershare)
O4 - HKCU..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe (Flexera Software LLC.)
O4 - HKCU..\Run: [RoboForm] C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKCU..\Run: [StrongVPN Client] C:\Program Files (x86)\StrongVPN\StrongDial.exe (Black Oak Computers, Inc.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware)
O4 - Startup: C:\Users\Carl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Password Safe.lnk = C:\Program Files (x86)\Password Safe\pwsafe.exe (SourceForge.net)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9:*64bit:* - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll (Microsoft Corporation)
O9:*64bit:* - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll (Microsoft Corporation)
O9:*64bit:* - Extra Button: PrivDog - {2F5C139F-79BD-4C84-A95A-E7140525BC55} - C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll (AdTrustMedia)
O9:*64bit:* - Extra Button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O9:*64bit:* - Extra 'Tools' menuitem : Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O9:*64bit:* - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:*64bit:* - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:*64bit:* - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:*64bit:* - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:*64bit:* - Extra Button: Show Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:*64bit:* - Extra 'Tools' menuitem : Show RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform-x64.dll (Siber Systems Inc.)
O9:*64bit:* - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:*64bit:* - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:*64bit:* - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9:*64bit:* - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll (Microsoft Corporation)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra Button: Show Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra 'Tools' menuitem : Show RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10:*64bit:* - NameSpace_Catalog5\Catalog_Entries64\000000000010 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000010 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: brs-llc.com ([tess] https in Trusted sites)
O15 - HKCU\..Trusted Domains: google.com ([mail] https in Trusted sites)
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} https://h50203.www5.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB (Hewlett-Packard Online Support Services)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} https://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect118.cab (GMNRev Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 168.126.63.1 168.126.63.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{637AC0A6-E97F-4DD3-BC08-96932D7654D0}: DhcpNameServer = 168.126.63.1 168.126.63.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{71954841-135B-4F40-A9CD-043CD2C0A4F6}: NameServer = 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{722ED704-906C-46A6-8370-CBEB7A9BB0F6}: NameServer = 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7CF4ED4E-F7DF-4E4A-96F1-D2B07E5E91D0}: NameServer = 216.169.129.2 216.169.130.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DFF3FE39-CF32-4E36-94DA-895958524BDA}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{EC9D303B-2D0C-4783-87DA-46DD644894B0}: NameServer = 0.0.0.0
O20:*64bit:* - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:*64bit:* - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:*64bit:* - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll) - C:\Program Files (x86)\Citrix\GoToAssist\615\g2awinlogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20:*64bit:* - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:*64bit:* - HKLM\..comfile [open] -- "%1" %*
O35:*64bit:* - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:*64bit:* - HKLM\...com [@ = ComFile] -- "%1" %*
O37:*64bit:* - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2014/07/02 21:51:41 | 005,185,536 | ---- | C] (AVAST Software) -- C:\Users\Carl\Desktop\aswmbr.exe
[2014/07/02 21:49:38 | 000,000,000 | ---D | C] -- C:\Users\Carl\AppData\Local\CrashDumps
[2014/07/02 21:17:54 | 000,000,000 | ---D | C] -- C:\ProgramData\RogueKiller
[2014/07/02 20:44:35 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2014/07/02 19:08:40 | 000,000,000 | ---D | C] -- C:\username123
[2014/07/01 22:24:11 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2014/07/01 22:24:11 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2014/07/01 22:24:11 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2014/07/01 22:20:08 | 000,000,000 | ---D | C] -- C:\Qoobox
[2014/07/01 22:19:16 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2014/07/01 22:16:40 | 005,212,874 | R--- | C] (Swearware) -- C:\Users\Carl\Desktop\username123.exe
[2014/06/29 14:08:11 | 000,000,000 | ---D | C] -- C:\Users\Carl\AppData\Roaming\IObit
[2014/06/27 21:24:36 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/06/27 21:06:15 | 000,000,000 | ---D | C] -- C:\_OTL
[2014/06/25 22:25:41 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Carl\Desktop\OTL.exe
[2014/06/25 22:16:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2014/06/25 22:16:14 | 000,264,616 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2014/06/25 22:16:04 | 000,175,528 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2014/06/25 22:16:04 | 000,175,528 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2014/06/25 22:16:04 | 000,098,216 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2014/06/25 22:16:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
[2014/06/21 10:41:54 | 000,000,000 | ---D | C] -- C:\Windows\tasks\ImCleanDisabled
[2014/06/21 10:16:20 | 000,000,000 | ---D | C] -- C:\Users\Carl\AppData\Local\Adobe
[2014/06/15 11:01:00 | 000,000,000 | ---D | C] -- C:\FRST
[2014/06/14 08:11:51 | 000,801,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\usp10.dll
[2014/06/14 08:11:44 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msxml6r.dll
[2014/06/14 08:11:44 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msxml6r.dll
[2014/06/14 08:11:44 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msxml3r.dll
[2014/06/14 08:11:44 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msxml3r.dll
[2014/06/14 08:10:37 | 000,069,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2014/06/14 08:10:37 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieetwproxystub.dll
[2014/06/14 08:10:36 | 000,592,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript9diag.dll
[2014/06/14 08:10:33 | 000,048,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwproxystub.dll
[2014/06/14 08:10:33 | 000,038,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\JavaScriptCollectionAgent.dll
[2014/06/14 08:10:33 | 000,032,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
[2014/06/14 08:10:29 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2014/06/14 08:10:28 | 001,964,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2014/06/14 08:10:27 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2014/06/14 08:10:27 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollectorres.dll
[2014/06/14 08:10:26 | 000,631,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2014/06/14 08:10:26 | 000,452,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtmsft.dll
[2014/06/14 08:10:26 | 000,440,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2014/06/14 08:10:26 | 000,111,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieetwcollector.exe
[2014/06/14 08:10:23 | 000,608,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2014/06/14 08:10:23 | 000,066,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2014/06/14 08:10:21 | 002,040,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2014/06/14 08:10:21 | 001,068,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmlmedia.dll
[2014/06/14 08:10:20 | 000,704,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dll
[2014/06/14 08:10:20 | 000,112,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2014/06/14 08:10:18 | 000,164,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msrating.dll
[2014/06/14 08:10:18 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2014/06/14 08:10:17 | 000,574,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2014/06/14 08:10:17 | 000,295,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtrans.dll
[2014/06/14 08:10:14 | 005,782,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2014/06/14 08:10:14 | 001,249,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmlmedia.dll
[2014/06/14 08:10:14 | 000,752,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9diag.dll
[2014/06/14 08:10:14 | 000,139,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2014/06/14 08:10:14 | 000,085,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2014/06/14 08:10:13 | 000,548,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2014/06/14 08:10:12 | 000,846,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dll
[2014/06/14 08:10:12 | 000,195,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msrating.dll
[2014/06/14 08:10:11 | 000,940,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\MsSpellCheckingFacility.exe
[2014/06/12 20:14:23 | 003,178,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rdpcorets.dll
[2014/06/12 20:14:23 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RdpGroupPolicyExtension.dll
[2014/06/12 20:10:32 | 000,506,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aepdu.dll
[2014/06/12 20:10:22 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aeinv.dll
[2014/06/11 19:51:36 | 000,288,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\FWPKCLNT.SYS
[2014/06/07 12:02:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2014/06/07 11:54:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
[2014/06/07 11:54:42 | 000,091,352 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2014/06/07 11:54:42 | 000,063,704 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mwac.sys
[2014/06/07 11:54:42 | 000,025,816 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2014/06/07 11:54:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes Anti-Malware

========== Files - Modified Within 30 Days ==========

[2014/07/04 11:52:30 | 000,165,376 | ---- | M] () -- C:\Users\Carl\Desktop\SystemLook_x64.exe
[2014/07/04 11:48:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/07/04 11:44:01 | 000,000,508 | ---- | M] () -- C:\Windows\tasks\SUPERAntiSpyware Scheduled Task b28be43d-0e44-486f-8b61-f2e15d77c340.job
[2014/07/04 11:22:57 | 000,000,375 | ---- | M] () -- C:\Users\Carl\Desktop\requested-files[2014-07-04_11_22].cab
[2014/07/04 11:21:12 | 000,264,875 | ---- | M] () -- C:\Users\Carl\Desktop\sfp.zip
[2014/07/04 11:21:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA1cf904db8563a05.job
[2014/07/04 08:59:35 | 000,022,464 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/07/04 08:59:35 | 000,022,464 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/07/04 08:52:56 | 000,786,578 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2014/07/04 08:52:56 | 000,665,554 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2014/07/04 08:52:56 | 000,123,330 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2014/07/04 08:44:49 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore1cf904db6bccd55.job
[2014/07/04 08:44:18 | 000,458,752 | ---- | M] () -- C:\Windows\SysNative\Ikeext.etl
[2014/07/04 08:44:12 | 000,000,316 | ---- | M] () -- C:\Windows\tasks\Start Driver Reviver for [email protected](logon).job
[2014/07/04 08:43:39 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/07/04 08:43:19 | 3061,202,944 | -HS- | M] () -- C:\hiberfil.sys
[2014/07/02 23:02:00 | 000,000,512 | ---- | M] () -- C:\Users\Carl\Desktop\MBR.dat
[2014/07/02 21:52:40 | 005,185,536 | ---- | M] (AVAST Software) -- C:\Users\Carl\Desktop\aswmbr.exe
[2014/07/02 21:17:02 | 004,721,240 | ---- | M] () -- C:\Users\Carl\Desktop\RogueKiller.exe
[2014/07/02 20:31:27 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2014/07/02 20:00:00 | 000,000,508 | ---- | M] () -- C:\Windows\tasks\SUPERAntiSpyware Scheduled Task 89d96e21-0900-4f2a-9d96-c2751ce3503a.job
[2014/07/01 23:01:40 | 000,013,645 | ---- | M] () -- C:\Users\Carl\Desktop\Malware Remover adwcleaner - Shortcut.lnk
[2014/07/01 22:16:40 | 005,212,874 | R--- | M] (Swearware) -- C:\Users\Carl\Desktop\username123.exe
[2014/06/29 20:13:56 | 000,003,115 | ---- | M] () -- C:\Users\Carl\AppData\Roaming\SAS7_000.DAT
[2014/06/29 16:25:39 | 000,091,352 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2014/06/29 13:57:00 | 000,001,170 | ---- | M] () -- C:\Users\Public\Desktop\ParetoLogic Privacy Controls.lnk
[2014/06/27 18:29:00 | 001,330,121 | ---- | M] () -- C:\Users\Carl\Desktop\Korean War.pdf
[2014/06/25 22:25:42 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Carl\Desktop\OTL.exe
[2014/06/25 22:15:32 | 000,098,216 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2014/06/25 22:15:26 | 000,264,616 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2014/06/25 22:15:26 | 000,175,528 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2014/06/25 22:15:25 | 000,175,528 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2014/06/25 22:08:06 | 000,000,000 | ---- | M] () -- C:\asc_rdflag
[2014/06/22 20:43:30 | 000,000,132 | ---- | M] () -- C:\Users\Carl\Desktop\TalkToMeInKorean Curriculum Talk To Me In Korean.url
[2014/06/21 10:43:12 | 000,854,390 | ---- | M] () -- C:\Users\Carl\Desktop\SecurityCheck.exe
[2014/06/21 10:12:42 | 000,001,981 | ---- | M] () -- C:\Users\Carl\Documents\Adobe Reader XI.lnk
[2014/06/19 16:53:49 | 000,000,024 | ---- | M] () -- C:\Users\Carl\AppData\Roaming\temp.ini
[2014/06/16 21:24:42 | 000,000,190 | ---- | M] () -- C:\Users\Carl\Desktop\Verbix Languages Verbs-Korean Verb List.url
[2014/06/14 22:56:06 | 000,128,728 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014/06/11 22:31:22 | 000,001,054 | ---- | M] () -- C:\Users\Carl\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Outlook.lnk
[2014/06/08 18:13:05 | 000,506,368 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\aepdu.dll
[2014/06/08 18:08:04 | 000,424,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\aeinv.dll
[2014/06/08 17:15:30 | 000,000,118 | ---- | M] () -- C:\Users\Carl\Desktop\Cats.url
[2014/06/08 15:36:46 | 000,000,824 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2014/06/07 11:54:48 | 000,001,068 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014/06/07 09:33:00 | 000,042,911 | ---- | M] () -- C:\Users\Carl\Desktop\Don't make someone a priority when.....jpg

========== Files Created - No Company Name ==========

[2014/07/04 11:52:30 | 000,165,376 | ---- | C] () -- C:\Users\Carl\Desktop\SystemLook_x64.exe
[2014/07/04 11:22:57 | 000,000,375 | ---- | C] () -- C:\Users\Carl\Desktop\requested-files[2014-07-04_11_22].cab
[2014/07/04 11:21:12 | 000,264,875 | ---- | C] () -- C:\Users\Carl\Desktop\sfp.zip
[2014/07/02 23:02:00 | 000,000,512 | ---- | C] () -- C:\Users\Carl\Desktop\MBR.dat
[2014/07/02 21:17:02 | 004,721,240 | ---- | C] () -- C:\Users\Carl\Desktop\RogueKiller.exe
[2014/07/01 23:01:40 | 000,013,645 | ---- | C] () -- C:\Users\Carl\Desktop\Malware Remover adwcleaner - Shortcut.lnk
[2014/07/01 22:24:11 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2014/07/01 22:24:11 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2014/07/01 22:24:11 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2014/07/01 22:24:11 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2014/07/01 22:24:11 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2014/06/29 13:57:00 | 000,001,170 | ---- | C] () -- C:\Users\Public\Desktop\ParetoLogic Privacy Controls.lnk
[2014/06/27 18:29:00 | 001,330,121 | ---- | C] () -- C:\Users\Carl\Desktop\Korean War.pdf
[2014/06/25 22:08:06 | 000,000,000 | ---- | C] () -- C:\asc_rdflag
[2014/06/25 17:16:09 | 000,000,898 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA1cf904db8563a05.job
[2014/06/25 17:16:06 | 000,000,894 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore1cf904db6bccd55.job
[2014/06/22 20:43:30 | 000,000,132 | ---- | C] () -- C:\Users\Carl\Desktop\TalkToMeInKorean Curriculum Talk To Me In Korean.url
[2014/06/21 10:43:11 | 000,854,390 | ---- | C] () -- C:\Users\Carl\Desktop\SecurityCheck.exe
[2014/06/21 10:18:17 | 000,001,981 | ---- | C] () -- C:\Users\Carl\Documents\Adobe Reader XI.lnk
[2014/06/21 10:12:41 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
[2014/06/19 16:53:49 | 000,000,024 | ---- | C] () -- C:\Users\Carl\AppData\Roaming\temp.ini
[2014/06/16 21:24:42 | 000,000,190 | ---- | C] () -- C:\Users\Carl\Desktop\Verbix Languages Verbs-Korean Verb List.url
[2014/06/08 17:15:30 | 000,000,118 | ---- | C] () -- C:\Users\Carl\Desktop\Cats.url
[2014/06/07 11:54:48 | 000,001,068 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014/06/07 09:33:00 | 000,042,911 | ---- | C] () -- C:\Users\Carl\Desktop\Don't make someone a priority when.....jpg
[2013/12/24 20:54:09 | 000,004,096 | -H-- | C] () -- C:\Users\Carl\AppData\Local\keyfile3.drm
[2013/11/04 19:45:19 | 000,268,968 | ---- | C] () -- C:\Windows\SysWow64\sqlite3.dll
[2013/07/25 20:19:09 | 000,003,358 | -H-- | C] () -- C:\Users\Carl\AppData\Local\cgoicqai.ini
[2013/07/13 21:15:25 | 000,006,834 | ---- | C] () -- C:\Users\Carl\FPC_Print.bat
[2013/04/16 12:54:58 | 000,000,673 | ---- | C] () -- C:\Windows\hpwmdl19.dat.temp
[2012/11/18 11:45:25 | 000,000,191 | ---- | C] () -- C:\Windows\SysWow64\CKUFR.DAT
[2012/08/02 19:50:32 | 000,348,160 | ---- | C] () -- C:\Windows\SysWow64\LXDNinst.dll
[2012/08/02 19:50:31 | 000,364,544 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdninpa.dll
[2012/08/02 19:50:31 | 000,339,968 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdniesc.dll
[2012/08/02 19:50:31 | 000,335,872 | ---- | C] () -- C:\Windows\SysWow64\lxdncomx.dll
[2012/08/02 19:50:30 | 000,843,776 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnusb1.dll
[2012/08/02 19:50:30 | 000,647,168 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnpmui.dll
[2012/08/02 19:50:29 | 001,101,824 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnserv.dll
[2012/08/02 19:50:29 | 000,569,344 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnlmpm.dll
[2012/08/02 19:50:29 | 000,315,392 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnih.exe
[2012/08/02 19:50:29 | 000,053,248 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnprox.dll
[2012/08/02 19:50:28 | 000,851,968 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdncomc.dll
[2012/08/02 19:50:28 | 000,663,552 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdnhbn3.dll
[2012/08/02 19:50:28 | 000,589,824 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdncoms.exe
[2012/08/02 19:50:28 | 000,376,832 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdncomm.dll
[2012/08/02 19:50:28 | 000,360,448 | ---- | C] ( ) -- C:\Windows\SysWow64\lxdncfg.exe
[2012/05/06 05:14:45 | 000,005,632 | ---- | C] () -- C:\Users\Carl\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/26 19:46:40 | 000,000,000 | ---- | C] () -- C:\Users\Carl\AppData\Local\{23DA9B32-6450-4418-B150-8BDE91B56D0B}
[2011/04/28 19:49:02 | 000,000,000 | ---- | C] () -- C:\Users\Carl\AppData\Local\{38E7C93E-FC7A-4959-9865-9A95BA0C8192}
[2011/03/23 11:40:27 | 000,943,104 | ---- | C] () -- C:\Program Files\amis.exe
[2011/03/19 22:12:43 | 000,003,115 | ---- | C] () -- C:\Users\Carl\AppData\Roaming\SAS7_000.DAT

========== ZeroAccess Check ==========

[2009/07/14 13:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/03/25 11:43:12 | 014,175,744 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/03/25 11:09:54 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2012/12/24 23:13:14 | 000,857,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2012/12/24 23:13:14 | 000,636,928 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2012/12/24 23:13:14 | 000,453,120 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== Custom Scans ==========

< type C:\Windows\SysNative\tasks\{0267CD9A-2EE3-4FF8-AB57-1D1DE57B014F} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Users\Carl\Documents\Documents\Med Journal.exe</Command>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{133921E2-2021-4B45-8F53-90BD3987A7B9} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a "C:\Users\Carl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\55WMBKZJ\Install_CopyTrans_Suite[1].exe" -d C:\Users\Carl\Desktop</Arguments>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{153E0C11-AB59-4403-A009-C84D5BC3296D} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a "C:\Users\Carl\Documents\Dragon NaturallySpeaking 12\DNS 12Premium_E Install.exe" -d "C:\Users\Carl\Documents\Dragon NaturallySpeaking 12"</Arguments>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>


----------



## referee07 (Sep 11, 2003)

< type C:\Windows\SysNative\tasks\{271A9AA8-2C75-4F2C-9052-5597FB25E7B5} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Program Files (x86)\Nuance\NaturallySpeaking10\Program\natspeak.exe</Command>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{378D9E73-23D0-42F8-A7D1-645D978E8C33} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a C:\ProgramData\{9EF991A4-ACEE-4CDF-B1E8-EE22A4302DF5}\BYKI4Installer.exe -c REMOVE=TRUE MODIFY=FALSE</Arguments>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{38D3AC7C-20C2-4AE9-BED7-3A45570C6259} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Program Files (x86)\Nuance\NaturallySpeaking10\Program\natspeak.exe</Command>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{5FACD68B-EA69-4640-8738-1A78B7CC7AC8} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a "C:\Users\Carl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6DJMOX98\HijackThis.exe" -d C:\Users\Carl\Desktop</Arguments>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{6ACD8BB2-F9CD-44D0-A4A7-B1E2F26AE0BF} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a "C:\Users\Carl\Documents\Documents\HP Drivers Full Feature.exe" -d C:\Users\Carl\Documents\Documents</Arguments>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{72E857CF-7393-4941-8587-00798EC27D64} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Program Files (x86)\Nuance\NaturallySpeaking10\Program\natspeak.exe</Command>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{7AD110DA-341A-4DBE-BDF3-9AEE42414B7B} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Users\Carl\Documents\Documents\Med Journal.exe</Command>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{80BC2314-73C6-4E2C-B4B4-4F6CBF187835} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Users\Carl\Documents\Documents\Med Journal.exe</Command>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{87807F17-6F61-4AC5-AE01-5BF05D7083C6} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a C:\Users\Carl\Desktop\Itunes_Dup_Remover.exe -d C:\Users\Carl\Desktop</Arguments>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{918D5FBF-014E-4809-BA84-A238F18A392E} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Users\Carl\Documents\Documents\Med Journal.exe</Command>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{A910FFBD-B08A-4594-A1E5-399A702FCC3B} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Program Files (x86)\Nuance\NaturallySpeaking10\Program\natspeak.exe</Command>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{AA77E7F2-D5AC-4C47-8944-1E10CF3A90B9} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a "C:\Users\Carl\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G5MSJCOH\IE8-Setup-Full[1].exe" -d C:\Users\Carl\Desktop</Arguments>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{B3921F06-F64C-4E56-892D-7D6EF43CF2BB} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a C:\Users\Carl\Desktop\FTMWorkshop.exe -d C:\Users\Carl\Desktop</Arguments>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{CDBAFAB3-A304-4EC9-B0A8-9F7CC1FD2609} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a "C:\Users\Carl\Desktop\DNS 12 Premimum - Install.exe" -d C:\Users\Carl\Desktop</Arguments>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{D89F63B8-51E8-4C59-9229-317F503BA789} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Users\Carl\Documents\Documents\Med Journal.exe</Command>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{F64F870B-9E94-4E08-ABE1-BACE1DFA94F1} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a C:\Users\Carl\Desktop\SoftickPPP303-en.exe -d C:\Users\Carl\Desktop</Arguments>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{FB9D8D71-DD85-47B6-A663-FF1E4CA05DAD} /c >
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo />
<Triggers>
<RegistrationTrigger>
<Enabled>true</Enabled>
</RegistrationTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\system32\pcalua.exe</Command>
<Arguments>-a C:\Users\Carl\Downloads\Byki4_Korean_BykiPod2.exe -d C:\Users\Carl\Desktop</Arguments>
</Exec>
</Actions>
<Principals>
<Principal id="Author">
<UserId>DellNotebook\Carl</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

< type C:\Windows\SysNative\tasks\{FC711627-AC4C-4C2E-B888 >

========== Files - Unicode (All) ==========
[2013/02/02 20:39:38 | 000,000,145 | ---- | M] ()(C:\Users\Carl\Desktop\??, sk??? ?? ???? ??? ??? ? ? ????? - ?????, ?????, LPG, SUV, RV, ??, ???????, ???, ????????.url) -- C:\Users\Carl\Desktop\엔카, sk엔카에 찾는 중고차가 없으면 중고카 엔 카 중고자동차 - 중고차매매, 중고차시세, LPG, SUV, RV, 경차, 수입중고차시세, 시승기, 중고차시세표가격.url
[2013/02/02 20:39:38 | 000,000,145 | ---- | C] ()(C:\Users\Carl\Desktop\??, sk??? ?? ???? ??? ??? ? ? ????? - ?????, ?????, LPG, SUV, RV, ??, ???????, ???, ????????.url) -- C:\Users\Carl\Desktop\엔카, sk엔카에 찾는 중고차가 없으면 중고카 엔 카 중고자동차 - 중고차매매, 중고차시세, LPG, SUV, RV, 경차, 수입중고차시세, 시승기, 중고차시세표가격.url

========== Alternate Data Streams ==========

@Alternate Data Stream - 665 bytes -> C:\ProgramData\Temp:5C321E34
@Alternate Data Stream - 234 bytes -> C:\ProgramData\Temp:0FF263E8
@Alternate Data Stream - 167 bytes -> C:\ProgramData\Temp:F35A93AD

< End of report >


----------



## eddie5659 (Mar 19, 2001)

Thanks for the logs 



> The ComboFix icon appeared in the System Tray and wouldn't close by left-clicking on the icon and choosing "close."


That is normal, as ComboFix doesn't allow any easy ways to close the program, as some malware targets ComboFix, as well as other tools.



> I thought I only had the ESET NOD32 running. I thought that COMODO was only the firewall.


Looking at your installed programs, it's only showing the one antivirus. Looks like it may have seen Comodo, and for whatever reason, thought it was antivirus and firewall. It's fine leaving ESET on.

====================

Thank you for all the above. Can you do this with SystemLook? Run as before, but use this code, as I think you may have missed the .dll part of the last file by mistake.


```
:file
C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll
:regfind
pafkmehmkdelemggbhfhgjapmlnhikgh
oaljfaiaepegjnjbecnjoalgpbejho
oaldbhnlbajenibdaggbjkedjdfoll
pajgppcmeiofjeglegmkcdcpdeeadlnn
:findfile
*ALGER.tt2
*BAUHS93.tt2
*HARLOWSI.tt2
*LEELAWAD.tt2
*LEELAWDB.tt2
*MSJH.tt2
*MSJHBD.tt2
*MSUIGHUR.tt2
*MSYH.tt2
*MSYHBD.tt2
*VIVALDII.tt2
```
And post the log as before 

===================

Once we're certain with the above that there are no more entries, we'll run a fix via ComboFix. Then, we'll look for remains etc. Also, can you try *TDSSKiller* again, but disable your antivirus and firewall first.


Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*

===================

Also, you have some strange entries in the logs that are used in the right-click option, but any info on these would be great.

So, can you do this for me. Download *Shexview* to your Desktop.

Extract the files, and then double-click on the *shexview* to start it.

Now, you will see something like this:

Open the window full, click on the *Find* icon, at the top under *Options*

In the box that appears, copy/paste the following and click *Find Next* and it will highlight the line with the values in:

*367E135E-2B2E-A077-3E92-18F772EF5DAA*

Mine is small, as the picture will be massive on the forums

Now, once it's highlighted, click on *File* and then *Save Selected Items* and save it as any name to the same folder as the extracted files, say test1.

Do the same, using Find etc, for this as well:

*74E827C3-21E1-1EAA-EA3C-BF875B2231DD*

Then, copy/paste the contents of both logs here, and close Shexview by pressing the X as normal.

Thanks

eddie


----------



## referee07 (Sep 11, 2003)

eddie5659, thanks again for the reply. I plan to complete the tasks that you requested tomorrow (Friday) evening. Thanks again for the help.


----------



## eddie5659 (Mar 19, 2001)

No worries, Friday just so you know I tend not to be around, and I'm at work most of Saturday, as it's overload with the amount I have

So, I will look as soon as I get home


----------



## referee07 (Sep 11, 2003)

eddie5659, first of all, thanks for the reply and secondly, I hope that you had a good weekend. Please see below for the log of a new SystemLook scan using the above code: 

SystemLook 30.07.11 by jpshortstuff
Log created at 22:55 on 13/07/2014 by Carl
Administrator - Elevation successful

========== file ==========

C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll - File found and opened.
MD5: 6B62FB418DA39A833B0F92E66C51880D
Created at 12:17 on 15/11/2013
Modified at 12:17 on 15/11/2013
Size: 842408 bytes
Attributes: --a----
FileDescription: PrivDog Extension
FileVersion: 1.8.0.15
ProductVersion: 1.8.0.15
OriginalFilename: trustedads.dll
InternalName: trustedads.dll
ProductName: PrivDog Browser Extension
CompanyName: AdTrustMedia
LegalCopyright: Copyright © AdTrustMedia 2012-2013. All rights reserved.

========== regfind ==========

Searching for "pafkmehmkdelemggbhfhgjapmlnhikgh"
No data found.

Searching for "oaljfaiaepegjnjbecnjoalgpbejho"
No data found.

Searching for "oaldbhnlbajenibdaggbjkedjdfoll"
No data found.

Searching for "pajgppcmeiofjeglegmkcdcpdeeadlnn"
No data found.

Invalid Context: findfile

No Context: *ALGER.tt2

No Context: *BAUHS93.tt2

No Context: *HARLOWSI.tt2

No Context: *LEELAWAD.tt2

No Context: *LEELAWDB.tt2

No Context: *MSJH.tt2

No Context: *MSJHBD.tt2

No Context: *MSUIGHUR.tt2

No Context: *MSYH.tt2

No Context: *MSYHBD.tt2

No Context: *VIVALDII.tt2

-= EOF =-
_______________________________________________________________________________________________

The TDSS Killer scan found no threats.


_______________________________________________________________________________________________


----------



## referee07 (Sep 11, 2003)

eddie5659, below are the logs from the ShellExView in the order shown above. Thanks again for the help.

Extension Name : 
Disabled : No
Type : Thumbnail
Description : Package Document Shell Extension Handler
Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
My Computer : No
Desktop : No
Control Panel : No
My Network Places : No
Entire Network : No
Remote Computer : No
Filename : C:\Windows\system32\XPSSHHDR.DLL
CLSID : {44121072-A222-48f2-A58A-6D9AD51EBBE9}
File Created Time : 7/14/2009 9:38:01 AM
CLSID Modified Time: 7/14/2009 1:53:38 PM
Microsoft : Yes
File Extensions : .dwfx, .easmx, .edrwx, .eprtx, .jtx, .xps
File Attributes : A
File Size : 706,560
.NET Extension : No
Digital Signature : 
==================================================

Extension Name : 
Disabled : No
Type : Thumbnail
Description : Package Document Shell Extension Handler
Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
My Computer : No
Desktop : No
Control Panel : No
My Network Places : No
Entire Network : No
Remote Computer : No
Filename : C:\Windows\system32\XPSSHHDR.DLL
CLSID : {44121072-A222-48f2-A58A-6D9AD51EBBE9}
File Created Time : 7/14/2009 9:38:01 AM
CLSID Modified Time: 7/14/2009 1:53:38 PM
Microsoft : Yes
File Extensions : .dwfx, .easmx, .edrwx, .eprtx, .jtx, .xps
File Attributes : A
File Size : 706,560
.NET Extension : No
Digital Signature : 
==================================================


----------
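
As an added example (not part of the thread and not NirSoft's code), here is a small parser for the "Field : Value" records that ShellExView saved in the post above. It flags blank fields and notes when the GUID typed into Find is not the CLSID of the saved record, which is the case for both logs here. The function names and flag labels are made up for illustration, and C:\Windows is assumed to be the Windows directory.

```python
"""Triage records saved with ShellExView's "Save Selected Items" (text format)."""

# Constructed sample: a shortened copy of the record quoted in the post above.
SAMPLE = r"""Extension Name :
Disabled : No
Type : Thumbnail
Description : Package Document Shell Extension Handler
Company : Microsoft Corporation
Filename : C:\Windows\system32\XPSSHHDR.DLL
CLSID : {44121072-A222-48f2-A58A-6D9AD51EBBE9}
CLSID Modified Time: 7/14/2009 1:53:38 PM
Microsoft : Yes
Digital Signature :
==================================================
"""

# Assumption: Windows is installed in the default location.
WINDOWS_DIR = "c:\\windows\\"


def parse_records(text):
    """Split an export into records; each record maps field name -> value."""
    records, current = [], {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and set(stripped) == {"="}:  # "=====" closes a record
            if current:
                records.append(current)
            current = {}
            continue
        # Split on the first colon only, so "C:\..." and times stay intact.
        key, sep, value = line.partition(":")
        if sep and key.strip():
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def norm_clsid(value):
    """Compare GUIDs without braces and without regard to case."""
    return value.strip().strip("{}").upper()


def triage(record, searched_clsid=None):
    """Return illustrative flags for one record; a flag is a question, not a verdict."""
    findings = []
    if not record.get("Extension Name"):
        findings.append("blank-extension-name")
    if not record.get("Digital Signature"):
        findings.append("empty-signature-field")
    filename = record.get("Filename", "").lower()
    if record.get("Microsoft") == "Yes" and not filename.startswith(WINDOWS_DIR):
        findings.append("microsoft-claim-outside-windows-dir")
    if searched_clsid and norm_clsid(searched_clsid) != norm_clsid(record.get("CLSID", "")):
        findings.append("search-term-is-not-record-clsid")
    return findings


def shared_handlers(results):
    """results maps each searched GUID to the export text saved for it.

    Returns {(record CLSID, filename): [searched GUIDs]} for every handler
    that more than one search landed on.
    """
    seen = {}
    for searched, text in results.items():
        for rec in parse_records(text):
            key = (norm_clsid(rec.get("CLSID", "")), rec.get("Filename", "").lower())
            seen.setdefault(key, []).append(searched)
    return {key: hits for key, hits in seen.items() if len(hits) > 1}


if __name__ == "__main__":
    # The two GUIDs the helper asked the user to search for.
    searches = {
        "367E135E-2B2E-A077-3E92-18F772EF5DAA": SAMPLE,
        "74E827C3-21E1-1EAA-EA3C-BF875B2231DD": SAMPLE,
    }
    for guid, text in searches.items():
        for rec in parse_records(text):
            print(guid, "->", rec.get("Filename"), triage(rec, guid))
    print(shared_handlers(searches))
```
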



## eddie5659 (Mar 19, 2001)

Thanks for the logs, I'm just having a detailed look at the two logs you posted from ShellExView.

In the meantime, can you run this fix:

---------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open *notepad* and copy/paste the text in the quotebox below into it:



> Driver::
> LiveUpdate
> LiveUpdateSvc
> Folder::
> ...


Save this as *CFScript.txt*, in the same location as ComboFix.exe

*NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system*










Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *C:\ComboFix.txt* which I will require in your next reply.

=========================

Then, when you've done that, can you re-run SystemLook but with the following code, to see what's left 


```
:filefind
*IObit*.*
*Advanced SystemCare*.*
*Malware Fighter*.*
*Surfing Protection*.*
*ParetoLogic*.*
*gkcefkcdkepgkpbgncjchhbjgoanleod*.*
*Registry Reviver*.*
:folderfind
*IObit*
*Advanced SystemCare*
*Malware Fighter*
*Surfing Protection*
*ParetoLogic*
*gkcefkcdkepgkpbgncjchhbjgoanleod*
*Registry Reviver*
:regfind
IObit
Advanced SystemCare
Malware Fighter
Surfing Protection
ParetoLogic
gkcefkcdkepgkpbgncjchhbjgoanleod
Registry Reviver
```
eddie


----------



## referee07 (Sep 11, 2003)

eddie5659, thanks for the reply. I will get you the logs for ComboFix and SystemLook tomorrow evening.


----------



## eddie5659 (Mar 19, 2001)

Oki doki 

Also, can you use ShellExView again, but this time search for

*XPSSHHDR.DLL*

And save, and copy/paste the logs like you did before. There may be a few but curious what is there.

Thanks again

eddie


----------



## referee07 (Sep 11, 2003)

eddie, I tried your first suggestion above, i.e., dragging and dropping the text into ComboFix, and all seemed to be going well, but the process was taking more than one hour. I left my computer running the process and periodically came back to check on the progress and the last time I checked after moving the mouse and reviving the desktop from the screensaver, I found that all of the icons had disappeared from the desktop. I let this go on for several minutes and then restarted the computer. All appeared well when I did restart the computer, but it's too late tonight to try running ComboFix again; I'll try again tomorrow. I just wanted to let you know what happened. I'll try again tomorrow evening and let you know how it goes. Finally, thanks for your continuing help with this.


----------



## eddie5659 (Mar 19, 2001)

Hi, I've got some details about the other keys I was curious about, so leave the ComboFix for now, as I need to update the fix. Also, I'll just have a look, and see what may have caused the slowness.

Plus, don't worry about the ShellExView bit, can you just run the SystemLook scan instead.

Will reply in a few mins, maybe 30 or so mins with the ComboFix new fix


----------



## eddie5659 (Mar 19, 2001)

Okay, for the Combofix, delete the CFScript.txt you have, and create a new one with the following. Also, make sure any firewall/antivirus are disabled:


*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. 
Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again afterwards before connecting to the Internet.*


```
Folder::
C:\users\Carl\AppData\Roaming\IObit
C:\program files\ReviverSoft
C:\program files (x86)\IObit
File::
C:\Windows\SysNative\tasks\{133921E2-2021-4B45-8F53-90BD3987A7B9}
C:\Windows\SysNative\tasks\{153E0C11-AB59-4403-A009-C84D5BC3296D}
C:\Windows\SysNative\tasks\{271A9AA8-2C75-4F2C-9052-5597FB25E7B5}
C:\Windows\SysNative\tasks\{378D9E73-23D0-42F8-A7D1-645D978E8C33}
C:\Windows\SysNative\tasks\{38D3AC7C-20C2-4AE9-BED7-3A45570C6259}
C:\Windows\SysNative\tasks\{5FACD68B-EA69-4640-8738-1A78B7CC7AC8}
C:\Windows\SysNative\tasks\{72E857CF-7393-4941-8587-00798EC27D64}
C:\Windows\SysNative\tasks\{87807F17-6F61-4AC5-AE01-5BF05D7083C6}
C:\Windows\SysNative\tasks\{A910FFBD-B08A-4594-A1E5-399A702FCC3B}
C:\Windows\SysNative\tasks\{AA77E7F2-D5AC-4C47-8944-1E10CF3A90B9}
C:\Windows\SysNative\tasks\{CDBAFAB3-A304-4EC9-B0A8-9F7CC1FD2609}
C:\Windows\SysNative\tasks\{F64F870B-9E94-4E08-ABE1-BACE1DFA94F1}
C:\Windows\SysNative\tasks\{FB9D8D71-DD85-47B6-A663-FF1E4CA05DAD}
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
RegNull::
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{367E135E-2B2E-A077-3E92-18F772EF5DAA}*]
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{74E827C3-21E1-1EAA-EA3C-BF875B2231DD}*]
```
And drag/drop as you did before. May take a while, but shouldn't take an hour.

eddie


----------



## referee07 (Sep 11, 2003)

eddie, thanks again. I started the ComboFix shown below but then thought that I might not have done something correctly and stopped the process. (At that time it was about 40 minutes into the process and it was down to #48.) I will try again tomorrow (Friday) night and will have plenty of time to let it run. Thanks again for the help.


----------



## referee07 (Sep 11, 2003)

eddie, please see below for the ComboFix log that was created this evening. And, once again, thanks for the help.

ComboFix 14-07-17.03 - Carl 07/18/2014 19:52:00.7.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3893.1103 [GMT 9:00]
Running from: c:\users\Carl\Desktop\username123.exe
Command switches used :: c:\users\Carl\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
FW: COMODO Firewall *Enabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
SP: COMODO Antivirus *Disabled/Outdated* {0C2D2636-923D-EE52-2A83-E643204A8275}
SP: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\tasks\{133921E2-2021-4B45-8F53-90BD3987A7B9}"
"c:\windows\system32\tasks\{153E0C11-AB59-4403-A009-C84D5BC3296D}"
"c:\windows\system32\tasks\{271A9AA8-2C75-4F2C-9052-5597FB25E7B5}"
"c:\windows\system32\tasks\{378D9E73-23D0-42F8-A7D1-645D978E8C33}"
"c:\windows\system32\tasks\{38D3AC7C-20C2-4AE9-BED7-3A45570C6259}"
"c:\windows\system32\tasks\{5FACD68B-EA69-4640-8738-1A78B7CC7AC8}"
"c:\windows\system32\tasks\{72E857CF-7393-4941-8587-00798EC27D64}"
"c:\windows\system32\tasks\{87807F17-6F61-4AC5-AE01-5BF05D7083C6}"
"c:\windows\system32\tasks\{A910FFBD-B08A-4594-A1E5-399A702FCC3B}"
"c:\windows\system32\tasks\{AA77E7F2-D5AC-4C47-8944-1E10CF3A90B9}"
"c:\windows\system32\tasks\{CDBAFAB3-A304-4EC9-B0A8-9F7CC1FD2609}"
"c:\windows\system32\tasks\{F64F870B-9E94-4E08-ABE1-BACE1DFA94F1}"
"c:\windows\system32\tasks\{FB9D8D71-DD85-47B6-A663-FF1E4CA05DAD}"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\IObit\IObit Malware Fighter\adsremoval\IE\Main.ini
c:\program files (x86)\IObit\IObit Malware Fighter\adsremoval\IE\sqlite3.dll
c:\program files (x86)\IObit\IObit Malware Fighter\adsremoval\IE\system.ini
c:\program files (x86)\IObit\IObit Malware Fighter\adsremoval\IE\update\update.spt
c:\program files (x86)\IObit\IObit Malware Fighter\adsremoval\unins000.dat
c:\program files (x86)\IObit\IObit Malware Fighter\adsremoval\unins000.exe
c:\program files (x86)\IObit\IObit Malware Fighter\adsremoval\unins000.msg
c:\program files (x86)\IObit\IObit Malware Fighter\ADSRemovalSetup.exe
c:\program files (x86)\IObit\IObit Malware Fighter\db\coreext.def
c:\program files (x86)\IObit\IObit Malware Fighter\DetectionEx.ini
c:\program files (x86)\IObit\IObit Malware Fighter\History.txt
c:\program files (x86)\IObit\IObit Malware Fighter\IMF_ActionCenterDownloader.exe
c:\program files (x86)\IObit\IObit Malware Fighter\libcurl-4.dll
c:\program files (x86)\IObit\IObit Malware Fighter\license.dat
c:\program files (x86)\IObit\IObit Malware Fighter\log\realtime\realtime_2014-03-06-19-33 .txt
c:\program files (x86)\IObit\IObit Malware Fighter\log\realtime\realtime_2014-03-06-20-13 .txt
c:\program files (x86)\IObit\IObit Malware Fighter\log\realtime\realtime_2014-03-06-20-16 .txt
c:\program files (x86)\IObit\IObit Malware Fighter\log\realtime\realtime_2014-03-06-20-51 .txt
c:\program files (x86)\IObit\IObit Malware Fighter\log\realtime\realtime_2014-03-06-21-34 .txt
c:\program files (x86)\IObit\IObit Malware Fighter\log\scan\scan_2014-03-01-21-37 .txt
c:\program files (x86)\IObit\IObit Malware Fighter\log\scan\scan_2014-03-02-21-51 .txt
c:\program files (x86)\IObit\IObit Malware Fighter\log\scan\scan_2014-03-03-22-06 .txt
c:\program files (x86)\IObit\IObit Malware Fighter\log\scan\scan_2014-03-04-22-23 .txt
c:\program files (x86)\IObit\IObit Malware Fighter\log\scan\scan_2014-03-06-20-36 .txt
c:\program files (x86)\IObit\IObit Malware Fighter\Promote.exe
c:\program files (x86)\IObit\IObit Malware Fighter\Quarantine Zone\info.db
c:\program files (x86)\IObit\IObit Malware Fighter\Quarantine Zone\qhcebikm
c:\program files (x86)\IObit\IObit Malware Fighter\Update\imfpatch.exe
c:\program files (x86)\IObit\IObit Uninstaller\IObitDownloader.exe
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Arabic.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Belarusian.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\ChineseSimp.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\ChineseTrad.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Czech.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Dutch.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\English.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Finnish.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\German.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Hungarian.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Japanese.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Polish.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Portuguese(PT-BR).lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Romanian.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Russian.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Serbian (cyrillic).lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Serbian (latin).lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Slovenian.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Spanish.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Swedish.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Turkish.lng
c:\program files (x86)\IObit\IObit Uninstaller\Lan_LiveUpt\Vietnamese.lng
c:\program files (x86)\IObit\IObit Uninstaller\LiveUpdate.exe
c:\program files (x86)\IObit\IObit Uninstaller\LiveUpdate.log
c:\program files (x86)\IObit\IObit Uninstaller\taskmgr.dll
c:\program files (x86)\IObit\IObit Uninstaller\UninstallExplorer64_1.dll
c:\program files (x86)\IObit\IObit Uninstaller\UninstallExplorer64_2.dll
c:\program files (x86)\IObit\IObit Uninstaller\UninstallExplorer64_3.dll
c:\program files (x86)\IObit\IObit Uninstaller\UninstallExplorer64_4.dll
c:\program files (x86)\IObit\IObit Uninstaller\UninstallPromote_1.exe
c:\program files (x86)\IObit\IObit Uninstaller\UninstallPromote_2.exe
c:\program files (x86)\IObit\LiveUpdate\Language\Arabic.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Belarusian.lng
c:\program files (x86)\IObit\LiveUpdate\Language\ChineseSimp.lng
c:\program files (x86)\IObit\LiveUpdate\Language\ChineseTrad.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Czech.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Danish.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Dinka.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Dutch.lng
c:\program files (x86)\IObit\LiveUpdate\Language\English.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Finnish.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Flemish.lng
c:\program files (x86)\IObit\LiveUpdate\Language\French.lng
c:\program files (x86)\IObit\LiveUpdate\Language\German.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Greek.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Hebrew.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Hungarian.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Indonesia.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Italian.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Japanese.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Korean.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Latvian.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Malayalam.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Polish.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Portuguese(PT-BR).lng
c:\program files (x86)\IObit\LiveUpdate\Language\Portuguese(PT-PT).lng
c:\program files (x86)\IObit\LiveUpdate\Language\Romanian.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Russian.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Serbian (cyrillic).lng
c:\program files (x86)\IObit\LiveUpdate\Language\Serbian (latin).lng
c:\program files (x86)\IObit\LiveUpdate\Language\Slovak.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Slovenian.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Spanish.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Swedish.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Turkish.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Ukrainian.lng
c:\program files (x86)\IObit\LiveUpdate\Language\Vietnamese.lng
c:\program files (x86)\IObit\LiveUpdate\LiveUpdate.log
c:\program files (x86)\IObit\LiveUpdate\LiveUpdate_1.log
c:\program files (x86)\IObit\LiveUpdate\LiveUpdateSrvUpt.log
c:\program files (x86)\IObit\LiveUpdate\ProductStatistics.dll
c:\program files (x86)\IObit\LiveUpdate\ProductStatistics.log
c:\program files (x86)\IObit\LiveUpdate\ProductUpt.log
c:\program files (x86)\IObit\LiveUpdate\system.ini
c:\program files (x86)\IObit\LiveUpdate\update\update.spt
c:\program files (x86)\IObit\Smart Defrag 3\LatestNews\LatestNews.ini
c:\program files (x86)\IObit\Smart Defrag 3\Log\SDBootTime_2014-02-17-07-42-37.log
c:\program files (x86)\IObit\Smart Defrag 3\Log\SDBootTime_2014-02-24-19-26-45.log
c:\program files (x86)\IObit\Smart Defrag 3\Log\SDBootTime_2014-03-01-08-18-07.log
c:\program files (x86)\IObit\Smart Defrag 3\Log\SDBootTime_2014-03-08-08-16-49.log
c:\program files (x86)\IObit\Smart Defrag 3\Log\SDBootTime_2014-03-15-07-19-09.log
c:\program files (x86)\IObit\Smart Defrag 3\Update\LastCheck.Ini
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\ASC_GhromePlugin.crx
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\ASCBrowserProtection.safariextz
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected]\chrome.manifest
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected]\chrome\content\ascsurfingprotection.js
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected]\chrome\content\ascsurfingprotection.xul
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\ascsurfing[email protected]\chrome\content\imagemgr.js
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected]\chrome\content\languagemgr.js
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected]\chrome\content\popbox.css
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected]\chrome\content\protectpage.js
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected]\chrome\content\searchresultmgr.js
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected]\chrome\content\urlbaricon.js
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected]\icon.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected]\install.rdf
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\ASCUrlScanner.dll
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\manifest.json
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\ASCPlugin_Protect.dll
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\background.html
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\background.js
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\Ex.js
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\Img\asc.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\Img\popbox_btn_close.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\Img\popbox_btn_ok.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\Img\risk.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\Img\risk_logo.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\Img\safe.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\Img\safe_logo.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\Img\tip_details.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\Img\window_risk.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\Img\window_safe.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\Img\wraningBg.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\popup.html
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\popup.js
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\tips.js
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\warning.bak
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\warning.js
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\BrowserProtect.oex
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\errorpage.html
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\asc.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\icon_gray.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\ie_risk.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\ie_safe.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\ie_tip_details.gif
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\ie_wraningBg.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\popbox_btn_close.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\popbox_btn_ok.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\risk.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\risk_logo.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\safe.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\safe_logo.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\tip_details.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\window_risk.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\window_safe.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\images\wraningBg.png
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\np_Asc_plugin.dll
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\NPASCSafariPluginProtect.dll
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\Safari_baidu_script.js
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\script.js
c:\program files (x86)\IObit\Surfing Protection\BrowerProtect\SPAD_script.js
c:\program files (x86)\IObit\Surfing Protection\Database\ASCSpecialUrl.db
c:\program files (x86)\IObit\Surfing Protection\Database\base_safe_browse_0429
c:\program files (x86)\IObit\Surfing Protection\Database\base_safe_browse_0603
c:\program files (x86)\IObit\Surfing Protection\Database\base_upt_add
c:\program files (x86)\IObit\Surfing Protection\Database\spupdate.utp
c:\program files (x86)\IObit\Surfing Protection\DownErrorConfig.txt
c:\program files (x86)\IObit\Surfing Protection\Extensions.plist
c:\program files (x86)\IObit\Surfing Protection\Language\Arabic.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Belarusian.lng
c:\program files (x86)\IObit\Surfing Protection\Language\ChineseSimp.lng
c:\program files (x86)\IObit\Surfing Protection\Language\ChineseTrad.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Czech.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Dutch.lng
c:\program files (x86)\IObit\Surfing Protection\Language\English.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Finnish.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Hungarian.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Japanese.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Korean.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Polish.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Portuguese(PT-BR).lng
c:\program files (x86)\IObit\Surfing Protection\Language\Romanian.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Russian.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Serbian (cyrillic).lng
c:\program files (x86)\IObit\Surfing Protection\Language\Serbian (latin).lng
c:\program files (x86)\IObit\Surfing Protection\Language\Slovenian.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Spanish.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Swedish.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Turkish.lng
c:\program files (x86)\IObit\Surfing Protection\Language\Vietnamese.lng
c:\program files (x86)\IObit\Surfing Protection\PluginInstall.exe
c:\program files (x86)\IObit\Surfing Protection\SPInit.log
c:\program files (x86)\IObit\Surfing Protection\SPUpdate.exe
c:\program files (x86)\IObit\Surfing Protection\sqlite3.dll
c:\program files (x86)\IObit\Surfing Protection\unins000.dat
c:\program files (x86)\IObit\Surfing Protection\unins000.exe
c:\program files (x86)\IObit\Surfing Protection\unins000.msg
c:\program files (x86)\IObit\Surfing Protection\Update\Update.ini
c:\windows\system32\tasks\{133921E2-2021-4B45-8F53-90BD3987A7B9}
c:\windows\system32\tasks\{153E0C11-AB59-4403-A009-C84D5BC3296D}
c:\windows\system32\tasks\{271A9AA8-2C75-4F2C-9052-5597FB25E7B5}
c:\windows\system32\tasks\{378D9E73-23D0-42F8-A7D1-645D978E8C33}
c:\windows\system32\tasks\{38D3AC7C-20C2-4AE9-BED7-3A45570C6259}
c:\windows\system32\tasks\{5FACD68B-EA69-4640-8738-1A78B7CC7AC8}
c:\windows\system32\tasks\{72E857CF-7393-4941-8587-00798EC27D64}
c:\windows\system32\tasks\{87807F17-6F61-4AC5-AE01-5BF05D7083C6}
c:\windows\system32\tasks\{A910FFBD-B08A-4594-A1E5-399A702FCC3B}
c:\windows\system32\tasks\{AA77E7F2-D5AC-4C47-8944-1E10CF3A90B9}
c:\windows\system32\tasks\{CDBAFAB3-A304-4EC9-B0A8-9F7CC1FD2609}
c:\windows\system32\tasks\{F64F870B-9E94-4E08-ABE1-BACE1DFA94F1}
c:\windows\system32\tasks\{FB9D8D71-DD85-47B6-A663-FF1E4CA05DAD}
.
.
((((((((((((((((((((((((( Files Created from 2014-06-18 to 2014-07-18 )))))))))))))))))))))))))))))))
.
.
2014-07-18 12:01 . 2014-07-18 12:01	--------	d-----w-	c:\users\Default\AppData\Local\temp
2014-07-15 14:38 . 2014-07-02 03:09	10924376	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{C28D6AB2-1653-4EAC-BD88-74F48F59DD08}\mpengine.dll
2014-07-09 11:32 . 2014-06-19 00:53	48640	----a-w-	c:\program files\Internet Explorer\DiagnosticsHub_is.dll
2014-07-09 11:23 . 2014-06-05 14:45	1460736	----a-w-	c:\windows\system32\lsasrv.dll
2014-07-09 11:23 . 2014-06-05 14:26	22016	----a-w-	c:\windows\SysWow64\secur32.dll
2014-07-09 11:23 . 2014-06-05 14:25	96768	----a-w-	c:\windows\SysWow64\sspicli.dll
2014-07-06 07:52 . 2014-07-06 07:52	--------	d-----w-	c:\users\Carl\AppData\Roaming\ParetoLogic
2014-07-06 07:52 . 2014-07-06 07:52	--------	d-----w-	c:\program files (x86)\Common Files\ParetoLogic
2014-07-06 07:52 . 2014-07-06 07:52	--------	d-----w-	c:\programdata\ParetoLogic
2014-07-06 07:52 . 2014-07-06 07:52	--------	d-----w-	c:\program files (x86)\ParetoLogic
2014-07-02 12:49 . 2014-07-13 09:37	--------	d-----w-	c:\users\Carl\AppData\Local\CrashDumps
2014-07-02 12:17 . 2014-07-02 12:18	--------	d-----w-	c:\programdata\RogueKiller
2014-07-02 10:08 . 2014-07-02 11:44	--------	d-----w-	C:\username123
2014-06-27 12:24 . 2014-07-01 12:58	--------	d-----w-	C:\AdwCleaner
2014-06-27 12:06 . 2014-06-27 12:06	--------	d-----w-	C:\_OTL
2014-06-25 13:16 . 2014-06-25 13:16	--------	d-----w-	c:\program files (x86)\Common Files\Java
2014-06-25 13:16 . 2014-06-25 13:15	98216	----a-w-	c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-06-21 01:16 . 2014-06-21 01:16	--------	d-----w-	c:\users\Carl\AppData\Local\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-09 13:50 . 2011-03-19 11:28	96441528	----a-w-	c:\windows\system32\MRT.exe
2014-07-09 13:48 . 2013-05-11 13:29	699056	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2014-07-09 13:48 . 2013-05-11 13:29	71344	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-06-29 07:25 . 2014-06-07 02:54	91352	----a-w-	c:\windows\system32\drivers\mbamchameleon.sys
2014-06-14 13:56 . 2014-05-04 00:31	128728	----a-w-	c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-06-03 08:41 . 2014-05-24 02:42	589008	----a-w-	c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-05-29 11:03 . 2014-04-27 04:36	48392	----a-w-	c:\windows\SysWow64\certsentry.dll
2014-05-29 11:03 . 2014-02-01 14:03	57096	----a-w-	c:\windows\system32\certsentry.dll
2014-05-16 02:07 . 2014-05-16 02:07	829264	----a-w-	c:\windows\system32\msvcr100.dll
2014-05-16 02:07 . 2014-05-16 02:07	608080	----a-w-	c:\windows\system32\msvcp100.dll
2014-05-16 00:39 . 2014-05-16 00:39	773968	----a-w-	c:\windows\SysWow64\msvcr100.dll
2014-05-16 00:39 . 2014-05-16 00:39	421200	----a-w-	c:\windows\SysWow64\msvcp100.dll
2014-05-11 22:26 . 2014-06-07 02:54	63704	----a-w-	c:\windows\system32\drivers\mwac.sys
2014-05-11 22:25 . 2014-06-07 02:54	25816	----a-w-	c:\windows\system32\drivers\mbam.sys
2014-05-08 09:32 . 2014-06-12 11:14	3178496	----a-w-	c:\windows\system32\rdpcorets.dll
2014-05-08 09:32 . 2014-06-12 11:14	16384	----a-w-	c:\windows\system32\RdpGroupPolicyExtension.dll
2014-04-25 02:34 . 2014-06-13 23:11	801280	----a-w-	c:\windows\system32\usp10.dll
2014-04-25 02:06 . 2014-06-13 23:11	626688	----a-w-	c:\windows\SysWow64\usp10.dll
2009-07-06 01:43 . 2011-03-23 02:40	943104	----a-w-	c:\program files\amis.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-06-10 08:39	1730264	----a-w-	c:\program files\Microsoft Office 15\root\office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-06-10 08:39	1730264	----a-w-	c:\program files\Microsoft Office 15\root\office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-06-10 08:39	1730264	----a-w-	c:\program files\Microsoft Office 15\root\office15\grooveex.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2014-06-12 6564120]
"StrongVPN Client"="c:\program files (x86)\StrongVPN\StrongDial.exe" [2014-07-18 1666544]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2011-10-12 2068856]
"RoboForm"="c:\program files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2014-07-04 109784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files (x86)\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-12 43848]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-04-30 421888]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-05-16 3830224]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2013-03-27 6365920]
"AcronisTibMounterMonitor"="c:\program files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe" [2013-01-10 1103424]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\\isuspm.exe" [2011-10-12 2068856]
"DNS7reminder"="c:\program files (x86)\Nuance\NaturallySpeaking12\Ereg\Ereg.exe" [2010-10-27 328992]
"Wondershare Helper Compact.exe"="c:\program files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2013-07-25 1985824]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2011-05-28 273544]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-05-26 152392]
"HOfficeViewerUpdate"="c:\program files (x86)\HNC\HOfficeViewer80\HncUtils\HncViewerChecker.exe" [2012-06-18 1920360]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2010-08-20 487562]
"BSDAppUpdater"="c:\program files (x86)\Common Files\BSD\AppUpdater\BSDChecker.exe" [2010-11-23 1660232]
"Aimersoft Helper Compact.exe"="c:\program files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe" [2012-02-20 1666560]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-05-07 256896]
.
c:\users\Carl\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Password Safe.lnk - c:\program files (x86)\Password Safe\pwsafe.exe -s [2014-2-7 4425728]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-1 1079584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0010412]
IME File	REG_SZ imkr80.ime
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxdnserv.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\\lxdnserv.exe [x]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys;c:\windows\SYSNATIVE\Drivers\ssadadb.sys [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys;c:\windows\SYSNATIVE\drivers\btusbflt.sys [x]
R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x]
R3 rcmirror;rcmirror;c:\windows\system32\DRIVERS\rcmirror.sys;c:\windows\SYSNATIVE\DRIVERS\rcmirror.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdm.sys [x]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys;c:\windows\SYSNATIVE\DRIVERS\ssadserd.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\DRIVERS\fltsrv.sys;c:\windows\SYSNATIVE\DRIVERS\fltsrv.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 tib;Acronis TIB Manager;c:\windows\system32\DRIVERS\tib.sys;c:\windows\SYSNATIVE\DRIVERS\tib.sys [x]
S0 tib_mounter;Acronis TIB Mounter;c:\windows\system32\DRIVERS\tib_mounter.sys;c:\windows\SYSNATIVE\DRIVERS\tib_mounter.sys [x]
S0 vididr;Acronis Virtual Disk;c:\windows\system32\DRIVERS\vididr.sys;c:\windows\SYSNATIVE\DRIVERS\vididr.sys [x]
S0 vidsflt;Acronis Disk Storage Filter;c:\windows\system32\DRIVERS\vidsflt.sys;c:\windows\SYSNATIVE\DRIVERS\vidsflt.sys [x]
S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys;c:\windows\SYSNATIVE\DRIVERS\cmderd.sys [x]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys;c:\windows\SYSNATIVE\DRIVERS\cmdguard.sys [x]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys;c:\windows\SYSNATIVE\DRIVERS\cmdhlp.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
S2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [x]
S2 BcmBtRSupport;Bluetooth Driver Management Service;c:\windows\system32\BtwRSupportService.exe;c:\windows\SYSNATIVE\BtwRSupportService.exe [x]
S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
S2 DragonSvc;Dragon Service;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe;c:\program files (x86)\Common Files\Nuance\dgnsvc.exe [x]
S2 DragonUpdater;COMODO Dragon Update Service;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe;c:\program files (x86)\Comodo\Dragon\dragon_updater.exe [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfpr.sys [x]
S2 GsServer;GoodSync Server;c:\program files\Siber Systems\GoodSync\Gs-Server.exe;c:\program files\Siber Systems\GoodSync\Gs-Server.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe;c:\windows\SYSNATIVE\lxdncoms.exe [x]
S2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe;c:\program files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe [x]
S2 StrongVPN Service;StrongVPN Service;c:\program files (x86)\StrongVPN\StrongService.exe;c:\program files (x86)\StrongVPN\StrongService.exe [x]
S2 syncagentsrv;Acronis Sync Agent Service;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [x]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys;c:\windows\SYSNATIVE\DRIVERS\afcdp.sys [x]
S3 bcbtums;Bluetooth USB LD Filter;c:\windows\system32\drivers\bcbtums.sys;c:\windows\SYSNATIVE\drivers\bcbtums.sys [x]
S3 btwampfl;btwampfl;c:\windows\system32\DRIVERS\btwampfl.sys;c:\windows\SYSNATIVE\DRIVERS\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
S3 tapstrong;StrongVPN Adapter;c:\windows\system32\DRIVERS\tapstrong.sys;c:\windows\SYSNATIVE\DRIVERS\tapstrong.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt	REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-11 13:49]
.
2014-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cf904db6bccd55.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 10:10]
.
2014-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cf904db8563a05.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-19 10:10]
.
2014-07-07 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\windows\system32\rundll32.exe [2009-07-13 01:14]
.
2014-07-07 c:\windows\Tasks\Privacy Controls_{6ACBB9C3-04E2-11E4-AFB1-F04DA267B03D}.job
- c:\program files (x86)\ParetoLogic\Privacy Controls\Pareto_PC.exe [2013-05-23 21:53]
.
2014-07-18 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 89d96e21-0900-4f2a-9d96-c2751ce3503a.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
2014-07-18 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task b28be43d-0e44-486f-8b61-f2e15d77c340.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2011-05-04 17:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB16E5C3-A9E2-47A2-8EFC-319E775E62CC}]
2013-11-15 12:17	842408	----a-w-	c:\program files\AdTrustMedia\PrivDog\1.8.0.15\trustedads.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-06-10 10:07	2335960	----a-w-	c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-06-10 10:07	2335960	----a-w-	c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-06-10 10:07	2335960	----a-w-	c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncError]
@="{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}"
[HKEY_CLASSES_ROOT\CLSID\{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}]
2013-03-27 13:37	2818800	----a-w-	c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncInProgress]
@="{00F848DC-B1D4-4892-9C25-CAADC86A215D}"
[HKEY_CLASSES_ROOT\CLSID\{00F848DC-B1D4-4892-9C25-CAADC86A215D}]
2013-03-27 13:37	2818800	----a-w-	c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncOk]
@="{71573297-552E-46fc-BE3D-3DFAF88D47B7}"
[HKEY_CLASSES_ROOT\CLSID\{71573297-552E-46fc-BE3D-3DFAF88D47B7}]
2013-03-27 13:37	2818800	----a-w-	c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2013-07-23 13632216]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 415256]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-03-05 1928976]
"EzPrint"="c:\program files (x86)\Lexmark 2600 Series\ezprint.exe" [2010-02-04 107176]
"Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2013-02-15 516928]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2014-03-25 1275608]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2013-09-12 5618456]
"lxdnmon.exe"="c:\program files (x86)\Lexmark 2600 Series\lxdnmon.exe" [2010-02-04 660136]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mentalfloss.com/
mDefault_Search_URL = hxxp://www.google.com/
mSearch Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:21320
uSearchAssistant = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/
IE: Customize Menu - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComFillForms.html
IE: Save Forms - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComSavePass.html
IE: Show RoboForm Toolbar - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComShowToolbar.html
Trusted Zone: brs-llc.com\tess
TCP: DhcpNameServer = 168.126.63.1 168.126.63.2
TCP: Interfaces\{71954841-135B-4F40-A9CD-043CD2C0A4F6}: NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{722ED704-906C-46A6-8370-CBEB7A9BB0F6}: NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{7CF4ED4E-F7DF-4E4A-96F1-D2B07E5E91D0}: NameServer = 216.169.129.2 216.169.130.2
TCP: Interfaces\{DFF3FE39-CF32-4E36-94DA-895958524BDA}: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{DFF3FE39-CF32-4E36-94DA-895958524BDA}\C4740255B20273131313: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{DFF3FE39-CF32-4E36-94DA-895958524BDA}\C4740255B273130343: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{EC9D303B-2D0C-4783-87DA-46DD644894B0}: NameServer = 0.0.0.0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-IObit Surfing Protection_is1 - c:\program files (x86)\IObit\Surfing Protection\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\COMODO\CIS\Installer\Sym_Cam\CIS]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
"Key"="ActionsPane3"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0\Solutions\http://schemas.microsoft.com/office/smartdocuments/2003\0]
"Key"="http://schemas.microsoft.com/office/smartdocuments/2003"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0\Solutions\http://schemas.microsoft.com/office/smartdocuments/2003\0\{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}\Alias]
"0"="Microsoft Actions Pane 3"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\cmdAgent\Mode\Configurations]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,59,00,53,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\cmdAgent\Mode\Data]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\cmdAgent\Mode\Options]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\Software\COMODO\Cam]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\Software\COMODO\Firewall Pro]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,59,00,53,00,\
.
Completion time: 2014-07-18 21:10:49
ComboFix-quarantined-files.txt 2014-07-18 12:10
ComboFix2.txt 2014-07-02 11:44
.
Pre-Run: 196,858,347,520 bytes free
Post-Run: 196,497,944,576 bytes free
.
- - End Of File - - 19508505936FACA23FED700210CB1C55


----------



## referee07 (Sep 11, 2003)

eddie, I ran ShellExView again using "*XPSSHHDR.DLL*." Please see below for the log from this run:

==================================================
Extension Name : 
Disabled : No
Type : Thumbnail
Description : Package Document Shell Extension Handler
Version : 6.1.7600.16385 (win7_rtm.090713-1255)
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
My Computer : No
Desktop : No
Control Panel : No
My Network Places : No
Entire Network : No
Remote Computer : No
Filename : C:\Windows\system32\XPSSHHDR.DLL
CLSID : {44121072-A222-48f2-A58A-6D9AD51EBBE9}
File Created Time : 7/14/2009 9:38:01 AM
CLSID Modified Time: 7/14/2009 1:53:38 PM
Microsoft : Yes
File Extensions : .dwfx, .easmx, .edrwx, .eprtx, .jtx, .xps
File Attributes : A
File Size : 706,560
.NET Extension : No
Digital Signature : 
==================================================


----------



## referee07 (Sep 11, 2003)

eddie, I posted a thread this morning about an Internet issue my computer seems to be having, and a member replied suggesting that I restore my computer. I replied that you are helping me with a possible malware problem and wanted to check with you before I restored my computer. (Please see below.) Should I restore my computer now and will that undo what has been done thus far? Thanks again.

plodr, thanks for the reply. My computer is using Windows 7 Home Premium and Internet Explorer 11. I haven't tried restoring. I think that all of this started happening two or three days ago. Right now another TechGuy.com member is helping me with a possible malware problem and I don't want to undo what he has instructed me to do. I'll check with him before trying the restore. Thanks again for your reply.


----------



## eddie5659 (Mar 19, 2001)

Just had a look, and what Terry suggests is a good thing. He's very good at networking etc, and is also a Moderator like me, so he knows who I am 

I'll reply to the thread in a minute, but looking at the ComboFix log, it looks like a lot was removed. Did these issues start happening after you ran the Combofix fix? Just curious, as what can help one person may sometimes not help another. If it did, the only things we removed were the Iobit stuff, and tasks which were redundant.

I'll reply in a min with the next stuff to do, as I feel we're moving along quite well. Just let me know about the IE stuff


----------



## eddie5659 (Mar 19, 2001)

Do you use a Proxy? If not, we'll remove the entries, but just thought I'd double-check first. It's not a problem, just prefer to ask before I remove anything.

----------------

Can you re-run SystemLook but with the following code, to see what's left


```
:filefind
*IObit*.*
*Advanced SystemCare*.*
*Malware Fighter*.*
*Surfing Protection*.*
*ParetoLogic*.*
*gkcefkcdkepgkpbgncjchhbjgoanleod*.*
*Registry Reviver*.*
:folderfind
*IObit*
*Advanced SystemCare*
*Malware Fighter*
*Surfing Protection*
*ParetoLogic*
*gkcefkcdkepgkpbgncjchhbjgoanleod*
*Registry Reviver*
:reg
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{367E135E-2B2E-A077-3E92-18F772EF5DAA}] /sub
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{74E827C3-21E1-1EAA-EA3C-BF875B2231DD}] /sub
:regfind
IObit
Advanced SystemCare
Malware Fighter
Surfing Protection
ParetoLogic
gkcefkcdkepgkpbgncjchhbjgoanleod
Registry Reviver
```
--------------------

For the internet issues, which email provider are you using, as it may be a setting that is stopping you from clicking on the links? Does Youtube work okay?

eddie


----------



## referee07 (Sep 11, 2003)

eddie, thanks for the reply. Regarding the IE issues, I got confused regarding the problems that my two computers are having. :~) I recently purchased a Gateway LT40 mini computer for traveling, and this is the computer with the IE problems. And, I am using a Dell laptop computer for my "desktop" (home) computer, and this is the computer with the possible malware problem. Regarding your post above, I do use a VPN; would this be considered a proxy? (I didn't run SystemLook with the above code because I wasn't sure if the VPN would be considered a proxy.) Upon receiving your reply, I'll run SystemLook with the above code if you indicate that is what I should do. Thanks again for all of your help.


----------



## eddie5659 (Mar 19, 2001)

Ah, so it's a different computer. Then carry on with the other thread, as it shouldn't conflict with this one

The VPN may be showing as a proxy, as it's basically a secure network. That's fine, I'll leave them be. It's just there are some infections that install proxies, to divert you to a different country. But this does look legit on yours, and as far as I know, you're not having any redirects.

Regarding the SystemLook, it's not going to delete anything, it's just a looking tool. Plus, nothing in there is about the proxies, so it's okay to run it

eddie


----------



## referee07 (Sep 11, 2003)

eddie, thanks again for the reply and the help. Below is the first part of the SystemLook Log. I'll send the rest in the next post.

SystemLook 30.07.11 by jpshortstuff
Log created at 21:24 on 22/07/2014 by Carl
Administrator - Elevation successful

========== filefind ==========

Searching for "*IObit*.*"
C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\magpie_IObitDel.dll	--a---- 244904 bytes	[12:17 15/11/2013]	[12:17 15/11/2013] 05C4B42E3FD00AE28C180F103262A72D
C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\mfc100u_IObitDel.dll	--a---- 4368720 bytes	[14:56 13/11/2013]	[14:56 13/11/2013] F841F32AD816DBF130F10D86FAB99B1A
C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\msvcp100_IObitDel.dll	--a---- 421200 bytes	[14:56 13/11/2013]	[14:56 13/11/2013] 03E9314004F504A14A61C3D364B62F66
C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\msvcr100_IObitDel.dll	--a---- 770384 bytes	[14:56 13/11/2013]	[14:56 13/11/2013] 67EC459E42D3081DD8FD34356F7CAFC1
C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\scriptservice_IObitDel.dll	--a---- 114344 bytes	[12:17 15/11/2013]	[12:17 15/11/2013] 4641AA83DFF7D56239E506DDB2A559DF
C:\Program Files (x86)\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc_IObitDel.exe	--a---- 525480 bytes	[12:17 15/11/2013]	[12:17 15/11/2013] 0E356FD8A5B53CACF33C9E51365CE4FC
C:\ProgramData\IObit\ASCDownloader\IObit Malware Fighter Pro.exe	--a---- 18110448 bytes	[13:47 19/04/2013]	[13:48 19/04/2013] AE9F6DD240764F6AF28380704C09116D
C:\ProgramData\IObit\ASCDownloader\IObit Malware Fighter Pro.exe.dat	--a---- 687 bytes	[13:48 19/04/2013]	[13:48 19/04/2013] 55FEF7156A05D9744B40F2ED68F5B740
C:\ProgramData\IObit\ASCDownloader\IObit Malware Fighter.exe	--a---- 18110448 bytes	[13:47 19/04/2013]	[13:47 19/04/2013] AE9F6DD240764F6AF28380704C09116D
C:\ProgramData\IObit\ASCDownloader\IObit Malware Fighter.exe.dat	--a---- 687 bytes	[13:47 19/04/2013]	[13:47 19/04/2013] 55FEF7156A05D9744B40F2ED68F5B740
C:\Qoobox\Quarantine\C\Program Files (x86)\IObit\IObit Uninstaller\IObitDownloader.exe.vir	--a---- 2267968 bytes	[01:25 17/05/2014]	[01:25 17/05/2014] E31B1FD6DCA81D6C8584E44A433602B7
C:\Users\All Users\IObit\ASCDownloader\IObit Malware Fighter Pro.exe	--a---- 18110448 bytes	[13:47 19/04/2013]	[13:48 19/04/2013] AE9F6DD240764F6AF28380704C09116D
C:\Users\All Users\IObit\ASCDownloader\IObit Malware Fighter Pro.exe.dat	--a---- 687 bytes	[13:48 19/04/2013]	[13:48 19/04/2013] 55FEF7156A05D9744B40F2ED68F5B740
C:\Users\All Users\IObit\ASCDownloader\IObit Malware Fighter.exe	--a---- 18110448 bytes	[13:47 19/04/2013]	[13:47 19/04/2013] AE9F6DD240764F6AF28380704C09116D
C:\Users\All Users\IObit\ASCDownloader\IObit Malware Fighter.exe.dat	--a---- 687 bytes	[13:47 19/04/2013]	[13:47 19/04/2013] 55FEF7156A05D9744B40F2ED68F5B740
C:\Users\Carl\ntuser.dat.iobit	--a---- 14233600 bytes	[12:03 19/10/2013]	[12:17 25/06/2014] 62803F5B83666FEB0BC60C4E4971ECD0
C:\Users\Carl\AppData\Local\Microsoft\Windows\UsrClass.dat.iobit	--a---- 4153344 bytes	[12:03 19/10/2013]	[12:17 25/06/2014] F9C1206AFEE25DE1565AC6940DADDB0F
C:\Users\Carl\AppData\LocalLow\Siber Systems\RoboForm\UserData\Iobit Find Phone.rfp	--a---- 1878 bytes	[10:33 26/01/2014]	[10:33 26/01/2014] FDE2A34C66FA4CAE293A9B5200FFB11B
C:\Users\Carl\AppData\LocalLow\Siber Systems\RoboForm\UserData\IObit.rfp	--a---- 7453 bytes	[12:25 21/05/2014]	[12:25 21/05/2014] C8405A58687C81829DCC83FD08DD8A8F
C:\Users\Carl\Desktop\Iobit Find Phone.url	--a---- 165 bytes	[10:33 26/01/2014]	[10:33 26/01/2014] E43333C098D3124D185FCD5E11337EDE
C:\Users\Carl\Documents\My RoboForm Data\Default Profile\Iobit Find Phone.rfp	--a---- 1878 bytes	[10:33 26/01/2014]	[10:33 26/01/2014] FDE2A34C66FA4CAE293A9B5200FFB11B
C:\Users\Carl\Documents\My RoboForm Data\Default Profile\IObit.rfp	--a---- 7453 bytes	[12:25 21/05/2014]	[12:25 21/05/2014] C8405A58687C81829DCC83FD08DD8A8F
C:\Users\Carl\Favorites\Download IObit Freeware.url	--a---- 103 bytes	[01:56 11/11/2011]	[11:42 19/07/2014] 1CC05D805C3A8DF2CFAE8C93767B051C
C:\Windows\Prefetch\IOBITUNINSTALLER.EXE-728B15E6.pf	--a---- 56512 bytes	[09:01 20/07/2014]	[09:01 20/07/2014] FE54C3C4A724A99D7F792DD62D6E3F16
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.iobit	--a---- 245760 bytes	[12:03 19/10/2013]	[12:17 25/06/2014] A357BCFEE83D03822D37A1CC10CB00B4
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.iobit	--a---- 450560 bytes	[12:03 19/10/2013]	[12:17 25/06/2014] C300087F4633854F46088906329077D4
C:\Windows\System32\IObitSmartDefragExtension.dll	--a---- 121856 bytes	[12:38 21/01/2014]	[06:54 08/01/2014] 6A6E91C06ACDBE1D85A4EC469BBB8EBB
C:\Windows\System32\config\components.iobit	--a---- 32292864 bytes	[06:49 31/08/2013]	[06:49 31/08/2013] 277D60461DE0B9F5F26FEA63685AAB34
C:\Windows\System32\config\default.iobit	--a---- 5615616 bytes	[12:03 19/10/2013]	[12:03 19/10/2013] 87DB12F0A9E948D48509F92FB44E8816
C:\Windows\System32\config\sam.iobit	--a---- 94208 bytes	[12:03 19/10/2013]	[12:03 19/10/2013] BD09352F66E870A39C90628311C02276
C:\Windows\System32\config\security.iobit	--a---- 811008 bytes	[12:03 19/10/2013]	[12:03 19/10/2013] 696F0E83D4EAF769348E29FE210C76FC
C:\Windows\System32\config\software.iobit	--a---- 107335680 bytes	[12:03 19/10/2013]	[12:03 19/10/2013] FA0C0D74E8C919218E572B132214C4D9
C:\Windows\System32\SMI\Store\Machine\schema.dat.iobit	--a---- 10928128 bytes	[12:11 29/06/2012]	[12:11 29/06/2012] 13B85573CB42734BD223CEAC69ED3F36

Searching for "*Advanced SystemCare*.*"
No files found.

Searching for "*Malware Fighter*.*"
C:\ProgramData\IObit\ASCDownloader\IObit Malware Fighter Pro.exe	--a---- 18110448 bytes	[13:47 19/04/2013]	[13:48 19/04/2013] AE9F6DD240764F6AF28380704C09116D
C:\ProgramData\IObit\ASCDownloader\IObit Malware Fighter Pro.exe.dat	--a---- 687 bytes	[13:48 19/04/2013]	[13:48 19/04/2013] 55FEF7156A05D9744B40F2ED68F5B740
C:\ProgramData\IObit\ASCDownloader\IObit Malware Fighter.exe	--a---- 18110448 bytes	[13:47 19/04/2013]	[13:47 19/04/2013] AE9F6DD240764F6AF28380704C09116D
C:\ProgramData\IObit\ASCDownloader\IObit Malware Fighter.exe.dat	--a---- 687 bytes	[13:47 19/04/2013]	[13:47 19/04/2013] 55FEF7156A05D9744B40F2ED68F5B740
C:\Users\All Users\IObit\ASCDownloader\IObit Malware Fighter Pro.exe	--a---- 18110448 bytes	[13:47 19/04/2013]	[13:48 19/04/2013] AE9F6DD240764F6AF28380704C09116D
C:\Users\All Users\IObit\ASCDownloader\IObit Malware Fighter Pro.exe.dat	--a---- 687 bytes	[13:48 19/04/2013]	[13:48 19/04/2013] 55FEF7156A05D9744B40F2ED68F5B740
C:\Users\All Users\IObit\ASCDownloader\IObit Malware Fighter.exe	--a---- 18110448 bytes	[13:47 19/04/2013]	[13:47 19/04/2013] AE9F6DD240764F6AF28380704C09116D
C:\Users\All Users\IObit\ASCDownloader\IObit Malware Fighter.exe.dat	--a---- 687 bytes	[13:47 19/04/2013]	[13:47 19/04/2013] 55FEF7156A05D9744B40F2ED68F5B740

Searching for "*Surfing Protection*.*"
No files found.

Searching for "*ParetoLogic*.*"
C:\AdwCleaner\Quarantine\C\ProgramData\Microsoft\Windows\Start Menu\Programs\ParetoLogic\ParetoLogic Privacy Controls\Launch ParetoLogic Privacy Controls.lnk.vir	--a---- 1210 bytes	[07:57 30/06/2013]	[04:57 29/06/2014] EFD20BC925FFF50DC5A3FBBB40B3436B
C:\AdwCleaner\Quarantine\C\Windows\System32\Tasks\paretologic registration3.vir	--a---- 3128 bytes	[07:57 30/06/2013]	[04:57 29/06/2014] 19389D99C503620AC54861A2D8E77316
C:\AdwCleaner\Quarantine\C\Windows\Tasks\paretologic registration3.job.vir	--a---- 466 bytes	[07:57 30/06/2013]	[09:00 01/07/2014] 16ED1C9A273410ADEDC8C4958D5051F8
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ParetoLogic\ParetoLogic Privacy Controls\Launch ParetoLogic Privacy Controls.lnk	--a---- 1210 bytes	[07:52 06/07/2014]	[07:52 06/07/2014] E9E4876B22260DD3F8C24642B954AB17
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\ParetoLogic\ParetoLogic Privacy Controls\Launch ParetoLogic Privacy Controls.lnk	--a---- 1210 bytes	[07:52 06/07/2014]	[07:52 06/07/2014] E9E4876B22260DD3F8C24642B954AB17
C:\Users\Carl\Documents\Documents\ParetoLogic - Buy - Thank You for Registering.url	--a---- 191 bytes	[11:03 22/03/2011]	[02:50 20/03/2011] CE50737540A7E72C860AFA0981EBD7F9
C:\Users\Carl\Documents\Documents\ParetoLogic Unregister Program.exe	--a---- 352256 bytes	[13:13 22/03/2011]	[22:18 30/05/2010] 61F5167FFD767446567DCC20B8F3AF2B
C:\Users\Public\Desktop\ParetoLogic Privacy Controls.lnk	--a---- 1170 bytes	[07:52 06/07/2014]	[07:52 06/07/2014] D649A488955E7D30AA51C8A70E082B70
C:\Windows\System32\Tasks\ParetoLogic Registration3	--a---- 2624 bytes	[07:52 06/07/2014]	[07:52 06/07/2014] 84B7550A4E02D5C15632DF698603C10D
C:\Windows\Tasks\ParetoLogic Registration3.job	--a---- 418 bytes	[07:52 06/07/2014]	[10:57 07/07/2014] 8F62B22F8E48892DE6939EB329EF36C1

Searching for "*gkcefkcdkepgkpbgncjchhbjgoanleod*.*"
No files found.

Searching for "*Registry Reviver*.*"
No files found.

========== folderfind ==========

Searching for "*IObit*"
C:\IObit	d------	[00:21 09/11/2012]
C:\Program Files (x86)\IObit	d------	[09:00 20/07/2014]
C:\Program Files (x86)\IObit\IObit Uninstaller	d------	[09:01 20/07/2014]
C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected] d------	[09:01 20/07/2014]
C:\ProgramData\IObit	d------	[01:41 26/11/2011]
C:\ProgramData\IObit\IObit Uninstaller	d------	[14:10 19/04/2014]
C:\Qoobox\Quarantine\C\Program Files (x86)\IObit	d------	[14:19 16/07/2014]
C:\Qoobox\Quarantine\C\Program Files (x86)\IObit\IObit Malware Fighter	d------	[11:54 18/07/2014]
C:\Qoobox\Quarantine\C\Program Files (x86)\IObit\IObit Uninstaller	d------	[11:56 18/07/2014]
C:\Qoobox\Quarantine\C\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected] d------	[11:58 18/07/2014]
C:\Qoobox\Quarantine\C\Users\Carl\AppData\Roaming\IObit	d------	[14:20 16/07/2014]
C:\Qoobox\Quarantine\C\Users\Carl\AppData\Roaming\IObit\IObit Uninstaller	d------	[14:21 16/07/2014]
C:\Users\All Users\IObit	d------	[01:41 26/11/2011]
C:\Users\All Users\IObit\IObit Uninstaller	d------	[14:10 19/04/2014]
C:\Users\Carl\AppData\LocalLow\IObit	d------	[00:08 25/10/2012]
C:\Users\Carl\AppData\Roaming\IObit	d------	[09:00 20/07/2014]
C:\Users\Carl\AppData\Roaming\IObit\IObit Uninstaller	d------	[09:01 20/07/2014]
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit	d------	[02:43 26/11/2011]
C:\_OTL\MovedFiles\06272014_210615\C_Program Files (x86)\IObit	d------	[12:07 27/06/2014]
C:\_OTL\MovedFiles\06272014_210615\C_Program Files (x86)\IObit\IObit Malware Fighter	d------	[12:07 27/06/2014]
C:\_OTL\MovedFiles\06272014_210615\C_Users\Carl\AppData\Roaming\IObit	d------	[01:56 11/11/2011]
C:\_OTL\MovedFiles\06272014_210615\C_Users\Carl\AppData\Roaming\IObit\IObit Malware Fighter	d------	[13:48 19/04/2013]
C:\_OTL\MovedFiles\06272014_210615\C_Users\Carl\AppData\Roaming\IObit\IObit Uninstaller	d------	[13:10 02/12/2011]
C:\_OTL\MovedFiles\06272014_210615\C_Users\Default\AppData\Roaming\IObit	d------	[00:08 08/09/2012]

Searching for "*Advanced SystemCare*"
C:\IObit\Advanced SystemCare V6	d------	[00:21 09/11/2012]
C:\ProgramData\IObit\Advanced SystemCare V5	d------	[01:41 26/11/2011]
C:\ProgramData\IObit\Advanced SystemCare V6	d------	[00:08 25/10/2012]
C:\ProgramData\IObit\Advanced SystemCare V7	d------	[22:44 10/11/2013]
C:\Qoobox\Quarantine\C\Program Files (x86)\IObit\Advanced SystemCare 4	d------	[11:52 18/07/2014]
C:\Qoobox\Quarantine\C\Program Files (x86)\IObit\Advanced SystemCare 5	d------	[11:52 18/07/2014]
C:\Qoobox\Quarantine\C\Program Files (x86)\IObit\Advanced SystemCare 6	d------	[11:53 18/07/2014]
C:\Qoobox\Quarantine\C\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7	d------	[14:20 16/07/2014]
C:\Users\All Users\IObit\Advanced SystemCare V5	d------	[01:41 26/11/2011]
C:\Users\All Users\IObit\Advanced SystemCare V6	d------	[00:08 25/10/2012]
C:\Users\All Users\IObit\Advanced SystemCare V7	d------	[22:44 10/11/2013]
C:\Users\Carl\AppData\LocalLow\IObit\Advanced SystemCare V6	d------	[00:08 25/10/2012]
C:\Users\Carl\AppData\LocalLow\IObit\Advanced SystemCare V7	d------	[22:44 10/11/2013]
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7	d------	[09:00 20/07/2014]
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare V5	d------	[02:43 26/11/2011]
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare V6	d------	[00:08 25/10/2012]
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare V7	d------	[08:03 12/11/2013]
C:\_OTL\MovedFiles\06272014_210615\C_Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V4	d------	[01:56 11/11/2011]
C:\_OTL\MovedFiles\06272014_210615\C_Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V5	d------	[01:39 26/11/2011]
C:\_OTL\MovedFiles\06272014_210615\C_Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V6	d------	[00:08 25/10/2012]
C:\_OTL\MovedFiles\06272014_210615\C_Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7	d------	[22:44 10/11/2013]
C:\_OTL\MovedFiles\06272014_210615\C_Users\Default\AppData\Roaming\IObit\Advanced SystemCare V5	d------	[00:08 08/09/2012]
C:\_OTL\MovedFiles\06272014_210615\C_Users\Default\AppData\Roaming\IObit\Advanced SystemCare V6	d------	[23:29 23/04/2013]

Searching for "*Malware Fighter*"
C:\Qoobox\Quarantine\C\Program Files (x86)\IObit\IObit Malware Fighter	d------	[11:54 18/07/2014]
C:\_OTL\MovedFiles\06272014_210615\C_Program Files (x86)\IObit\IObit Malware Fighter	d------	[12:07 27/06/2014]
C:\_OTL\MovedFiles\06272014_210615\C_Users\Carl\AppData\Roaming\IObit\IObit Malware Fighter	d------	[13:48 19/04/2013]

Searching for "*Surfing Protection*"
C:\Program Files (x86)\IObit\Surfing Protection	d------	[09:01 20/07/2014]
C:\Program Files (x86)\IObit\LiveUpdate\update\Surfing Protection	d------	[09:02 20/07/2014]
C:\Qoobox\Quarantine\C\Program Files (x86)\IObit\Surfing Protection	d------	[11:58 18/07/2014]
C:\_OTL\MovedFiles\06272014_210615\C_Program Files (x86)\IObit\Surfing Protection	d------	[12:07 27/06/2014]

Searching for "*ParetoLogic*"
C:\AdwCleaner\Quarantine\C\Program Files (x86)\ParetoLogic	d------	[23:50 27/06/2014]
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Common Files\ParetoLogic	d------	[23:50 27/06/2014]
C:\AdwCleaner\Quarantine\C\ProgramData\ParetoLogic	d------	[23:50 27/06/2014]
C:\AdwCleaner\Quarantine\C\ProgramData\Microsoft\Windows\Start Menu\Programs\ParetoLogic	d------	[23:50 27/06/2014]
C:\AdwCleaner\Quarantine\C\ProgramData\Microsoft\Windows\Start Menu\Programs\ParetoLogic\ParetoLogic Privacy Controls	d------	[23:50 27/06/2014]
C:\AdwCleaner\Quarantine\C\ProgramData\ParetoLogic\UUS3\ParetoLogic Privacy Controls	d------	[23:50 27/06/2014]
C:\AdwCleaner\Quarantine\C\Users\Carl\AppData\Roaming\ParetoLogic	d------	[23:50 27/06/2014]
C:\Program Files (x86)\ParetoLogic	d------	[07:52 06/07/2014]
C:\Program Files (x86)\Common Files\ParetoLogic	d------	[07:52 06/07/2014]
C:\ProgramData\ParetoLogic	d------	[07:52 06/07/2014]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ParetoLogic	d------	[07:52 06/07/2014]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ParetoLogic\ParetoLogic Privacy Controls	d------	[07:52 06/07/2014]
C:\ProgramData\ParetoLogic\UUS3\ParetoLogic Privacy Controls	d------	[07:52 06/07/2014]
C:\Users\All Users\ParetoLogic	d------	[07:52 06/07/2014]
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\ParetoLogic	d------	[07:52 06/07/2014]
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\ParetoLogic\ParetoLogic Privacy Controls	d------	[07:52 06/07/2014]
C:\Users\All Users\ParetoLogic\UUS3\ParetoLogic Privacy Controls	d------	[07:52 06/07/2014]
C:\Users\Carl\AppData\Roaming\ParetoLogic	d------	[07:52 06/07/2014]

Searching for "*gkcefkcdkepgkpbgncjchhbjgoanleod*"
C:\AdwCleaner\Quarantine\C\Users\Carl\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkcefkcdkepgkpbgncjchhbjgoanleod	d------	[23:50 27/06/2014]
C:\Qoobox\Quarantine\C\Program Files (x86)\IObit\IObit Malware Fighter\adsremoval\Chrome\gkcefkcdkepgkpbgncjchhbjgoanleod	d------	[11:54 18/07/2014]

Searching for "*Registry Reviver*"
No folders found.

========== reg ==========

[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{367E135E-2B2E-A077-3E92-18F772EF5DAA}]
(Unable to open key - key not found)

[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{74E827C3-21E1-1EAA-EA3C-BF875B2231DD}]
"pajgppcmeiofjeglegmkcdcpdeeadlnn"=69 61 65 67 66 6c 6c 63 61 69 6c 6a 69 70 66 64 6b 6e 00 (REG_BINARY)

========== regfind ==========

Searching for "IObit"
[HKEY_CURRENT_USER\Software\IObit]
[HKEY_CURRENT_USER\Software\Microsoft\IntelliPoint\AppSpecific\ASCTray.exe]
"Path"="C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe"
[HKEY_CURRENT_USER\Software\Microsoft\IntelliType Pro\AppSpecific\ASCTray.exe]
"Path"="C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe"
[HKEY_CURRENT_USER\Software\Safer Networking Limited\Localization]
"C:\Program Files (x86)\IObit\Advanced SystemCare 6\"=""
[HKEY_CURRENT_USER\Software\Safer Networking Limited\Localization]
"C:\Program Files (x86)\IObit\IObit Uninstaller\"=""
[HKEY_CURRENT_USER\Software\Safer Networking Limited\Localization]
"C:\Program Files (x86)\IObit\Advanced SystemCare 7\"=""
[HKEY_CURRENT_USER\Software\Safer Networking Limited\Localization]
"C:\Users\Carl\AppData\Roaming\IObit\IObit Uninstaller\"=""
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\IObit\IObit Uninstaller\Uninstaler_SkipUac.exe"="Uninstall Programs"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe"="Advanced SystemCare 7"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\IObit Malware Fighter]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\//\//\IObit Cloud Anti-Malwre]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}]
@="IObit Uninstaller"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\DefaultIcon]
@="C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\Shell\Open\command]
@=""C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe" control_statistics"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObit Malware Fighter]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{38A6E5EA-6854-4F3C-AD6C-7FB6E92C5A8C}\1.0\0\win64]
@="C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCExtMenu_64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\0\win64]
@="C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCExtMenu_64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\HELPDIR]
@="C:\Program Files (x86)\IObit\Advanced SystemCare 7"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}\1.0\0\win64]
@="C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFShellExt.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\InprocServer32]
@="C:\PROGRA~2\IObit\SURFIN~1\BROWER~1\ASCPLU~1.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{38A6E5EA-6854-4F3C-AD6C-7FB6E92C5A8C}\1.0\0\win64]
@="C:\Program Files (x86)\IObit\Advanced SystemCare 6\ASCExtMenu_64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\0\win64]
@="C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCExtMenu_64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\HELPDIR]
@="C:\Program Files (x86)\IObit\Advanced SystemCare 7"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}\1.0\0\win64]
@="C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFShellExt.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\IObit]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Management-Odata-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Management-Odata-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-PowerShell-Client-WTR-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-PowerShell-Client-WTR-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-PowerShell-WTR-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-PowerShell-WTR-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RDP-WinIP-Package-MiniLP~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2592687.cab_Temp\FF8FBE42-939B-4E17-9D62-64368D6082F0\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RDP-WinIP-Package-TopLevel~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2592687.cab_Temp\FF8FBE42-939B-4E17-9D62-64368D6082F0\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RDP-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2592687.cab_Temp\FF8FBE42-939B-4E17-9D62-64368D6082F0\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RDP-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2592687.cab_Temp\FF8FBE42-939B-4E17-9D62-64368D6082F0\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RemoteDesktopClient-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2592687.cab_Temp\FF8FBE42-939B-4E17-9D62-64368D6082F0\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RemoteDesktopClient-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2592687.cab_Temp\FF8FBE42-939B-4E17-9D62-64368D6082F0\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RemoteDesktopService-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2592687.cab_Temp\FF8FBE42-939B-4E17-9D62-64368D6082F0\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RemoteDesktopService-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2592687.cab_Temp\FF8FBE42-939B-4E17-9D62-64368D6082F0\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-WinMan-WinIP-Package-MiniLP~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-WinMan-WinIP-Package-TopLevel~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-WinMan-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-WinMan-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836942.cab_Temp\5543E813-3442-4728-B834-244C5F69BFCE\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836943.cab_Temp\F3DAEEF0-B7B3-4DE4-A8F7-4B80EA8712CF\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2859903~31bf3856ad364e35~amd64~~10.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2859903.cab_Temp\2B1B6454-9ACC-4538-BB8F-1C1D4C86E95D\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2918077~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2918077.cab_Temp\3F0E7F9D-62FD-48CC-871B-C767DE3B1C87\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929437.cab_Temp\7E51F3E5-D3C4-4384-9F23-D3B3ADF2C0F5\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2952664.cab_Temp\A0E3E309-D1EE-4322-9B6B-B1649876C724\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2953522~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2953522.cab_Temp\23AC13A6-605C-4037-904A-C382ABF1746C\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2964358~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2964358.cab_Temp\6A29EDC2-A7B6-4CEC-AD8B-A9FE9D32EAF6\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB976002~31bf3856ad364e35~amd64~~6.1.1.14]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 5\KB976002.cab_Temp\078B2A3F-9D25-4049-9858-F3DF2D103C95\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_26_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2574819.cab_Temp\C79176B0-3C92-4E00-93E3-68F956631D36\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_27_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2574819.cab_Temp\C79176B0-3C92-4E00-93E3-68F956631D36\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_28_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_29_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2574819.cab_Temp\C79176B0-3C92-4E00-93E3-68F956631D36\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_29_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2585542~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 5\KB2585542.cab_Temp\B76A9E05-F7D9-44BC-9DE9-03493CF5876D\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836942.cab_Temp\5543E813-3442-4728-B834-244C5F69BFCE\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836943.cab_Temp\F3DAEEF0-B7B3-4DE4-A8F7-4B80EA8712CF\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2929733~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929733.cab_Temp\6FE88919-70EF-41A6-81BE-7FD5A659FD55\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_31_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_37_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929437.cab_Temp\7E51F3E5-D3C4-4384-9F23-D3B3ADF2C0F5\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_38_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929437.cab_Temp\7E51F3E5-D3C4-4384-9F23-D3B3ADF2C0F5\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_39_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929437.cab_Temp\7E51F3E5-D3C4-4384-9F23-D3B3ADF2C0F5\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_3_for_KB2585542~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 5\KB2585542.cab_Temp\B76A9E05-F7D9-44BC-9DE9-03493CF5876D\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_3_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836942.cab_Temp\5543E813-3442-4728-B834-244C5F69BFCE\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2952664.cab_Temp\A0E3E309-D1EE-4322-9B6B-B1649876C724\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_40_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929437.cab_Temp\7E51F3E5-D3C4-4384-9F23-D3B3ADF2C0F5\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_4_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836943.cab_Temp\F3DAEEF0-B7B3-4DE4-A8F7-4B80EA8712CF\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_54_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_55_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_83_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB123456_client~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB123456_client~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819_SP1~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2574819.cab_Temp\C79176B0-3C92-4E00-93E3-68F956631D36\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819_SP1~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2574819.cab_Temp\C79176B0-3C92-4E00-93E3-68F956631D36\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2585542_SP1~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 5\KB2585542.cab_Temp\B76A9E05-F7D9-44BC-9DE9-03493CF5876D\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2585542~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 5\KB2585542.cab_Temp\B76A9E05-F7D9-44BC-9DE9-03493CF5876D\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836942_SP1~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836942.cab_Temp\5543E813-3442-4728-B834-244C5F69BFCE\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836942.cab_Temp\5543E813-3442-4728-B834-244C5F69BFCE\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836943_SP1~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836943.cab_Temp\F3DAEEF0-B7B3-4DE4-A8F7-4B80EA8712CF\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836943.cab_Temp\F3DAEEF0-B7B3-4DE4-A8F7-4B80EA8712CF\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2859903_RTM~31bf3856ad364e35~amd64~~10.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2859903.cab_Temp\2B1B6454-9ACC-4538-BB8F-1C1D4C86E95D\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2859903~31bf3856ad364e35~amd64~~10.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2859903.cab_Temp\2B1B6454-9ACC-4538-BB8F-1C1D4C86E95D\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2918077_SP1~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2918077.cab_Temp\3F0E7F9D-62FD-48CC-871B-C767DE3B1C87\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2918077~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2918077.cab_Temp\3F0E7F9D-62FD-48CC-871B-C767DE3B1C87\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929437_RTM~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929437.cab_Temp\7E51F3E5-D3C4-4384-9F23-D3B3ADF2C0F5\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929437.cab_Temp\7E51F3E5-D3C4-4384-9F23-D3B3ADF2C0F5\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929733_SP1~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929733.cab_Temp\6FE88919-70EF-41A6-81BE-7FD5A659FD55\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929733~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929733.cab_Temp\6FE88919-70EF-41A6-81BE-7FD5A659FD55\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2952664.cab_Temp\A0E3E309-D1EE-4322-9B6B-B1649876C724\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2952664.cab_Temp\A0E3E309-D1EE-4322-9B6B-B1649876C724\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2953522_RTM~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2953522.cab_Temp\23AC13A6-605C-4037-904A-C382ABF1746C\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2953522~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2953522.cab_Temp\23AC13A6-605C-4037-904A-C382ABF1746C\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2964358_RTM~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2964358.cab_Temp\6A29EDC2-A7B6-4CEC-AD8B-A9FE9D32EAF6\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2964358~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2964358.cab_Temp\6A29EDC2-A7B6-4CEC-AD8B-A9FE9D32EAF6\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB976002_RTM~31bf3856ad364e35~amd64~~6.1.1.14]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 5\KB976002.cab_Temp\078B2A3F-9D25-4049-9858-F3DF2D103C95\"


----------



## referee07 (Sep 11, 2003)

SystemLook Log; 2nd Post:

Searching for "Advanced SystemCare"
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2952664.cab_Temp\A0E3E309-D1EE-4322-9B6B-B1649876C724\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2953522~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2953522.cab_Temp\23AC13A6-605C-4037-904A-C382ABF1746C\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2964358~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2964358.cab_Temp\6A29EDC2-A7B6-4CEC-AD8B-A9FE9D32EAF6\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB976002~31bf3856ad364e35~amd64~~6.1.1.14]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 5\KB976002.cab_Temp\078B2A3F-9D25-4049-9858-F3DF2D103C95\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_26_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2574819.cab_Temp\C79176B0-3C92-4E00-93E3-68F956631D36\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_27_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2574819.cab_Temp\C79176B0-3C92-4E00-93E3-68F956631D36\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_28_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_29_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2574819.cab_Temp\C79176B0-3C92-4E00-93E3-68F956631D36\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_29_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2585542~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 5\KB2585542.cab_Temp\B76A9E05-F7D9-44BC-9DE9-03493CF5876D\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836942.cab_Temp\5543E813-3442-4728-B834-244C5F69BFCE\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836943.cab_Temp\F3DAEEF0-B7B3-4DE4-A8F7-4B80EA8712CF\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2929733~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929733.cab_Temp\6FE88919-70EF-41A6-81BE-7FD5A659FD55\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_31_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_37_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929437.cab_Temp\7E51F3E5-D3C4-4384-9F23-D3B3ADF2C0F5\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_38_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929437.cab_Temp\7E51F3E5-D3C4-4384-9F23-D3B3ADF2C0F5\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_39_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929437.cab_Temp\7E51F3E5-D3C4-4384-9F23-D3B3ADF2C0F5\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_3_for_KB2585542~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 5\KB2585542.cab_Temp\B76A9E05-F7D9-44BC-9DE9-03493CF5876D\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_3_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836942.cab_Temp\5543E813-3442-4728-B834-244C5F69BFCE\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2952664.cab_Temp\A0E3E309-D1EE-4322-9B6B-B1649876C724\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_40_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929437.cab_Temp\7E51F3E5-D3C4-4384-9F23-D3B3ADF2C0F5\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_4_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836943.cab_Temp\F3DAEEF0-B7B3-4DE4-A8F7-4B80EA8712CF\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_54_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_55_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_83_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB123456_client~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB123456_client~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819_SP1~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2574819.cab_Temp\C79176B0-3C92-4E00-93E3-68F956631D36\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819_SP1~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2574819.cab_Temp\C79176B0-3C92-4E00-93E3-68F956631D36\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2830477.cab_Temp\88DED9EB-6672-4B70-89BC-ADA5F597A86B\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2585542_SP1~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 5\KB2585542.cab_Temp\B76A9E05-F7D9-44BC-9DE9-03493CF5876D\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2585542~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 5\KB2585542.cab_Temp\B76A9E05-F7D9-44BC-9DE9-03493CF5876D\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836942_SP1~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836942.cab_Temp\5543E813-3442-4728-B834-244C5F69BFCE\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836942.cab_Temp\5543E813-3442-4728-B834-244C5F69BFCE\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836943_SP1~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836943.cab_Temp\F3DAEEF0-B7B3-4DE4-A8F7-4B80EA8712CF\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2836943.cab_Temp\F3DAEEF0-B7B3-4DE4-A8F7-4B80EA8712CF\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2859903_RTM~31bf3856ad364e35~amd64~~10.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2859903.cab_Temp\2B1B6454-9ACC-4538-BB8F-1C1D4C86E95D\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2859903~31bf3856ad364e35~amd64~~10.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2859903.cab_Temp\2B1B6454-9ACC-4538-BB8F-1C1D4C86E95D\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2918077_SP1~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2918077.cab_Temp\3F0E7F9D-62FD-48CC-871B-C767DE3B1C87\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2918077~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2918077.cab_Temp\3F0E7F9D-62FD-48CC-871B-C767DE3B1C87\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929437_RTM~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929437.cab_Temp\7E51F3E5-D3C4-4384-9F23-D3B3ADF2C0F5\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929437.cab_Temp\7E51F3E5-D3C4-4384-9F23-D3B3ADF2C0F5\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929733_SP1~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929733.cab_Temp\6FE88919-70EF-41A6-81BE-7FD5A659FD55\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929733~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2929733.cab_Temp\6FE88919-70EF-41A6-81BE-7FD5A659FD55\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2952664.cab_Temp\A0E3E309-D1EE-4322-9B6B-B1649876C724\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2952664.cab_Temp\A0E3E309-D1EE-4322-9B6B-B1649876C724\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2953522_RTM~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2953522.cab_Temp\23AC13A6-605C-4037-904A-C382ABF1746C\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2953522~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2953522.cab_Temp\23AC13A6-605C-4037-904A-C382ABF1746C\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2964358_RTM~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2964358.cab_Temp\6A29EDC2-A7B6-4CEC-AD8B-A9FE9D32EAF6\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2964358~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 7\KB2964358.cab_Temp\6A29EDC2-A7B6-4CEC-AD8B-A9FE9D32EAF6\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB976002_RTM~31bf3856ad364e35~amd64~~6.1.1.14]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 5\KB976002.cab_Temp\078B2A3F-9D25-4049-9858-F3DF2D103C95\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB976002~31bf3856ad364e35~amd64~~6.1.1.14]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 5\KB976002.cab_Temp\078B2A3F-9D25-4049-9858-F3DF2D103C95\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\WIN8IP-Microsoft-Windows-WMI-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\WIN8IP-Microsoft-Windows-WMI-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Management-Protocols-Package-Win7~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Management-Protocols-Package-Win7~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"="\\?\C:\Program Files (x86)\IObit\Advanced SystemCare 6\KB2506143.cab_Temp\5C265570-B55C-4B61-B9BC-6DC03EB54FF8\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit\Advanced SystemCare 4]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit\Advanced SystemCare 5]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit\Advanced SystemCare 6]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit\Advanced SystemCare 6]
"installpath"="C:\Program Files (x86)\IObit\Advanced SystemCare 6"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit\Advanced SystemCare 7]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit\Advanced SystemCare 7]
"apppath"="C:\Program Files (x86)\IObit\Advanced SystemCare 7\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit\ASC]


----------



## referee07 (Sep 11, 2003)

System Look Log; 3rd Post:


Searching for "Malware Fighter"

Searching for "Surfing Protection"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit\Advanced SystemCare 7]
"installpath"="C:\Program Files (x86)\IObit\Surfing Protection"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Surfing Protection_is1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Surfing Protection_is1]
"Inno Setup: App Path"="C:\Program Files (x86)\IObit\Surfing Protection"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Surfing Protection_is1]
"InstallLocation"="C:\Program Files (x86)\IObit\Surfing Protection\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Surfing Protection_is1]
"Inno Setup: Icon Group"="Surfing Protection"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Surfing Protection_is1]
"DisplayName"="Surfing Protection"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Surfing Protection_is1]
"DisplayIcon"="C:\Program Files (x86)\IObit\Surfing Protection\PluginInstall.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Surfing Protection_is1]
"UninstallString"=""C:\Program Files (x86)\IObit\Surfing Protection\unins000.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Surfing Protection_is1]
"QuietUninstallString"=""C:\Program Files (x86)\IObit\Surfing Protection\unins000.exe" /SILENT"

Searching for "ParetoLogic"
[HKEY_CURRENT_USER\Software\ParetoLogic]
[HKEY_CURRENT_USER\Software\ParetoLogic\ParetoLogic Registration3]
[HKEY_CURRENT_USER\Software\ParetoLogic\ParetoLogic UNS]
[HKEY_CURRENT_USER\Software\ParetoLogic\ParetoLogic UNS\ParetoLogic Privacy Controls]
[HKEY_CURRENT_USER\Software\ParetoLogic\ParetoLogic UNS\ParetoLogic Privacy Controls]
"SettingsFilename"="C:\Program Files (x86)\ParetoLogic\Privacy Controls"
[HKEY_CURRENT_USER\Software\ParetoLogic\ParetoLogic UNS\ParetoLogic Privacy Controls]
"RegisterUrl"="http://redirect5.paretologic.com/?vid=1&lid=EN&cpid=88&pid=5&aid=4&key=32803-2B120-8BD64-FCD39"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\ParetoLogic\Privacy Controls\Pareto_PC.exe"="Paretologic Privacy Controls"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\uus3url-pl\shell\open\command]
@=""C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe" %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FBB9AA3B-B914-44B6-A519-B3EBEFF8952D}]
"Path"="\ParetoLogic Registration3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ParetoLogic Registration3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{29ACDA07-0CAD-4751-B3A4-3E03C5F74673}]
"InstallLocation"="C:\Program Files (x86)\ParetoLogic\Privacy Controls\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{29ACDA07-0CAD-4751-B3A4-3E03C5F74673}]
"DisplayName"="ParetoLogic Privacy Controls"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{29ACDA07-0CAD-4751-B3A4-3E03C5F74673}]
"DisplayIcon"="C:\Program Files (x86)\ParetoLogic\Privacy Controls\Pareto_PC.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{29ACDA07-0CAD-4751-B3A4-3E03C5F74673}]
"UninstallString"="C:\Program Files (x86)\ParetoLogic\Privacy Controls\uninstaller.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{29ACDA07-0CAD-4751-B3A4-3E03C5F74673}]
"URLInfoAbout"="http://www.ParetoLogic.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{29ACDA07-0CAD-4751-B3A4-3E03C5F74673}]
"Publisher"="ParetoLogic, Inc."
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ParetoLogic]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ParetoLogic\UUS3\Preset\ParetoLogic Privacy Controls]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ParetoLogic\UUS3\Preset\ParetoLogic Privacy Controls]
"AppExe"="C:\Program Files (x86)\ParetoLogic\Privacy Controls\Pareto_PC.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\CisConfigs\2\Firewall\Policy\44]
"Filename"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\CisConfigs\2\Firewall\Policy\44]
"DeviceName"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\Mode\Configurations\2\Firewall\Policy\44]
"Filename"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\Mode\Configurations\2\Firewall\Policy\44]
"DeviceName"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\cmdAgent\CisConfigs\2\Firewall\Policy\44]
"Filename"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\cmdAgent\CisConfigs\2\Firewall\Policy\44]
"DeviceName"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations\2\Firewall\Policy\44]
"Filename"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations\2\Firewall\Policy\44]
"DeviceName"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\2\Firewall\Policy\44]
"Filename"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\2\Firewall\Policy\44]
"DeviceName"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cmdAgent\CisConfigs\2\Firewall\Policy\44]
"Filename"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cmdAgent\CisConfigs\2\Firewall\Policy\44]
"DeviceName"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations\2\Firewall\Policy\44]
"Filename"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations\2\Firewall\Policy\44]
"DeviceName"="C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe"
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\ParetoLogic]
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\ParetoLogic\ParetoLogic Registration3]
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\ParetoLogic\ParetoLogic UNS]
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\ParetoLogic\ParetoLogic UNS\ParetoLogic Privacy Controls]
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\ParetoLogic\ParetoLogic UNS\ParetoLogic Privacy Controls]
"SettingsFilename"="C:\Program Files (x86)\ParetoLogic\Privacy Controls"
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\ParetoLogic\ParetoLogic UNS\ParetoLogic Privacy Controls]
"RegisterUrl"="http://redirect5.paretologic.com/?vid=1&lid=EN&cpid=88&pid=5&aid=4&key=32803-2B120-8BD64-FCD39"
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\ParetoLogic\Privacy Controls\Pareto_PC.exe"="Paretologic Privacy Controls"
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\ParetoLogic\Privacy Controls\Pareto_PC.exe"="Paretologic Privacy Controls"

Searching for "gkcefkcdkepgkpbgncjchhbjgoanleod"
No data found.

Searching for "Registry Reviver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"RestoreStatusDescription"="Registry Reviver Restore Point (06/01/14)"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\CisConfigs\2\Firewall\Policy\11]
"Filename"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\CisConfigs\2\Firewall\Policy\11]
"DeviceName"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\Mode\Configurations\2\Firewall\Policy\11]
"Filename"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdAgent\Mode\Configurations\2\Firewall\Policy\11]
"DeviceName"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\cmdAgent\CisConfigs\2\Firewall\Policy\11]
"Filename"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\cmdAgent\CisConfigs\2\Firewall\Policy\11]
"DeviceName"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations\2\Firewall\Policy\11]
"Filename"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations\2\Firewall\Policy\11]
"DeviceName"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\2\Firewall\Policy\11]
"Filename"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\Software\COMODO\Firewall Pro\Configurations\2\Firewall\Policy\11]
"DeviceName"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cmdAgent\CisConfigs\2\Firewall\Policy\11]
"Filename"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cmdAgent\CisConfigs\2\Firewall\Policy\11]
"DeviceName"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations\2\Firewall\Policy\11]
"Filename"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations\2\Firewall\Policy\11]
"DeviceName"="C:\Program Files\ReviverSoft\Registry Reviver\RegistryReviver.exe"

eddie, thanks again.


----------



## eddie5659 (Mar 19, 2001)

Thanks for the logs, that took a long time to go through 

First of all, we'll create a backup of the Registry, just in case. 99.99% of the time nothing happens, but it's better to be safe.

*Backing Up Your Registry*
Download *ERUNT* 
_(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)_
Install *ERUNT* by following the prompts
_(use the default install settings but say no to the portion that asks you to add *ERUNT* to the start-up folder, if you like you can enable this option later)_
Start *ERUNT*
_(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)_
Choose a location for the backup
_(the default location is C:\WINDOWS\ERDNT which is acceptable)._
Make sure that at least the first two check boxes are ticked
Press *OK*
Press *YES* to create the folder.

----------------

Now, onto the fix 

Run OTL 

Under the *Custom Scans/Fixes* box at the bottom, paste in the following


```
:Commands
[CREATERESTOREPOINT] 
:Files
C:\ProgramData\IObit
C:\Users\All Users\IObit
C:\IObit
C:\Program Files (x86)\IObit
C:\Users\Carl\AppData\LocalLow\IObit
C:\Users\Carl\AppData\Roaming\IObit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit
C:\Users\Carl\ntuser.dat.iobit
C:\Users\Carl\AppData\Local\Microsoft\Windows\UsrClass.dat.iobit
C:\Users\Carl\Favorites\Download IObit Freeware.url
C:\Windows\Prefetch\IOBITUNINSTALLER.EXE
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.iobit
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.iobit
C:\Windows\System32\IObitSmartDefragExtension.dll
C:\Windows\System32\config\components.iobit
C:\Windows\System32\config\default.iobit
C:\Windows\System32\config\sam.iobit
C:\Windows\System32\config\security.iobit
C:\Windows\System32\config\software.iobit
C:\Windows\System32\SMI\Store\Machine\schema.dat.iobit
:Reg
[-HKEY_CURRENT_USER\Software\IObit]
[-HKEY_LOCAL_MACHINE\SOFTWARE\IObit]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ADSRemoval]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LiveUpdateSvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\AdvancedSystemCareService7]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\LiveUpdateSvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LiveUpdateSvc]
[-HKEY_USERS\.DEFAULT\Software\IObit]
[-HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\IObit]
[-HKEY_USERS\S-1-5-18\Software\IObit]
[HKEY_CURRENT_USER\Software\Microsoft\IntelliPoint\AppSpecific\ASCTray.exe]
"Path"=-
[-HKEY_CURRENT_USER\Software\Microsoft\IntelliType Pro\AppSpecific\ASCTray.exe]
"Path"=-
[-HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\IntelliPoint\AppSpecific\ASCTray.exe]
"Path"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\IObit Malware Fighter]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObit Malware Fighter]
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\IObit\IObit Uninstaller\Uninstaler_SkipUac.exe"=-
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe"=-
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\IObit\IObit Uninstaller\Uninstaler_SkipUac.exe"=-
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe"=-
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\IObit\IObit Uninstaller\Uninstaler_SkipUac.exe"=-
[HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\//\//\IObit Cloud Anti-Malwre]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\DefaultIcon]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\Shell\Open\command]
@=""
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{38A6E5EA-6854-4F3C-AD6C-7FB6E92C5A8C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{38A6E5EA-6854-4F3C-AD6C-7FB6E92C5A8C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{38A6E5EA-6854-4F3C-AD6C-7FB6E92C5A8C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\InprocServer32]
@=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}]
@=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Surfing Protection_is1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\0\win64]
@=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\HELPDIR]
@=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\0\win64]
@=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\HELPDIR]
@=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}\1.0\0\win64]
@=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\0\win64]
@=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\HELPDIR]
@=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ASCPlugin_Protection.TASCBrowserProtection]
@=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Management-Odata-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Management-Odata-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-PowerShell-Client-WTR-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-PowerShell-Client-WTR-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-PowerShell-WTR-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-PowerShell-WTR-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RDP-WinIP-Package-MiniLP~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RDP-WinIP-Package-TopLevel~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RDP-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RDP-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RemoteDesktopClient-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RemoteDesktopClient-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RemoteDesktopService-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RemoteDesktopService-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-WinMan-WinIP-Package-MiniLP~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-WinMan-WinIP-Package-TopLevel~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-WinMan-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-WinMan-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2859903~31bf3856ad364e35~amd64~~10.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2918077~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2953522~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2964358~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB976002~31bf3856ad364e35~amd64~~6.1.1.14]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_26_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_27_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_28_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_29_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_29_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2585542~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2929733~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_31_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_37_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_38_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_39_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_3_for_KB2585542~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_3_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_40_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_4_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_54_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_55_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_83_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB123456_client~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB123456_client~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819_SP1~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819_SP1~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2585542_SP1~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2585542~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836942_SP1~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836943_SP1~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2859903_RTM~31bf3856ad364e35~amd64~~10.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2859903~31bf3856ad364e35~amd64~~10.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2918077_SP1~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2918077~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929437_RTM~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929733_SP1~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929733~31bf3856ad364e35~amd64~~6.1.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2953522_RTM~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2953522~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2964358_RTM~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2964358~31bf3856ad364e35~amd64~~11.2.1.0]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB976002_RTM~31bf3856ad364e35~amd64~~6.1.1.14]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB976002~31bf3856ad364e35~amd64~~6.1.1.14]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\WIN8IP-Microsoft-Windows-WMI-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\WIN8IP-Microsoft-Windows-WMI-Package~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Management-Protocols-Package-Win7~31bf3856ad364e35~amd64~en-US~7.1.7601.16398]
"InstallLocation"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Management-Protocols-Package-Win7~31bf3856ad364e35~amd64~~7.1.7601.16398]
"InstallLocation"=-
:Commands
[emptytemp]
[purity]
```
*NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system*
Then click the *Run Fix* button at the top.
Click OK.
Let the program run unhindered, reboot when it is done.
It will produce a log for you on reboot, please post that log in your next reply. The log is saved in the same location as OTL.


----------



## referee07 (Sep 11, 2003)

eddie, thanks for all of your hard work and help on this. I really appreciate it. Please see below for the log from running OTL with the above code:

All processes killed
Error: Unable to interpret <Code:> in the current context!
Error: Unable to interpret <---------> in the current context!
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
C:\ProgramData\IObit\IObit Uninstaller folder moved successfully.
C:\ProgramData\IObit\ASCDownloader folder moved successfully.
C:\ProgramData\IObit\Advanced SystemCare V7\Homepage Protection folder moved successfully.
C:\ProgramData\IObit\Advanced SystemCare V7 folder moved successfully.
C:\ProgramData\IObit\Advanced SystemCare V6 folder moved successfully.
C:\ProgramData\IObit\Advanced SystemCare V5 folder moved successfully.
C:\ProgramData\IObit folder moved successfully.
File\Folder C:\Users\All Users\IObit not found.
C:\IObit\Advanced SystemCare V6 folder moved successfully.
C:\IObit folder moved successfully.
C:\Program Files (x86)\IObit\Surfing Protection\Update folder moved successfully.
C:\Program Files (x86)\IObit\Surfing Protection\Language folder moved successfully.
C:\Program Files (x86)\IObit\Surfing Protection\Database folder moved successfully.
C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\images folder moved successfully.
C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin\Img folder moved successfully.
C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0\Plugin folder moved successfully.
C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd\1.0.0_0 folder moved successfully.
C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\bbmegnmpleoagolcnjnejdacakedpcgd folder moved successfully.
C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected]\chrome\content folder moved successfully.
C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected]\chrome folder moved successfully.
C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\[email protected] folder moved successfully.
C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect folder moved successfully.
C:\Program Files (x86)\IObit\Surfing Protection folder moved successfully.
C:\Program Files (x86)\IObit\LiveUpdate\update\Surfing Protection\Database folder moved successfully.
C:\Program Files (x86)\IObit\LiveUpdate\update\Surfing Protection folder moved successfully.
C:\Program Files (x86)\IObit\LiveUpdate\update folder moved successfully.
C:\Program Files (x86)\IObit\LiveUpdate\Language folder moved successfully.
C:\Program Files (x86)\IObit\LiveUpdate folder moved successfully.
C:\Program Files (x86)\IObit\IObit Uninstaller folder moved successfully.
C:\Program Files (x86)\IObit folder moved successfully.
C:\Users\Carl\AppData\LocalLow\IObit\SafeBrowse folder moved successfully.
C:\Users\Carl\AppData\LocalLow\IObit\Advanced SystemCare V7 folder moved successfully.
C:\Users\Carl\AppData\LocalLow\IObit\Advanced SystemCare V6 folder moved successfully.
C:\Users\Carl\AppData\LocalLow\IObit folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\IObit Uninstaller folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7\ProgramDeactivator folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7\Log folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7\Internet Booster folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7\Homepage Protection folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7\Boottime folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7\Backup folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit\Advanced SystemCare V7 folder moved successfully.
C:\Users\Carl\AppData\Roaming\IObit folder moved successfully.
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare V7\ProgramDeactivator folder moved successfully.
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare V7 folder moved successfully.
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare V6\Log folder moved successfully.
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare V6\Backup folder moved successfully.
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare V6 folder moved successfully.
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare V5 folder moved successfully.
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit folder moved successfully.
C:\Users\Carl\ntuser.dat.iobit moved successfully.
C:\Users\Carl\AppData\Local\Microsoft\Windows\UsrClass.dat.iobit moved successfully.
C:\Users\Carl\Favorites\Download IObit Freeware.url moved successfully.
File\Folder C:\Windows\Prefetch\IOBITUNINSTALLER.EXE not found.
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.iobit moved successfully.
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.iobit moved successfully.
File\Folder C:\Windows\System32\IObitSmartDefragExtension.dll not found.
File\Folder C:\Windows\System32\config\components.iobit not found.
File\Folder C:\Windows\System32\config\default.iobit not found.
File\Folder C:\Windows\System32\config\sam.iobit not found.
File\Folder C:\Windows\System32\config\security.iobit not found.
File\Folder C:\Windows\System32\config\software.iobit not found.
File\Folder C:\Windows\System32\SMI\Store\Machine\schema.dat.iobit not found.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\IObit\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\IObit\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ADSRemoval\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LiveUpdateSvc\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\AdvancedSystemCareService7\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\LiveUpdateSvc\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LiveUpdateSvc\ not found.
Registry key HKEY_USERS\.DEFAULT\Software\IObit\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\IObit\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\IObit\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\IntelliPoint\AppSpecific\ASCTray.exe not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\IntelliType Pro\AppSpecific\ASCTray.exe\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\IntelliType Pro\AppSpecific\ASCTray.exe not found.
Registry key HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\IntelliPoint\AppSpecific\ASCTray.exe\ not found.
Registry key HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Microsoft\IntelliPoint\AppSpecific\ASCTray.exe not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\IObit Malware Fighter\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObit Malware Fighter\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\C:\Program Files (x86)\IObit\IObit Uninstaller\Uninstaler_SkipUac.exe deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\C:\Program Files (x86)\IObit\IObit Uninstaller\Uninstaler_SkipUac.exe not found.
Registry value HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe not found.
Registry value HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\C:\Program Files (x86)\IObit\IObit Uninstaller\Uninstaler_SkipUac.exe not found.
Registry value HKEY_USERS\S-1-5-21-1817415294-4033379586-1234686743-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\\C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\//\//\IObit Cloud Anti-Malwre\ deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\DefaultIcon\\@|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\Shell\Open\command\\@|"" /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{38A6E5EA-6854-4F3C-AD6C-7FB6E92C5A8C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38A6E5EA-6854-4F3C-AD6C-7FB6E92C5A8C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{38A6E5EA-6854-4F3C-AD6C-7FB6E92C5A8C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38A6E5EA-6854-4F3C-AD6C-7FB6E92C5A8C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{38A6E5EA-6854-4F3C-AD6C-7FB6E92C5A8C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38A6E5EA-6854-4F3C-AD6C-7FB6E92C5A8C}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\InprocServer32\\@ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}\\@ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Surfing Protection_is1\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\0\win64\\@ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\HELPDIR\\@ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\0\win64\\@ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\HELPDIR\\@ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{ACB9DC96-D7BB-430F-AE6B-97F0DFDEAFCC}\1.0\0\win64\\@ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\0\win64\\@ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\HELPDIR\\@ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ASCPlugin_Protection.TASCBrowserProtection\\@ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Management-Odata-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Management-Odata-Package~31bf3856ad364e35~amd64~~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-PowerShell-Client-WTR-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-PowerShell-Client-WTR-Package~31bf3856ad364e35~amd64~~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-PowerShell-WTR-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-PowerShell-WTR-Package~31bf3856ad364e35~amd64~~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RDP-WinIP-Package-MiniLP~31bf3856ad364e35~amd64~en-US~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RDP-WinIP-Package-TopLevel~31bf3856ad364e35~amd64~~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RDP-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RDP-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RemoteDesktopClient-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RemoteDesktopClient-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RemoteDesktopService-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-RemoteDesktopService-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-WinMan-WinIP-Package-MiniLP~31bf3856ad364e35~amd64~en-US~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-WinMan-WinIP-Package-TopLevel~31bf3856ad364e35~amd64~~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-WinMan-WinIP-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-WinMan-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2859903~31bf3856ad364e35~amd64~~10.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2918077~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2953522~31bf3856ad364e35~amd64~~11.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB2964358~31bf3856ad364e35~amd64~~11.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_1_for_KB976002~31bf3856ad364e35~amd64~~6.1.1.14 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_26_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_27_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_28_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_29_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_29_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2585542~31bf3856ad364e35~amd64~~6.1.1.3 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_2_for_KB2929733~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_31_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_37_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_38_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_39_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_3_for_KB2585542~31bf3856ad364e35~amd64~~6.1.1.3 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_3_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_40_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_4_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_54_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_55_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_83_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB123456_client~31bf3856ad364e35~amd64~en-US~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB123456_client~31bf3856ad364e35~amd64~~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819_SP1~31bf3856ad364e35~amd64~~6.1.1.7 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819_SP1~31bf3856ad364e35~amd64~~6.1.2.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819~31bf3856ad364e35~amd64~~6.1.1.7 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2574819~31bf3856ad364e35~amd64~~6.1.2.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2585542_SP1~31bf3856ad364e35~amd64~~6.1.1.3 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2585542~31bf3856ad364e35~amd64~~6.1.1.3 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836942_SP1~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836942~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836943_SP1~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2836943~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2859903_RTM~31bf3856ad364e35~amd64~~10.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2859903~31bf3856ad364e35~amd64~~10.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2918077_SP1~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2918077~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929437_RTM~31bf3856ad364e35~amd64~~11.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929437~31bf3856ad364e35~amd64~~11.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929733_SP1~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2929733~31bf3856ad364e35~amd64~~6.1.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.1.3 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2953522_RTM~31bf3856ad364e35~amd64~~11.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2953522~31bf3856ad364e35~amd64~~11.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2964358_RTM~31bf3856ad364e35~amd64~~11.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB2964358~31bf3856ad364e35~amd64~~11.2.1.0 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB976002_RTM~31bf3856ad364e35~amd64~~6.1.1.14 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB976002~31bf3856ad364e35~amd64~~6.1.1.14 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\WIN8IP-Microsoft-Windows-WMI-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\WIN8IP-Microsoft-Windows-WMI-Package~31bf3856ad364e35~amd64~~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Management-Protocols-Package-Win7~31bf3856ad364e35~amd64~en-US~7.1.7601.16398 not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Management-Protocols-Package-Win7~31bf3856ad364e35~amd64~~7.1.7601.16398 not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Carl
->Temp folder emptied: 272461877 bytes
->Temporary Internet Files folder emptied: 42794656 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 506 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 5530270 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 44482995 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 761 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 348.00 mb

Error: Unable to interpret <---------> in the current context!

OTL by OldTimer - Version 3.2.69.0 log created on 07252014_082117

Files\Folders moved on Reboot...
C:\Users\Carl\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Users\Carl\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scheduled to be moved on reboot.
C:\Windows\temp\DELLNOTEBOOK-20140725-0727.log moved successfully.
File\Folder C:\Windows\temp\officeclicktorun.exe_c2ruidll(201407250727307F0).log not found!
File\Folder C:\Windows\temp\officeclicktorun.exe_streamserver(201407250727337F0).log not found!
File move failed. C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


----------
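A triage sketch for a fix log like the one posted above, added here as an example (it is not part of the original posts and not OldTimer's code): it counts outcomes per log section and lists the two things worth a follow-up, script lines OTL could not interpret and file moves deferred to reboot. The outcome patterns are assumptions inferred from the line shapes visible in this log, and the sample is a short excerpt of it.

```python
import re
from collections import Counter, defaultdict

# Excerpt copied from the fix log posted above (not the full log).
SAMPLE_LOG = r'''All processes killed
Error: Unable to interpret <Code:> in the current context!
Error: Unable to interpret <---------> in the current context!
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
C:\ProgramData\IObit folder moved successfully.
File\Folder C:\Users\All Users\IObit not found.
C:\Users\Carl\ntuser.dat.iobit moved successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\IObit\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IObit\ not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\\@|"" /E : value set successfully!
========== COMMANDS ==========
[EMPTYTEMP]
Total Files Cleaned = 348.00 mb
Files\Folders moved on Reboot...
C:\Windows\temp\DELLNOTEBOOK-20140725-0727.log moved successfully.
File move failed. C:\Users\Carl\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scheduled to be moved on reboot.
File\Folder C:\Windows\temp\officeclicktorun.exe_c2ruidll(201407250727307F0).log not found!
'''

# "========== FILES ==========" style section headers.
SECTION_RE = re.compile(r"^=+\s*(?P<name>[A-Z ]+?)\s*=+$")
# Script lines the tool rejected; the rejected text sits between < and >.
UNINTERPRETED_RE = re.compile(
    r"^Error: Unable to interpret <(?P<text>.*)> in the current context!$")

# Outcome patterns, inferred from this log's line shapes (assumption).
OUTCOMES = [
    ("deferred", re.compile(
        r"^File move failed\. (?P<item>.+) scheduled to be moved on reboot\.$")),
    ("removed", re.compile(
        r"^(?:Registry (?:key|value) )?(?P<item>.+?)(?: folder)? "
        r"(?:moved|deleted) successfully\.$")),
    ("absent", re.compile(
        r"^(?:File\\Folder |Registry (?:key|value) )(?P<item>.+) not found[.!]$")),
    ("value_set", re.compile(r"^(?P<item>.+) : value set successfully!$")),
]


def triage(log_text):
    """Summarise a fix log: outcome counts per section plus follow-up items."""
    section = "PREAMBLE"
    counts = defaultdict(Counter)
    uninterpreted, deferred = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if line.endswith("..."):  # e.g. "Files\Folders moved on Reboot..."
            section = line[:-3]
            continue
        rejected = UNINTERPRETED_RE.match(line)
        if rejected:
            uninterpreted.append(rejected.group("text"))
            continue
        for outcome, pattern in OUTCOMES:
            hit = pattern.match(line)
            if hit:
                counts[section][outcome] += 1
                if outcome == "deferred":
                    deferred.append(hit.group("item"))
                break
    return {
        "counts": {name: dict(c) for name, c in counts.items()},
        "uninterpreted": uninterpreted,
        "deferred": deferred,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, outcome_counts in report["counts"].items():
        print(name, outcome_counts)
    print("Script lines not interpreted:", report["uninterpreted"])
    print("Still pending after reboot:", report["deferred"])
```

A large "absent" count is not a failure in itself: it only means the script listed items that were not on the machine when it ran.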



## eddie5659 (Mar 19, 2001)

Looks like most has gone, which is good

Can you see if you can start Malwarebytes again? If it doesn't start, uninstall and get a fresh one from here:

http://www.geekstogo.com/forum/files/download/334-mbam-malwarebytes-anti-malware

During installation, make sure to *uncheck* *Enable free trial of Malwarebytes Anti-Malware Premium*, then click *Finish*. You can always upgrade later

If that works, update it and run a scan.

Also, how is your fan, as you mentioned at the beginning it was running a lot more than normal?

eddie


----------



## referee07 (Sep 11, 2003)

eddie, thanks for the reply and for all of the help that you have given me. I am currently on a business trip and will return home on Sunday. I took my laptop (the one with the possible malware problem) with me and as soon as I got here and booted up the computer, I was confronted with a grey/white screen. After Googling the problem, I tried re-seating the RAM cards, which did not help. I also tried taking the computer's battery out, unplugging the computer and then holding the Power Button down, plugging the computer back in and starting it up, and still saw the grey/white screen. After I return home, I plan on taking the computer to a computer shop to see if a cable has come loose, the motherboard is bad or some other reason for the problem. (I do remember that when I was at home using the computer, I wasn't using the computer's screen but, instead, was using a regular monitor and when I started I got the same grey/white screen but only for a second before a picture appeared on the stand-alone monitor.) Anyway, I will have the computer checked out after I return home and once it is up-and-running, I will try to run Malwarebytes again. And once again, thanks for all of the help.


----------



## eddie5659 (Mar 19, 2001)

Sunday is fine, I'll look for the email around that time, so don't worry about that part.

As for the laptop, sometimes it can be hardware. My mum's laptop had a few issues, one being the backlight for the screen dying. This is the part that actually makes the screen bright, as we were looking at it and it was black (but you could just make out the login screen). After I repaired that, her keyboard, mouse and power button had issues (she stepped on it by mistake) so I had to replace all of them as well.

It's working now, but what a way to get it to work

So, in your case, it may be a graphics card fault, as you saw a small bit of it when you used an external monitor.


----------



## referee07 (Sep 11, 2003)

eddie, thanks again for the reply. I tried running Malwarebytes, but was unable to launch the program and then uninstalled the program and downloaded the program from the link that you provided. When I tried to install the program I got an "Internal Error: Expression Error 'Runtime Error (at 79:177): External Exception E06D7363.'"


----------



## eddie5659 (Mar 19, 2001)

Hi, back now, so let me have a look at that error and see what we can do 

Will reply definitely tonight, just made a nice cuppa so will do it now


----------



## eddie5659 (Mar 19, 2001)

Okay, I know you're having this issue when installing, so make sure it's definitely uninstalled then close all windows, and run this tool:

http://downloads.malwarebytes.org/file/mbam_clean

Double-click to run the tool, and it will run quickly. It will ask to restart your computer; please allow it to do so, this is very important.

Next Download & SAVE the latest version of Malwarebytes' Anti-Malware from

http://downloads.malwarebytes.org/file/mbam

(I know you already have, but just delete the previous one you tried, and get this fresh one, just to be safe)

Right-click on mbam-setup.exe and select *Run as Administrator* and allow to run.

Then after the setup has finished, on the Dashboard screen, press the *Update now* link.

Let me know if the update succeeds.

eddie


----------



## referee07 (Sep 11, 2003)

eddie, thanks for the reply. I just replied to your posting regarding the problem with my other computer indicating that it's relatively late now and I will try your suggestions tomorrow night. I will also try your suggestions in this posting tomorrow night also. Thanks again for your continuing help and suggestions, and it's good that you are back.


----------



## referee07 (Sep 11, 2003)

eddie5659, I was able to download, install, update and run Malwarebytes with no problems tonight. I am hoping that this success will continue and intend to try to run Malwarebytes again tomorrow. Do you know what the problem(s) might have been? Thank you again for all of your patience, hard work and diligence.


----------



## eddie5659 (Mar 19, 2001)

Just replied to other thread 

That's good (so far) with MBAM. It may have been a corrupt file, as this can happen with many programs, and just a simple reinstall normally works. However, running an actual cleanup tool reaches deeper in, and clears all entries out, so it was like it was never on.


----------



## referee07 (Sep 11, 2003)

eddie5659, I have run MBAM several times and (knock-on-wood) the program has run flawlessly each time. :~) Thank you very much for your patience, your expertise and your help. Take care, and I wish you the best.


----------



## eddie5659 (Mar 19, 2001)

Excellent news!!!

We'll remove the tools we've used on this computer, and I'll post my closing speech, then it's good to go

-------------------

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

*ComboFix /Uninstall*

This will delete ComboFix's related folders/files, reset the clock settings, hide file extensions/system files, clear the System Restore cache to prevent possible reinfection and create a new Restore point.
When it has finished you will see a dialog box stating that "ComboFix has been uninstalled".
After that, you can delete the ComboFix.exe program from your computer (Desktop).

Then, run this:

We need to remove the tools we've used during cleaning your machine


Download Delfix from here
Ensure *Remove disinfection tools* is ticked
*Also tick:*
Create registry backup
Purge system restore

Click *Run*
The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply

-----------------

*Clear Cache/Temp Files*
Download *TFC by OldTimer* to your desktop

 Please double-click *TFC.exe* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
It *will close all programs* when run, so make sure you have *saved all your work* before you begin.
Click the *Start* button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. *Let it run uninterrupted to completion*. 
Once it's finished it should *reboot your machine*. If it does not, please *manually reboot the machine* yourself to ensure a complete clean.

*Create Restore Point (Win7/Vista)*


Select *Start* > *Control Panel* then double-click on the *System* icon in the Control Panel.
In the left-hand pane click on the *System Protection* option.
When the Dialog comes up, click on the System Protection tab.
Check that the drive letter where Windows is located (usually C:) indicates System protection *ON*.
(This indicates System restore is turned ON for the Windows drive).
Click on the *Create* button to create a new restore point. In the Name dialog, type a descriptive name and then click on the *Create* button.
You will get a message that the Restore Point was created successfully. Click on the *Close* button.
Click on the *OK* button and close the System window in the Control Panel.

*Making Internet Explorer More Secure*

Go to Control Panel and open the *Internet Options*. Click on the *Advanced tab* and do the following:

 Tick Empty Temporary Internet Files When Browser is Closed under Security. Apply

Then, click on the *Security tab* and do the following:

 Make sure the Internet icon is selected.
 Click once on the *Custom Level* button.
 Change the *Download signed ActiveX controls* to *Prompt*.
 Change the *Download unsigned ActiveX controls* to *Disable*.
 Change the *Initialise and script ActiveX controls not marked as safe* to *Disable.*
 Change the *Installation of desktop items* to *Prompt.*
 Change the *Launching programs and files in an IFRAME* to *Prompt.*
 When all these settings have been made, click on the *OK* button.
 If it prompts you as to whether or not you want to save the settings, press the *Yes* button. 
 Next press the *Apply* button and then the *OK* to exit the Internet Properties page.

*Other Software Updates*
It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for *Java* and *Adobe* as these are subject to many security vulnerabilities.

Also, it's a good idea to keep on top of removing any Temp files etc every month or so. To do this, Windows has a pretty good tool.

Go to Start | Programs | Accessories | System Tools | Disk Cleanup
It should start straight away, but if you have to select a drive, click on the C-drive.
Let it run, and at the end it will give you some boxes to tick. 
All are okay to enable, then press *OK* and then *Yes* to the question after.
It will close after it's completed.


*CryptoPrevent* install this programme to lock down and prevent crypto ransomware (download link at bottom of page)

To keep your operating system up to date:

*All security updates released by Microsoft must be* *Automatically Installed.*

Click *Start* and in the search box type *windows update* and press *ENTER*.
Click *Change Settings* and make sure the *Install updates automatically (recommended)* option is selected, if not select it and click *O.K* to save settings.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
*SpywareBlaster* to help prevent spyware from installing in the first place.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this about Security online: *General Security Information, How to tighten Security Settings and Warnings*

Have a safe and happy computing day!

eddie


----------
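
The Internet-zone settings listed under "Making Internet Explorer More Secure" above can also be checked from the registry. The following PowerShell is an added example, not part of the original posts or of any tool used in this thread; it assumes the per-user zone store shown in the script, zone 3 as the Internet zone, and the URL action IDs 1001, 1004, 1201, 1800 and 1804. It only reads values, and it reports a setting as missing instead of failing, which covers a setting that does not appear on a given IE version.

```powershell
# Added example (not from the thread): read-only audit of the IE "Internet" zone.
# Assumptions: per-user zone store below, zone 3 = Internet, and the action IDs listed.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Zone settings are stored as DWORDs: 0 = Enable, 1 = Prompt, 3 = Disable.
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# The five settings from the post and the value each one should have.
$Expected = @(
    @{ Id = '1001'; Want = 1; Name = 'Download signed ActiveX controls' },
    @{ Id = '1004'; Want = 3; Name = 'Download unsigned ActiveX controls' },
    @{ Id = '1201'; Want = 3; Name = 'Initialise and script ActiveX controls not marked as safe' },
    @{ Id = '1800'; Want = 1; Name = 'Installation of desktop items' },
    @{ Id = '1804'; Want = 1; Name = 'Launching programs and files in an IFRAME' }
)

function Get-ZoneAudit {
    param(
        [string]$Path = $ZonePath,
        [object[]]$Settings = $Expected
    )
    # A missing key or value is reported in the output, not raised as an error.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($s in $Settings) {
        $raw = if ($props) { $props.($s.Id) } else { $null }
        if ($null -eq $raw) {
            $current = 'Not set'
            $status  = 'MISSING'
        } else {
            $value   = [int]$raw
            $current = if ($Label.ContainsKey($value)) { $Label[$value] } else { "Other ($value)" }
            $status  = if ($value -eq $s.Want) { 'OK' } else { 'CHANGE' }
        }
        New-Object PSObject -Property @{
            Setting  = $s.Name
            Id       = $s.Id
            Current  = $current
            Expected = $Label[$s.Want]
            Status   = $status
        }
    }
}

# Print one row per setting; nothing is modified.
Get-ZoneAudit | Select-Object Setting, Id, Current, Expected, Status | Format-Table -AutoSize -Wrap
```

Settings enforced through Group Policy are stored separately and take precedence, so this example reflects only what the current user has configured.
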



## referee07 (Sep 11, 2003)

eddie5659, when I cut-and-paste "ComboFix /Uninstall" in the Search box I get "No Items Match Your Search." I have Windows 7 installed on my computer; does this make a difference? Also, the "ComboFix /Uninstall" did not look like it was in bold print.


----------



## eddie5659 (Mar 19, 2001)

Looking at the details for DelFix, it removes Combofix, so just run that for now 

Not sure why it didn't work though


----------



## referee07 (Sep 11, 2003)

eddie5659, below is the report from running DelFix:

# DelFix v10.8 - Logfile created 01/09/2014 at 09:23:03
# Updated 29/07/2014 by Xplode
# Username : Carl - DELLNOTEBOOK
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\_OTL
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\AdwCleaner[R1].txt
Deleted : C:\AdwCleaner[R2].txt
Deleted : C:\AdwCleaner[S1].txt
Deleted : C:\AdwCleaner[S2].txt
Deleted : C:\AdwCleaner[S3].txt
Deleted : C:\ComboFix.txt
Deleted : C:\log.txt
Deleted : C:\TDSSKiller.3.0.0.40_13.07.2014_23.10.55_log.txt
Deleted : C:\Windows\grep.exe
Deleted : C:\Windows\PEV.exe
Deleted : C:\Windows\NIRCMD.exe
Deleted : C:\Windows\MBR.exe
Deleted : C:\Windows\SED.exe
Deleted : C:\Windows\SWREG.exe
Deleted : C:\Windows\SWSC.exe
Deleted : C:\Windows\SWXCACLS.exe
Deleted : C:\Windows\Zip.exe
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\TrendMicro\Hijackthis
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #831 [Windows Update | 08/28/2014 14:46:14]
Deleted : RP #832 [Nitro Pro 9 | 08/31/2014 02:16:03]
Deleted : RP #833 [IObit Uninstaller restore point | 08/31/2014 02:42:38]
Deleted : RP #834 [Nitro Pro 9 | 08/31/2014 02:43:49]

New restore point created !

########## - EOF - ##########
______________________________________________________________________________________________

I ran TFC and all went well except for the fact that when the program finished, the "Libraries" (Documents, Movies, Pictures and Videos) opened. I manually re-booted the computer and all appeared to be OK.
_______________________________________________________________________________________________


----------



## referee07 (Sep 11, 2003)

eddie5659, I was able to successfully create a Restore Point.
_______________________________________________________________________________________________

I was able to complete all of the suggestions under "Making Internet Explorer More Secure" except that I couldn't find the "Change the Installation of desktop items to Prompt."
_______________________________________________________________________________________________


----------



## eddie5659 (Mar 19, 2001)

Remove the following from the Desktop, if still there after doing the DelFix

*GMER
Security Check
jre-7u60-windows-i586.exe
OTL
AdwCleaner
Combofix
RogueKiller
TDSSKiller
aswMBR
SystemLook
shexview*



> I ran TFC and all went well except for the fact that when the program finished, the "Libraries" (Documents, Movies, Pictures and Videos) opened. I manually re-booted the computer and all appeared to be OK.


That's normal to see. It always opens on mine as well, I just close it after



> I was able to complete all of the suggestions under "Making Internet Explorer More Secure" except that I couldn't find the "Change the Installation of desktop items to Prompt."


I don't have the latest IE on this computer (use Firefox) but it may have been removed in the newer versions. I know when I look at my Vista laptop, and looking at work, they have different options, as work is newer.

Apart from that, is everything going okay with it so far?

eddie


----------



## referee07 (Sep 11, 2003)

eddie5659, I ran DelFix again, and here is the result:

# DelFix v10.8 - Logfile created 05/09/2014 at 21:01:16
# Updated 29/07/2014 by Xplode
# Username : Carl - DELLNOTEBOOK
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\_OTL
Deleted : C:\Users\Carl\Desktop\TFC.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #835 [End of disinfection | 09/01/2014 00:24:49]
Deleted : RP #836 [Following Removal of Tool From TSG.com | 09/01/2014 00:47:32]
Deleted : RP #837 [Windows Update | 09/02/2014 10:59:39]

New restore point created !

########## - EOF - ##########
_______________________________________________________________________________________________

I bought CryptoPrevent Premium last week but have never received the e-mail with the download and activation key. I have also never received the receipt e-mail. I have used the "Contact" link on the site to send four (4) messages during the course of the week to the developer of the program initially telling him that I had not received the e-mails and then telling him to refund my $15, but I have not received a reply to my messages. (My bank account has been debited the $15.) If it had not been for your recommendation, I would consider CryptoPrevent a complete scam. I think that I need a program on my computers to prevent CryptoLocker from hijacking my computers but after dealing with the developer of CryptoPrevent, I don't think that this is the program for me.
______________________________________________________________________________________________

I have been using Spyware Blaster for quite a while and think that it is a good program.
______________________________________________________________________________________________

Apart from the issue with CryptoPrevent, everything seems to be working well on this computer. Malwarebytes seems to be working very well.


----------



## eddie5659 (Mar 19, 2001)

> I bought CryptoPrevent Premium last week but have never received the e-mail with the download and activation key. I have also never received the receipt e-mail. I have used the "Contact" link on the site to send four (4) messages during the course of the week to the developer of the program initially telling him that I had not received the e-mails and then telling him to refund my $15, but I have not received a reply to my messages. (My bank account has been debited the $15.) If it had not been for your recommendation, I would consider CryptoPrevent a complete scam. I think that I need a program on my computers to prevent CryptoLocker from hijacking my computers but after dealing with the developer of CryptoPrevent, I don't think that this is the program for me.


I have the free version, but I can try and contact the developer for you. I may need an email address, but just hold off on that until I reply.

We won't mark this solved until this part is done.

On a side note, delete Delfix now, and just get TFC again. I use it monthly to clear out my temps etc 

Back very quick, off to contact (or find someone who can) the developer


----------



## referee07 (Sep 11, 2003)

eddie5659, thanks for your reply. Regarding the CryptoPrevent Premium program, I have asked my bank to redeposit the $15 that I paid for the program back into my account. The bank asked me if I have tried to resolve the problem by contacting the seller, and I replied that I have sent at least four (4) messages to the seller via his website and have not received replies to any of my messages. I do thank you for your time and effort to contact the developer. Also, because of your tireless work in helping me solve the problems with both of my computers, very soon I will be donating $100 to techguy.org. Thanks again for all of your help.


----------



## eddie5659 (Mar 19, 2001)

Well, I had a go at contacting, but no joy for me either. However, I have updated my speech and a piccy so others don't go for Premium.

Glad to hear it's all working okay (apart from that setback) and thank you for the donation.

If in the future you have any other problems, and post a thread but don't get any replies, drop me a message and I'll look at it. Even if it's non-malware, like Windows/Email etc

eddie


----------

