
Atomic Ads [Solved]

Malware Ad ware

  • This topic is locked

#1
bhzendner
  • Member
  • 226 posts

I have atomic ads and try as I may I can not get rid of it.

Please help.

#2
Biscuithd
  • Trusted Helper
  • Malware Removal
  • 2,573 posts

Sorry to hear that you're having trouble. Run the following scan and I'll have a look at the resulting scans and see what's going on. :)

Scan with OTL

Please download OTL by OldTimer and save the file to your desktop.

  • Right-click on the OTL icon and select Run as Administrator to start the tool.
  • Make sure that Scan All Users, LOP check and Purity check are ticked.
  • For 64-bit systems only - make sure that Include 64-bit option is also ticked.
  • Sections Processes, Modules, Services, Drivers, Standard Registry are set to Use Safelist.
  • Section Extra Registry is also set to Use Safelist.
  • Under the Custom Scans/Fixes bar in the box paste in the following:
    BASESERVICES
    /md5start
    rpcss.dll
    /md5stop
  • Push Run Scan and wait patiently.
  • Two notepad windows will be opened after this run: OTL.txt (maximized) and Extras.txt (minimized).

Please include the content of both logfiles in your next reply.


#3
bhzendner
  • Topic Starter
  • Member
  • 226 posts

OTL logfile created on: 8/13/2014 8:49:20 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\MrZ\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17207)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
7.50 Gb Total Physical Memory | 4.47 Gb Available Physical Memory | 59.58% Memory free
15.00 Gb Paging File | 11.56 Gb Available in Paging File | 77.11% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 223.22 Gb Total Space | 60.11 Gb Free Space | 26.93% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 870.81 Gb Free Space | 93.48% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 29.86 Gb Free Space | 3.21% Space Free | Partition Type: NTFS
Drive F: | 27.84 Gb Total Space | 27.30 Gb Free Space | 98.05% Space Free | Partition Type: FAT32
Drive J: | 100.97 Mb Total Space | 70.54 Mb Free Space | 69.86% Space Free | Partition Type: NTFS
Drive P: | 1862.92 Gb Total Space | 569.71 Gb Free Space | 30.58% Space Free | Partition Type: NTFS
Drive Z: | 100.00 Gb Total Space | 60.11 Gb Free Space | 60.11% Space Free | Partition Type: MFilesFS
 
Computer Name: WIN7SSD | User Name: MrZ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - File not found --
PRC - [2014/08/13 20:47:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\MrZ\Desktop\OTL.exe
PRC - [2014/08/06 02:34:34 | 005,052,224 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
PRC - [2014/08/03 15:41:45 | 003,428,672 | ---- | M] (LogMeIn, Inc.) -- C:\Users\MrZ\AppData\Local\LogMeIn Client\LogMeIn Client.exe
PRC - [2014/08/03 15:41:45 | 000,375,128 | ---- | M] (LogMeIn, Inc.) -- C:\Users\MrZ\AppData\Local\LogMeIn Client\LMIGuardian.exe
PRC - [2014/08/02 12:32:19 | 000,251,040 | ---- | M] (Microsoft Corporation) -- C:\Users\MrZ\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
PRC - [2014/05/12 07:24:42 | 000,860,472 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
PRC - [2014/05/12 07:24:40 | 001,809,720 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
PRC - [2014/05/12 07:24:34 | 006,970,168 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
PRC - [2014/03/28 04:28:37 | 000,067,904 | ---- | M] (MediaMall Technologies, Inc.) -- C:\Program Files (x86)\MediaMall\PlayOn.exe
PRC - [2014/03/28 04:27:56 | 005,454,640 | ---- | M] (MediaMall Technologies, Inc.) -- C:\Program Files (x86)\MediaMall\MediaMallServer.exe
PRC - [2014/01/26 16:31:49 | 000,186,760 | ---- | M] () -- C:\Program Files (x86)\Photodex\ProShow Gold\scsiaccess.exe
PRC - [2013/11/20 16:43:26 | 000,059,720 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
PRC - [2013/11/20 16:43:14 | 000,059,720 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
PRC - [2013/11/14 04:29:33 | 000,863,184 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
PRC - [2013/09/14 04:27:52 | 000,059,720 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Internet Services\APSDaemon.exe
PRC - [2013/02/16 22:50:26 | 002,529,120 | ---- | M] (M-Files Corporation) -- C:\Program Files\M-Files\9.0.3372.41\Bin\x86\MFServerAux.exe
PRC - [2012/12/18 07:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/12/22 00:11:26 | 003,961,464 | ---- | M] (Eye-Fi, Inc.) -- C:\Program Files (x86)\Eye-Fi\Helper\EyeFiHelper.exe
PRC - [2010/11/17 09:53:16 | 000,113,288 | ---- | M] (Renesas Electronics Corporation) -- C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014/08/03 15:41:45 | 004,565,336 | ---- | M] () -- C:\Users\MrZ\AppData\Local\LogMeIn Client\RACtrl.dll
MOD - [2014/08/03 15:41:45 | 000,009,584 | ---- | M] () -- C:\Users\MrZ\AppData\Local\LogMeIn Client\ractrlkeyhook.dll
MOD - [2014/06/10 13:19:06 | 008,892,072 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office15\1033\GrooveIntlResource.dll
MOD - [2014/02/26 22:25:50 | 012,894,208 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\f4f6ee0df2aa4189bf36e6335cb92761\System.Windows.Forms.ni.dll
MOD - [2014/02/26 22:25:46 | 006,990,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\dce99d8de14d8a015313db98c72552ee\System.Core.ni.dll
MOD - [2014/02/26 22:25:44 | 001,644,544 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\5cd2aee5e7c07227c694d89219688ab3\System.Drawing.ni.dll
MOD - [2014/02/26 22:25:42 | 010,060,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ff26cc03e6d57d8abd13b990332e67c6\System.ni.dll
MOD - [2014/02/26 22:25:39 | 000,198,656 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\92e9bacef49552a4485fbb7523782133\CustomMarshalers.ni.dll
MOD - [2014/02/26 22:25:38 | 016,953,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\ce5f61c5754789df97be8dc991c47d07\mscorlib.ni.dll
MOD - [2014/02/12 06:19:27 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\b34b348a9935338b1282fd0c9309eb1f\System.ServiceProcess.ni.dll
MOD - [2014/02/12 06:18:59 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\8bc548587e91ecf0552a40e47bbf99cc\System.Windows.Forms.ni.dll
MOD - [2014/02/12 06:18:54 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5c24d3b0041ebf4f48a93615b9fa3de9\System.Drawing.ni.dll
MOD - [2014/02/12 06:18:38 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\b3a78269847005365001c33870cd121f\System.ni.dll
MOD - [2014/02/12 06:18:35 | 011,499,520 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ede2c6c842840e009f01bcc74fa4c457\mscorlib.ni.dll
MOD - [2014/01/23 15:55:44 | 001,030,312 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office15\ADDINS\UmOutlookAddin.dll
MOD - [2013/11/14 04:29:31 | 000,399,312 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\ppgooglenaclpluginchrome.dll
MOD - [2013/11/14 04:29:29 | 004,055,504 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\pdf.dll
MOD - [2013/11/14 04:28:37 | 000,702,416 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\libglesv2.dll
MOD - [2013/11/14 04:28:36 | 000,099,792 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\libegl.dll
MOD - [2013/11/14 04:28:34 | 001,619,408 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\ffmpegsumo.dll
MOD - [2013/09/14 02:51:02 | 000,087,952 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Internet Services\zlib1.dll
MOD - [2013/09/14 02:50:36 | 001,242,952 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Internet Services\libxml2.dll
MOD - [2011/12/21 23:59:12 | 000,133,120 | ---- | M] () -- C:\Program Files (x86)\Eye-Fi\Helper\libexif.dll
MOD - [2011/12/21 23:56:16 | 000,209,408 | ---- | M] () -- C:\Program Files (x86)\Eye-Fi\Helper\libopenraw.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2014/07/17 19:21:28 | 000,127,752 | ---- | M] (SurfRight B.V.) [Auto | Running] -- C:\Program Files\HitmanPro\hmpsched.exe -- (HitmanProScheduler)
SRV:64bit: - [2014/06/18 17:24:12 | 000,111,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV:64bit: - [2013/05/26 22:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2013/02/16 22:50:48 | 007,759,712 | ---- | M] (M-Files Corporation) [Auto | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\mfclient.exe -- (MFClient 9.0.3372.41)
SRV:64bit: - [2013/02/16 22:50:44 | 003,459,424 | ---- | M] (M-Files Corporation) [Auto | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\mfdataexport.exe -- (MFDataExport 9.0.3372.41)
SRV:64bit: - [2013/02/16 22:50:40 | 002,759,008 | ---- | M] (M-Files Corporation) [Auto | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\mfindexingmanager.exe -- (MFIndexingManager 9.0.3372.41)
SRV:64bit: - [2013/02/16 22:50:38 | 031,902,560 | ---- | M] (M-Files Corporation) [Auto | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\mfserver.exe -- (MFServer 9.0.3372.41)
SRV:64bit: - [2013/02/16 22:50:26 | 002,529,120 | ---- | M] (M-Files Corporation) [Auto | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x86\mfserveraux.exe -- (MFServerAux 9.0.3372.41)
SRV:64bit: - [2013/02/16 22:50:08 | 002,914,656 | ---- | M] (M-Files Corporation) [Auto | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\mfsetup.exe -- (MFSetup 9.0.3372.41)
SRV:64bit: - [2013/01/12 12:26:30 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2012/03/11 21:13:24 | 002,815,496 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV:64bit: - [2011/04/20 02:04:20 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009/12/21 10:44:06 | 000,535,552 | ---- | M] (CSR, plc) [Auto | Running] -- C:\Windows\SysNative\HFGService.dll -- (HFGService)
SRV:64bit: - [2009/07/13 18:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2008/05/07 16:29:38 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\Windows\SysNative\Crypserv.exe -- (Crypkey License)
SRV - [2014/08/06 02:34:34 | 005,052,224 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe -- (TeamViewer9)
SRV - [2014/07/19 09:09:28 | 000,226,640 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\ramaint.exe -- (LMIMaint)
SRV - [2014/07/19 09:09:25 | 000,376,144 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2014/05/12 07:24:42 | 000,860,472 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2014/05/12 07:24:40 | 001,809,720 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2014/03/28 04:27:56 | 005,454,640 | ---- | M] (MediaMall Technologies, Inc.) [Auto | Running] -- C:\Program Files (x86)\MediaMall\MediaMallServer.exe -- (MediaMall Server)
SRV - [2014/01/26 16:31:49 | 000,186,760 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Photodex\ProShow Gold\scsiaccess.exe -- (ScsiAccess)
SRV - [2013/09/11 22:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2012/12/18 07:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/11/29 12:56:50 | 000,407,424 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe -- (LogMeIn)
SRV - [2010/11/20 20:24:51 | 000,397,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010/11/20 20:24:51 | 000,397,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2010/11/20 20:24:51 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2009/06/10 14:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2014/08/13 20:48:41 | 000,122,584 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys -- (MBAMSwissArmy)
DRV:64bit: - [2014/07/19 09:09:26 | 000,107,368 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV:64bit: - [2014/05/16 14:03:30 | 000,141,600 | ---- | M] (Oracle Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VBoxNetAdp.sys -- (VBoxNetAdp)
DRV:64bit: - [2014/05/12 07:26:10 | 000,063,704 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mwac.sys -- (MBAMWebAccessControl)
DRV:64bit: - [2014/05/12 07:25:56 | 000,025,816 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2014/03/19 15:23:14 | 000,050,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)
DRV:64bit: - [2013/11/26 13:26:34 | 000,025,992 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\uim_devim.sys -- (Uim_DEVIM)
DRV:64bit: - [2013/11/26 13:26:32 | 000,700,680 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\uim_im.sys -- (Uim_IM)
DRV:64bit: - [2013/11/26 13:26:32 | 000,102,664 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\UimBus.sys -- (UimBus)
DRV:64bit: - [2013/11/26 13:26:30 | 000,034,056 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\hotcore3.sys -- (hotcore3)
DRV:64bit: - [2013/10/01 19:22:20 | 000,056,832 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2013/03/05 20:28:18 | 000,028,528 | ---- | M] (MediaMall Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\povrtdev.sys -- (msvad_simple)
DRV:64bit: - [2013/02/16 22:11:42 | 000,105,280 | ---- | M] (M-Files Corporation) [File_System | On_Demand | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\MFFSD.sys -- (MFFSDCE226221-400E-4813-A98D-44DD7E269D32)
DRV:64bit: - [2013/02/16 22:10:58 | 000,022,336 | ---- | M] (M-Files Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\MFVDD.sys -- (MFVDD97C82C14-5040-40A9-AFC1-442DBE92CBE8)
DRV:64bit: - [2012/12/18 15:05:06 | 000,105,112 | ---- | M] (Miray) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mvd.sys -- (MirayVirtualDisk)
DRV:64bit: - [2012/12/13 13:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/11/29 12:56:50 | 000,072,216 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV:64bit: - [2012/11/29 12:56:30 | 000,011,552 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lmimirr.sys -- (lmimirr)
DRV:64bit: - [2012/09/24 18:12:02 | 000,015,808 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AVVideoCardMirror.sys -- (AirDisplayMirror)
DRV:64bit: - [2012/09/24 18:12:02 | 000,015,808 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AVVideoCard.sys -- (AirDisplay)
DRV:64bit: - [2012/08/23 07:12:16 | 000,029,696 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt)
DRV:64bit: - [2012/08/23 07:10:20 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2012/08/23 07:08:26 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/03/11 21:13:40 | 000,022,696 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\SysNative\drivers\cmderd.sys -- (cmderd)
DRV:64bit: - [2012/02/29 23:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/11/03 03:01:00 | 000,056,208 | ---- | M] (Rovi Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2011/07/22 09:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2011/07/12 14:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2011/06/10 06:34:52 | 000,539,240 | ---- | M] (Realtek                                            ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/04/20 02:44:50 | 009,319,936 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/04/20 01:22:34 | 000,306,176 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/03/10 23:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/10 23:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/02/10 14:52:34 | 000,181,760 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV:64bit: - [2011/02/10 14:52:34 | 000,082,432 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub)
DRV:64bit: - [2011/01/15 09:21:04 | 000,036,352 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VClone.sys -- (VClone)
DRV:64bit: - [2010/12/16 15:58:14 | 000,040,816 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV:64bit: - [2010/11/20 20:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub)
DRV:64bit: - [2010/11/20 20:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV:64bit: - [2010/11/20 20:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 20:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 06:34:04 | 000,360,832 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcvmm.sys -- (vpcvmm)
DRV:64bit: - [2010/11/20 06:34:04 | 000,194,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vpchbus.sys -- (vpcbus)
DRV:64bit: - [2010/11/20 04:35:34 | 000,095,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vpcusb.sys -- (vpcusb)
DRV:64bit: - [2010/11/20 04:35:22 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcnfltr.sys -- (vpcnfltr)
DRV:64bit: - [2009/12/21 10:43:36 | 000,052,224 | ---- | M] (CSR, plc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\BthAudioHF.sys -- (BthAudioHF)
DRV:64bit: - [2009/12/21 10:43:00 | 000,078,848 | ---- | M] (CSR, plc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bthav.sys -- (csr_a2dp)
DRV:64bit: - [2009/08/13 08:38:24 | 000,029,184 | ---- | M] (CSR, plc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\BthAvrcp.sys -- (BthAvrcp)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008/05/06 16:06:00 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wdcsam64.sys -- (WDC_SAM)
DRV:64bit: - [2008/04/16 14:49:34 | 000,028,416 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys -- (RimUsb)
DRV:64bit: - [2008/03/17 10:12:26 | 000,028,664 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\Ckldrv.sys -- (NetworkX)
DRV - [2013/05/31 05:02:09 | 000,016,056 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\rainfo.sys -- (LMIInfo)
DRV - [2009/07/13 18:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:3128
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" =
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CE 0D 5F 79 01 8D CF 01  [binary data]
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE11SR
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.67.2: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.67.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/Lync,version=15.0: C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~3\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@photodex.com/PhotodexPresenter: C:\Program Files (x86)\Photodex Presenter\npPxPlay.dll ( )
FF - HKLM\Software\MozillaPlugins\@playon.tv/PlayOnToolbar: C:\Program Files (x86)\MediaMall\toolbar\npVT.dll (MediaMall Technologies, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeExManDetect: C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll File not found
FF - HKCU\Software\MozillaPlugins\@citrixonline.com/appdetectorplugin: C:\Users\MrZ\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF - HKCU\Software\MozillaPlugins\@spoon.net/Spoon Plugin 3.33: C:\Users\MrZ\AppData\Local\Spoon\3.33.6.270\npMozillaSpoonPlugin.dll File not found
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3c9761ad-a43d-4447-b924-f5d83cb48063}: C:\Program Files (x86)\Zend\Zend Studio 9.0.1\toolbars\firefox [2012/10/14 11:36:42 | 000,000,000 | ---D | M]
 
[2013/12/01 11:43:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\extensions
[2012/08/25 17:50:01 | 000,000,000 | ---D | M] (uTorrentControl_v2) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
[2014/08/02 16:01:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\Profiles\extensions
[2014/06/19 19:26:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\Profiles\extensions\extensions
[2012/09/27 09:59:30 | 000,000,000 | ---D | M] (OneClickDownloader) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\Profiles\extensions\[email protected]
[2013/10/17 12:23:22 | 000,034,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},
CHR - homepage:
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\22.0.1229.79\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\pdf.dll
CHR - plugin: Conduit Chrome Plugin (Enabled) = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda\10.11.21.5_0\plugins/ConduitChromeApiPlugin.dll
CHR - plugin: Conduit Radio Plugin (Enabled) = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda\10.11.21.5_0\plugins/np-cwmp.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft Office 2013 (Enabled) = C:\PROGRA~2\MICROS~3\Office15\NPSPWRAP.DLL
CHR - plugin: Microsoft Office 2013 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - Extension: YouTube = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Chrome RDP = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbkkbcmdlboombapidmoeolnmdacpkch\4.3.10_0\
CHR - Extension: Chrome RDP = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbkkbcmdlboombapidmoeolnmdacpkch\4.3.11_0\
CHR - Extension: Chrome RDP = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbkkbcmdlboombapidmoeolnmdacpkch\4.3.8_0\
CHR - Extension: Chrome RDP = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbkkbcmdlboombapidmoeolnmdacpkch\4.4.2_0\
CHR - Extension: Google Search = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: iCloud Bookmarks = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkepacicchenbjecpbpbclokcabebhah\1.2.12_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\30.0.1599.86_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\32.0.1700.63_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\32.0.1700.98_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\32.0.1700.99_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\33.0.1750.125_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\33.0.1750.126_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\33.0.1750.126_0\~
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\34.0.1847.90_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\34.0.1847.90_0\~
CHR - Extension: PlayOn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ienaefcpghbmccojmklhdffdobkbencj\1.0_0\
CHR - Extension: PlayOn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ienaefcpghbmccojmklhdffdobkbencj\1.0_1\
CHR - Extension: PlayOn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ienaefcpghbmccojmklhdffdobkbencj\1.0_2\
CHR - Extension: ActiveX for Chrome = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgllffgicojgllpmdbemgglaponefajn\1.5.0.7_0\
CHR - Extension: CSS3Clock = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\njoeghbchhecmmnlkgpoljfpdggoffbi\1.1.5_0\
CHR - Extension: LogMeIn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmgnihglilniboicepgjclfiageofdfj\1.0.0.1029_0\
CHR - Extension: LogMeIn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmgnihglilniboicepgjclfiageofdfj\1.0.0.1078_0\
CHR - Extension: LogMeIn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmgnihglilniboicepgjclfiageofdfj\1.0.0.1080_0\
CHR - Extension: LogMeIn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmgnihglilniboicepgjclfiageofdfj\1.0.0.1082_0\
CHR - Extension: Google Wallet = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0\
CHR - Extension: Google Wallet = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.0_0\
CHR - Extension: Google Wallet = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_0\
CHR - Extension: AccessNow by Ericom (RDP client) = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\npaobnlmoaflieppdiljaekgeemaplhe\2.1.0.1_0\
CHR - Extension: GreatArcadeHits = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocifcogajbgikalbpphmoedjlcfjkhgh\1.0.7_0\
CHR - Extension: LogMeIn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\omkjapkpkiciphacnalicgmmcelfolon\1.0.0.1037_0\
CHR - Extension: Gmail = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\
CHR - Extension: Atomic Savings = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmicfehfblhebdfbhfgmmfcaikafckac\1.0_0\
CHR - Extension: Atomic Savings = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmicfehfblhebdfbhfgmmfcaikafckac\1.0_1\
CHR - Extension: Atomic Savings = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmicfehfblhebdfbhfgmmfcaikafckac\1.0_2\
 
O1 HOSTS File: ([2014/05/31 12:49:11 | 000,000,045 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 54.235.90.58 pmicfehfblhebdfbhfgmmfcaikafckac
O2:64bit: - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - No CLSID value found.
O2:64bit: - BHO: (no name) - {56bc31de-97ab-4563-8599-ad5d4e9800f9} - No CLSID value found.
O2:64bit: - BHO: (PlayOn) - {9A87E478-A2BD-44C4-9F8C-D3989A5271B1} - C:\Program Files (x86)\MediaMall\toolbar\pobho64.dll (MediaMall Technologies, Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (PlayOn) - {9A87E478-A2BD-44C4-9F8C-D3989A5271B1} - C:\Program Files (x86)\MediaMall\toolbar\pobho.dll (MediaMall Technologies, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (PlayOn) - {9A87E478-A2BD-44C4-9F8C-D3989A5271B1} - C:\Program Files (x86)\MediaMall\toolbar\pobho64.dll (MediaMall Technologies, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Zend Studio) - {95188727-288F-4581-A48D-EAB3BD027314} - C:\Program Files (x86)\Zend\Zend Studio 9.0.1\toolbars\ZendIEToolbar.dll (Zend Technologies Ltd)
O3 - HKLM\..\Toolbar: (PlayOn) - {9A87E478-A2BD-44C4-9F8C-D3989A5271B1} - C:\Program Files (x86)\MediaMall\toolbar\pobho.dll (MediaMall Technologies, Inc.)
O3 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4:64bit: - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4:64bit: - HKLM..\Run: [LogMeIn GUI] C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe (LogMeIn, Inc.)
O4:64bit: - HKLM..\Run: [M-Files Status 9.0.3372.41] C:\Program Files\M-Files\9.0.3372.41\Bin\x64\MFStatus.exe (M-Files Corporation)
O4 - HKLM..\Run: [NUSB3MON] C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation)
O4 - HKU\.DEFAULT..\Run: [RemotePotatoIRHelper] C:\Program Files (x86)\FatAttitude\Remote Potato\RPKeySender.exe File not found
O4 - HKU\S-1-5-18..\Run: [RemotePotatoIRHelper] C:\Program Files (x86)\FatAttitude\Remote Potato\RPKeySender.exe File not found
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [AdobeBridge]  File not found
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe (Apple Inc.)
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [Eye-Fi] C:\Program Files (x86)\Eye-Fi\Helper\EyeFiHelper.exe (Eye-Fi, Inc.)
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe (Apple Inc.)
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [PlayOn] C:\Program Files (x86)\MediaMall\PlayOn.exe (MediaMall Technologies, Inc.)
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [SkyDrive] C:\Users\MrZ\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_125_ActiveX.exe -update activex File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O9:64bit: - Extra Button: PlayOn - {936CEA21-9A68-46D9-A31B-1173A976D896} - C:\Program Files (x86)\MediaMall\toolbar\pobho64.dll (MediaMall Technologies, Inc.)
O9:64bit: - Extra 'Tools' menuitem : PlayOn - {936CEA21-9A68-46D9-A31B-1173A976D896} - C:\Program Files (x86)\MediaMall\toolbar\pobho64.dll (MediaMall Technologies, Inc.)
O9 - Extra Button: PlayOn - {936CEA21-9A68-46D9-A31B-1173A976D896} - C:\Program Files (x86)\MediaMall\toolbar\pobho.dll (MediaMall Technologies, Inc.)
O9 - Extra 'Tools' menuitem : PlayOn - {936CEA21-9A68-46D9-A31B-1173A976D896} - C:\Program Files (x86)\MediaMall\toolbar\pobho.dll (MediaMall Technologies, Inc.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} https://secure.logme...scueControl.cab (LogMeIn Rescue Technician Console)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.6.2.cab (DLM Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://control.itsu...nts/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://docstar.webe...br/ieatgpc1.cab (GpcContainer Class)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...rl.cab?lmi=1058 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{47A47527-624A-430E-829B-1177324A0A7A}: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\osf - No CLSID value found
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\guard64.dll) - C:\Windows\SysNative\guard64.dll (COMODO)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\guard32.dll) - C:\Windows\SysWOW64\guard32.dll (COMODO)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/07/16 15:33:00 | 000,000,032 | -H-- | M] () - D:\Autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/08/13 20:47:01 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\MrZ\Desktop\OTL.exe
[2014/08/12 19:33:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2014/08/12 19:33:14 | 000,272,808 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2014/08/12 19:33:06 | 000,098,216 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2014/08/12 19:33:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
[2014/08/12 19:33:05 | 000,175,528 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2014/08/12 19:33:05 | 000,175,528 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2014/08/10 18:17:25 | 000,000,000 | ---D | C] -- C:\Users\MrZ\AppData\Roaming\30765
[2014/08/09 18:53:39 | 000,000,000 | ---D | C] -- C:\Users\MrZ\AppData\Roaming\TeamViewer
[2014/08/09 18:53:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\TeamViewer
[2014/08/02 16:01:45 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014/08/02 16:00:31 | 001,016,261 | ---- | C] (Thisisu) -- C:\Users\MrZ\Desktop\JRT.exe
[2014/08/02 15:54:16 | 001,942,776 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\MrZ\Desktop\rkill.exe
[2014/07/21 18:19:19 | 000,000,000 | ---D | C] -- C:\Users\MrZ\AppData\Local\Adobe
[2014/07/20 16:14:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec
 
========== Files - Modified Within 30 Days ==========
 
[2014/08/13 20:50:58 | 001,474,832 | ---- | M] () -- C:\Windows\SysNative\drivers\sfi.dat
[2014/08/13 20:48:41 | 000,122,584 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014/08/13 20:48:22 | 000,021,888 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/08/13 20:48:22 | 000,021,888 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/08/13 20:47:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\MrZ\Desktop\OTL.exe
[2014/08/13 20:46:48 | 000,823,190 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2014/08/13 20:46:48 | 000,695,254 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2014/08/13 20:46:48 | 000,131,356 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2014/08/13 20:41:27 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014/08/13 20:41:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/08/13 20:41:01 | 1744,183,295 | -HS- | M] () -- C:\hiberfil.sys
[2014/08/13 05:11:00 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014/08/12 20:00:00 | 000,000,368 | ---- | M] () -- C:\Windows\tasks\At1.job
[2014/08/12 19:33:02 | 000,098,216 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2014/08/12 19:33:01 | 000,272,808 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2014/08/12 19:33:01 | 000,175,528 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2014/08/12 19:33:01 | 000,175,528 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2014/08/12 19:26:32 | 005,074,160 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2014/08/10 12:26:00 | 000,000,426 | ---- | M] () -- C:\Windows\tasks\SlimCleaner Plus (Scheduled Scan - MrZ).job
[2014/08/09 18:53:37 | 000,001,171 | ---- | M] () -- C:\Users\Public\Desktop\TeamViewer 9.lnk
[2014/08/02 18:11:03 | 000,838,450 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2014/08/02 16:00:40 | 001,016,261 | ---- | M] (Thisisu) -- C:\Users\MrZ\Desktop\JRT.exe
[2014/08/02 15:58:22 | 001,361,309 | ---- | M] () -- C:\Users\MrZ\Desktop\adwcleaner_3.302.exe
[2014/08/02 15:54:24 | 001,942,776 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\MrZ\Desktop\rkill.exe
[2014/07/19 09:09:26 | 000,107,368 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIRfsClientNP.dll
[2014/07/19 09:09:26 | 000,092,488 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIinit.dll
[2014/07/19 09:09:26 | 000,035,656 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIport.dll
 
========== Files Created - No Company Name ==========
 
[2014/08/09 18:53:37 | 000,001,183 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
[2014/08/09 18:53:37 | 000,001,171 | ---- | C] () -- C:\Users\Public\Desktop\TeamViewer 9.lnk
[2014/08/02 15:58:18 | 001,361,309 | ---- | C] () -- C:\Users\MrZ\Desktop\adwcleaner_3.302.exe
[2014/05/03 08:14:56 | 000,000,856 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2014/01/19 16:28:28 | 000,004,608 | ---- | C] () -- C:\Users\MrZ\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2014/01/17 23:20:21 | 000,000,004 | ---- | C] () -- C:\Windows\vx86036.dat
[2014/01/17 23:19:49 | 000,000,074 | ---- | C] () -- C:\Windows\Crypkey.ini
[2014/01/17 23:19:47 | 000,027,648 | R--- | C] () -- C:\Windows\Setup_ck.exe
[2014/01/17 23:19:47 | 000,018,432 | ---- | C] () -- C:\Windows\Setup_ck.dll
[2014/01/17 23:19:47 | 000,011,776 | ---- | C] () -- C:\Windows\Ckrfresh.exe
[2013/12/06 20:47:03 | 000,000,282 | ---- | C] () -- C:\Windows\ODBC.INI
[2013/10/10 14:35:10 | 000,009,584 | ---- | C] () -- C:\Windows\SysWow64\ractrlkeyhook.dll
[2012/11/19 22:37:12 | 000,000,600 | ---- | C] () -- C:\Users\MrZ\PUTTY.RND
[2012/10/14 11:41:43 | 000,000,005 | -H-- | C] () -- C:\Users\MrZ\.zs
[2012/09/27 20:14:29 | 000,012,354 | ---- | C] () -- C:\Users\MrZ\barcodei4.php
[2012/09/27 20:06:51 | 000,012,354 | ---- | C] () -- C:\Users\MrZ\barcodei3.php
[2012/09/23 21:08:37 | 000,007,618 | ---- | C] () -- C:\Users\MrZ\AppData\Local\Resmon.ResmonCfg
[2012/09/16 12:49:56 | 000,002,558 | ---- | C] () -- C:\Users\MrZ\index2.php
[2012/09/15 16:39:15 | 000,002,493 | ---- | C] () -- C:\Users\MrZ\iisstart.php
[2012/08/30 20:26:35 | 000,000,100 | ---- | C] () -- C:\Windows\1FB169BC-703B-4282-BD96-2CCF743D3814.ini
 
========== ZeroAccess Check ==========
 
[2009/07/13 21:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/03/24 19:43:12 | 014,175,744 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/03/24 19:09:54 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 18:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 20:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 18:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2014/01/11 18:48:53 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\eclipse
[2014/01/11 18:48:53 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\ISIS Drivers
[2014/01/11 18:48:53 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\eclipse
[2014/01/11 18:48:53 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\ISIS Drivers
[2014/08/10 18:17:25 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\30765
[2013/11/25 20:18:33 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\5779
[2012/09/23 20:58:07 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Canneverbe Limited
[2013/11/30 11:41:11 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Dropbox
[2014/02/14 20:42:42 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\DVDFab9
[2014/06/06 23:38:47 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\eclipse
[2014/02/09 00:56:35 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Eye-Fi
[2012/09/10 18:52:26 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Imagenomic
[2014/01/11 18:54:18 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\ISIS Drivers
[2012/09/03 21:16:26 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\JAM Software
[2013/11/03 17:50:27 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Netscape
[2012/09/09 20:45:12 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Notepad++
[2013/06/19 20:18:16 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Oracle
[2013/11/03 17:49:52 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Photodex
[2013/11/28 15:07:27 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\redsn0w
[2013/07/31 19:57:58 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Serif
[2014/08/10 11:05:07 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\TeamViewer
[2014/01/19 15:46:53 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\TechSmith
[2012/11/19 21:34:57 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\TightVNC
[2014/02/09 00:56:55 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Titanium
[2014/03/26 08:44:39 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\uTorrent
[2012/08/24 20:29:58 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\White Peak Software
[2014/06/19 19:56:04 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\XBMC
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
========== Base Services ==========
SRV:64bit: - [2009/07/13 18:40:01 | 000,072,192 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\aelupsvc.dll -- (AeLookupSvc)
SRV:64bit: - [2013/02/26 22:47:10 | 000,070,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\appinfo.dll -- (Appinfo)
SRV:64bit: - [2009/07/13 18:38:55 | 000,079,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\alg.exe -- (ALG)
SRV:64bit: - [2010/11/20 20:23:51 | 000,849,920 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\qmgr.dll -- (BITS)
SRV:64bit: - [2010/11/20 20:24:00 | 000,705,024 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\BFE.DLL -- (BFE)
SRV:64bit: - [2014/04/11 19:19:05 | 000,031,232 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\lsass.exe -- (KeyIso)
SRV:64bit: - [2009/07/13 18:40:50 | 000,402,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\es.dll -- (EventSystem)
SRV - [2009/07/13 18:15:19 | 000,271,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\es.dll -- (EventSystem)
SRV:64bit: - [2012/07/04 15:13:27 | 000,136,704 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\browser.dll -- (Browser)
SRV:64bit: - [2013/07/08 22:46:20 | 000,184,320 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\cryptsvc.dll -- (CryptSvc)
SRV - [2013/07/08 21:46:31 | 000,140,288 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\cryptsvc.dll -- (CryptSvc)
SRV:64bit: - [2010/11/20 20:24:01 | 000,512,000 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\rpcss.dll -- (DcomLaunch)
SRV:64bit: - [2010/11/20 20:24:00 | 000,317,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dhcpcore.dll -- (Dhcp)
SRV - [2010/11/20 20:24:09 | 000,254,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\dhcpcore.dll -- (Dhcp)
SRV:64bit: - [2011/03/02 23:24:16 | 000,183,296 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dnsrslvr.dll -- (Dnscache)
SRV:64bit: - [2009/07/13 18:40:35 | 000,111,104 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\eapsvc.dll -- (EapHost)
SRV:64bit: - [2009/07/13 18:41:00 | 000,038,912 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\hidserv.dll -- (hidserv)
SRV - [2009/07/13 18:15:24 | 000,049,152 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\hidserv.dll -- (hidserv)
SRV:64bit: - [2009/07/13 18:41:10 | 000,359,424 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\ipnathlp.dll -- (SharedAccess)
SRV:64bit: - [2010/11/20 20:23:48 | 000,501,248 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\IPSECSVC.DLL -- (PolicyAgent)
No service found with a name of MsMpSvc
No service found with a name of NisSrv
SRV:64bit: - [2009/07/13 18:41:54 | 000,524,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\swprv.dll -- (swprv)
SRV:64bit: - [2009/07/13 18:41:26 | 000,067,584 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\SysNative\mmcss.dll -- (MMCSS)
SRV:64bit: - [2009/07/13 18:41:52 | 000,360,448 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\netman.dll -- (Netman)
SRV:64bit: - [2009/07/13 18:41:52 | 000,459,776 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\netprofm.dll -- (netprofm)
SRV - [2009/07/13 18:16:03 | 000,360,448 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\netprofm.dll -- (netprofm)
SRV:64bit: - [2012/10/03 10:44:21 | 000,303,104 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\nlasvc.dll -- (NlaSvc)
SRV:64bit: - [2009/07/13 18:41:53 | 000,025,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\nsisvc.dll -- (nsi)
SRV:64bit: - [2011/05/24 04:42:55 | 000,404,480 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\umpnpmgr.dll -- (PlugPlay)
SRV:64bit: - [2012/02/10 23:36:02 | 000,559,104 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\spoolsv.exe -- (Spooler)
SRV:64bit: - [2014/04/11 19:19:05 | 000,031,232 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\lsass.exe -- (ProtectedStorage)
No service found with a name of EMDMgmt
SRV:64bit: - [2009/07/13 18:41:53 | 000,099,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rasauto.dll -- (RasAuto)
SRV:64bit: - [2010/11/20 20:24:17 | 000,344,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rasmans.dll -- (RasMan)
SRV:64bit: - [2010/11/20 20:24:01 | 000,512,000 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\rpcss.dll -- (RpcSs)
SRV:64bit: - [2010/11/20 20:24:16 | 000,030,720 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\seclogon.dll -- (seclogon)
SRV:64bit: - [2014/04/11 19:19:05 | 000,031,232 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\lsass.exe -- (SamSs)
SRV:64bit: - [2009/07/13 18:41:58 | 000,097,280 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wscsvc.dll -- (wscsvc)
SRV:64bit: - [2010/11/20 20:23:48 | 000,236,032 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\srvsvc.dll -- (LanmanServer)
SRV:64bit: - [2010/11/20 20:23:55 | 000,370,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\shsvcs.dll -- (ShellHWDetection)
SRV - [2010/11/20 20:24:03 | 000,328,192 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\shsvcs.dll -- (ShellHWDetection)
No service found with a name of slsvc
SRV:64bit: - [2010/11/20 20:24:16 | 001,110,016 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\schedsvc.dll -- (Schedule)
SRV:64bit: - [2010/11/20 20:24:32 | 000,316,928 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\tapisrv.dll -- (TapiSrv)
SRV - [2010/11/20 20:24:00 | 000,242,176 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\tapisrv.dll -- (TapiSrv)
SRV:64bit: - [2009/07/13 18:41:55 | 000,044,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\themeservice.dll -- (Themes)
SRV:64bit: - [2012/04/30 22:40:20 | 000,209,920 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\profsvc.dll -- (ProfSvc)
SRV:64bit: - [2010/11/20 20:23:55 | 001,600,512 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\VSSVC.exe -- (VSS)
SRV:64bit: - [2010/11/20 20:24:32 | 000,679,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\audiosrv.dll -- (AudioSrv)
SRV:64bit: - [2010/11/20 20:24:32 | 000,679,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\audiosrv.dll -- (AudioEndpointBuilder)
SRV:64bit: - [2010/11/20 20:25:06 | 000,170,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\sdrsvc.dll -- (SDRSVC)
SRV:64bit: - [2013/05/26 22:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2010/11/20 20:23:55 | 001,646,080 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wevtsvc.dll -- (eventlog)
SRV:64bit: - [2010/11/20 20:24:28 | 000,828,416 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\MPSSVC.dll -- (MpsSvc)
SRV:64bit: - [2010/11/20 20:24:48 | 000,580,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wiaservc.dll -- (stisvc)
SRV:64bit: - [2010/11/20 20:24:15 | 000,128,000 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\msiexec.exe -- (msiserver)
SRV - [2010/11/20 20:24:28 | 000,073,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWow64\msiexec.exe -- (msiserver)
SRV:64bit: - [2009/07/13 18:41:56 | 000,242,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wbem\WMIsvc.dll -- (Winmgmt)
SRV:64bit: - [2012/06/02 15:19:43 | 002,428,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wuaueng.dll -- (wuauserv)
SRV:64bit: - [2010/11/20 20:24:09 | 000,252,416 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\dot3svc.dll -- (dot3svc)
SRV:64bit: - [2009/07/13 18:41:56 | 000,886,784 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wlansvc.dll -- (Wlansvc)
SRV:64bit: - [2010/11/20 20:24:32 | 000,118,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wkssvc.dll -- (LanmanWorkstation)
 
< •  >
[2009/07/13 22:08:49 | 000,000,006 | -H-- | C] () -- C:\Windows\Tasks\SA.DAT
[2009/07/13 22:08:49 | 000,032,546 | ---- | C] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/09/10 18:58:43 | 000,000,368 | ---- | C] () -- C:\Windows\Tasks\At1.job
[2012/10/05 19:10:33 | 000,000,888 | ---- | C] () -- C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
[2012/10/05 19:10:33 | 000,000,892 | ---- | C] () -- C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
[2014/03/09 13:26:19 | 000,000,426 | ---- | C] () -- C:\Windows\Tasks\SlimCleaner Plus (Scheduled Scan - MrZ).job
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:A9967A61
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:F4C624DE

< End of report >

 

OTL Extras logfile created on: 8/13/2014 8:49:20 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\MrZ\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17207)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
7.50 Gb Total Physical Memory | 4.47 Gb Available Physical Memory | 59.58% Memory free
15.00 Gb Paging File | 11.56 Gb Available in Paging File | 77.11% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 223.22 Gb Total Space | 60.11 Gb Free Space | 26.93% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 870.81 Gb Free Space | 93.48% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 29.86 Gb Free Space | 3.21% Space Free | Partition Type: NTFS
Drive F: | 27.84 Gb Total Space | 27.30 Gb Free Space | 98.05% Space Free | Partition Type: FAT32
Drive J: | 100.97 Mb Total Space | 70.54 Mb Free Space | 69.86% Space Free | Partition Type: NTFS
Drive P: | 1862.92 Gb Total Space | 569.71 Gb Free Space | 30.58% Space Free | Partition Type: NTFS
Drive Z: | 100.00 Gb Total Space | 60.11 Gb Free Space | 60.11% Space Free | Partition Type: MFilesFS
 
Computer Name: WIN7SSD | User Name: MrZ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
.js[@ = JSFile] -- Reg Error: Value error. File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.js [@ = JSFile] -- Reg Error: Value error. File not found
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [open] -- Reg Error: Value error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
jsfile [open] -- Reg Error: Value error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0222F7A3-5683-4EB4-B21C-166CF5585407}" = rport=138 | protocol=17 | dir=out | app=system |
"{03EC3CE2-51B9-45B2-A4DF-A62EDBD28138}" = lport=9083 | protocol=6 | dir=in | name=remote potato - 9083 inbound |
"{084F0E30-BA53-4052-BC60-BFDA68B7E565}" = rport=445 | protocol=6 | dir=out | app=system |
"{0E0E94BB-AF0E-43E0-AFF2-8668B7D21584}" = lport=9082 | protocol=6 | dir=in | name=remote potato - 9082 inbound |
"{2BCBDCBE-F242-4044-84BA-126456AFD7D0}" = lport=139 | protocol=6 | dir=in | app=system |
"{3B1E7657-5255-42E7-A3D9-DDCF5961E6E6}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office15\outlook.exe |
"{44A650D4-7675-4B83-97E7-904DC20DD487}" = lport=137 | protocol=17 | dir=in | app=system |
"{48A52161-0F56-4178-AD0F-E94CC22B4590}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{544CC461-6F63-438F-ABA3-1B56E0C7A8E8}" = lport=9081 | protocol=6 | dir=in | name=remote potato - 9081 inbound |
"{54FF6518-DD58-441A-AA9D-4D4DA9D72D43}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@FirewallAPI.dll,-28539 |
"{56B980F9-942A-4402-A16D-334698AD070D}" = lport=9080 | protocol=6 | dir=in | name=remote potato - 9080 inbound |
"{58C539EC-D457-4E2B-8CC8-C9A530119105}" = lport=138 | protocol=17 | dir=in | app=system |
"{59017C71-38C2-4D85-94A6-CE466C63B339}" = lport=3128 | protocol=6 | dir=in | app=c:\program files (x86)\bench\proxy\proc.exe |
"{5F30FF4F-092C-4E01-AF52-E460941E7A80}" = lport=3128 | protocol=6 | dir=in | app=c:\program files (x86)\bench\proxy\pwdg.exe |
"{67FEA594-42F0-4C21-AAD6-FB133B8B1BB5}" = rport=137 | protocol=17 | dir=out | app=system |
"{720DD41E-BAE6-45C5-8ABC-3DCD398453A0}" = lport=8317 | protocol=6 | dir=in | name=techsmith camtasia studio |
"{7248419C-A5CD-4B9F-9354-8BBAE881CDCC}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7E00A694-2FCD-4D4C-95AD-9E2D2D975491}" = lport=9083 | protocol=6 | dir=out | name=remote potato - 9083 outbound |
"{8868E248-1703-4FFC-939C-E4A4FD7F7105}" = lport=3128 | protocol=6 | dir=in | app=c:\program files (x86)\bench\proxy\proc.exe |
"{AEBF9973-7B65-4148-BC77-6C64B97CDACB}" = lport=445 | protocol=6 | dir=in | app=system |
"{CFF35435-A652-4720-8BDB-C1B8C867CB2E}" = lport=9081 | protocol=6 | dir=out | name=remote potato - 9081 outbound |
"{DE0C3468-6D77-414E-B377-A57A7F2ACF5C}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{E1601385-1421-47F0-87E0-F327B86AE778}" = lport=9082 | protocol=6 | dir=out | name=remote potato - 9082 outbound |
"{EC6D74EA-2C80-4529-95D7-F4138D187C2D}" = rport=139 | protocol=6 | dir=out | app=system |
"{EEA56AE0-17F9-47F3-828F-4D68468687D3}" = lport=3128 | protocol=6 | dir=in | app=c:\program files (x86)\bench\proxy\pwdg.exe |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{13FFD98D-2D58-4626-97A0-593FD6F07F38}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office15\ucmapi.exe |
"{244327EF-6AD9-4E98-8611-1234D0B786EB}" = protocol=17 | dir=in | app=c:\program files (x86)\teamviewer\version9\teamviewer.exe |
"{28B056F5-0222-4B16-9301-B37FB9B6F675}" = protocol=58 | dir=out | name=@FirewallAPI.dll,-28546 |
"{28B598B6-CCDF-4937-841F-4E50324102D2}" = dir=in | app=c:\program files (x86)\mediamall\settingsmanager.exe |
"{29736CF3-A273-4B62-9AE8-E0A39BAA8C04}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office15\ucmapi.exe |
"{37C95DE0-9E08-41F9-9AE7-4C094800DAC7}" = dir=in | app=c:\users\mrz\appdata\local\microsoft\skydrive\skydrive.exe |
"{3C15D36E-ED4E-4091-9034-316041AD53E2}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office15\lync.exe |
"{3D47C613-3B88-49EC-BFB1-87650F43EC79}" = protocol=6 | dir=in | app=c:\program files (x86)\teamviewer\version9\teamviewer.exe |
"{48403891-0DC7-40FA-82AD-99CE2AD7AC3C}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{491C4BD4-BAB2-4A9E-90B4-72D991AECB1B}" = dir=in | app=c:\program files (x86)\mediamall\mediamallserver.exe |
"{5A529716-1317-41E8-90E6-B5CC7B38870C}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |
"{643145AA-538D-4564-B34B-ECEC6E001BD4}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office15\lync.exe |
"{75DC6360-108D-464F-AA29-766E55426748}" = protocol=1 | dir=out | name=@FirewallAPI.dll,-28544 |
"{768E87CA-3A87-4293-9077-A13798ECE7BC}" = protocol=17 | dir=in | app=c:\users\mrz\appdata\roaming\utorrent\utorrent.exe |
"{7B6B2FF4-6723-4C96-97F8-89BD28815386}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{7F9096F7-EB12-45BA-A3B5-5FBB8CDCDE9D}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{80B2A321-845F-4D33-8EB3-D6C1E3C54857}" = protocol=1 | dir=in | name=@FirewallAPI.dll,-28543 |
"{81B84C98-7713-472D-ACF2-F5DD5509442C}" = dir=in | app=c:\program files (x86)\mediamall\playmark.exe |
"{859B7060-38C1-4578-ACF0-6FF79952FDA4}" = protocol=17 | dir=in | app=c:\program files (x86)\teamviewer\version9\teamviewer_service.exe |
"{86BD1267-9188-42CE-9ABF-61291307630D}" = protocol=6 | dir=in | app=c:\program files (x86)\teamviewer\version9\teamviewer_service.exe |
"{8EC675EE-431A-4C90-937B-3CDDE55EACB8}" = protocol=58 | dir=out | name=@FirewallAPI.dll,-503 |
"{8F0C681A-B825-4002-8F90-46F5E8B1F3CE}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office15\ucmapi.exe |
"{911A3E7E-53F0-4B3B-BE7C-8FE401C2E47B}" = protocol=58 | dir=in | app=system |
"{9D910501-3CFD-48B9-9E58-C2CCD36865B2}" = protocol=58 | dir=in | name=@FirewallAPI.dll,-28545 |
"{A12A3C39-19E1-40B2-A789-709B90E04796}" = protocol=6 | dir=in | app=c:\users\mrz\appdata\roaming\utorrent\utorrent.exe |
"{AA7DAFB0-EFFF-4ACC-B84B-D4F0D7C25D85}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{D52174E6-6911-4DE4-9926-00A2D09A7C68}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office15\lync.exe |
"{E766AB89-6632-4995-B225-15DFDED8C901}" = dir=in | app=c:\program files (x86)\mediamall\playlater.exe |
"{EEB94B36-F51C-4CA5-AE7E-6A8ADA812C30}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office15\lync.exe |
"{F372DDEC-993C-4988-B9CB-F18C1C823BB3}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office15\ucmapi.exe |
"TCP Query User{8A4E8C65-54AA-48CF-A296-3593EDC7A574}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"UDP Query User{BEEC2C70-E5F6-4197-A3BA-C541BD661B34}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1374CC63-B520-4f3f-98E8-E9020BF01CFF}" = Windows XP Mode
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
"{23D2AFC7-C01E-4413-9D9A-0BABF52569BF}" = Microsoft Mouse and Keyboard Center
"{31E8F586-4EF7-4500-844D-BA8756474FF1}" = Windows Automated Installation Kit
"{49D665A2-4C2A-476E-9AB8-FCC425F526FC}" = Microsoft SQL Server 2012 Native Client
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{504022CD-6A58-42D5-ACC9-966F695AAD93}_is1" = PDF-XChange 2012
"{54E6C675-3AD4-42E4-957F-31666ABF1603}" = Adobe Photoshop Lightroom 5.2 64-bit
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{619A89DE-5F01-11E2-85E8-000C2982512D}" = Paragon Hard Disk Manager™ 14 Premium Edition
"{6C4958DF-4B1A-4290-947B-5F6AFDC74398}" = AirParrot
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{787136D2-F0F8-4625-AA3F-72D7795AC842}" = Apple Mobile Device Support
"{7DEBE4EB-6B40-3766-BB35-5CBBC385DA37}" = Microsoft .NET Framework 4.5.1
"{81E20D41-C277-4526-934D-F2380AF91B78}" = iCloud
"{8424B163-D1E0-48B7-88A2-C7A61767B3D7}" = Microsoft SQL Server Compact 4.0 x64 ENU
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90140000-00D1-0409-1000-0000000FF1CE}" = Microsoft Access database engine 2010 (English)
"{90150000-002A-0000-1000-0000000FF1CE}" = Microsoft Office 64-bit Components 2013
"{90150000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2013
"{90150000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2013
"{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" = Microsoft .NET Framework 4.5.1
"{97E3E5AA-72FA-45D3-98FF-4C5E321D8555}" = M-Files 9.0.3372.41
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B5121457-0126-4E62-BCBF-6DC7C73D9E4A}" = Oracle VM VirtualBox 4.3.12
"{B71CCF77-38A2-4805-9759-A6F7D2C52F3A}" = Adobe Photoshop Lightroom 4.2 64-bit
"{B8BA155B-1E75-405F-9CB4-8A99615D09DC}" = iTunes
"{C79A7EAB-9D6F-4072-8A6D-F8F54957CD93}" = Microsoft SQL Server 2008 Native Client
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D6AB1F5B-FED6-49A9-9747-327BD28FB3C7}" = COMODO Internet Security
"{E2B8249D-895C-4685-8C83-00F3B1A13028}" = Microsoft Web Platform Installer 4.0
"{E851486F-1FE2-44F0-85ED-F969088A68EE}" = PHP Manager 1.2 for IIS 7
"CCleaner" = CCleaner
"Defraggler" = Defraggler
"HitmanPro37" = HitmanPro 3.7
"ImagenomicPortraitureLightroomPlugin" = Imagenomic Portraiture 2.2 Lightroom Plug-in (build 2207)
"Microsoft Mouse and Keyboard Center" = Microsoft Mouse and Keyboard Center
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{111EE7DF-FC45-40C7-98A7-753AC46B12FB}" = QuickTime 7
"{185F9795-9663-4F13-9EF9-307A282ADB5A}" = ph
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{262425E7-A5A0-5630-8FB2-FE6E6A650872}" = Boot Media Builder for Paragon Hard Disk Manager™ 12 Server
"{26A24AE4-039D-4CA4-87B4-2F03217067FF}" = Java 7 Update 67
"{272C8DEE-F54F-406C-9AA6-B4DE2985A47C}" = Flash Drive Tester v1.14
"{2A075BB4-E976-4278-BF3F-E5C6945D84C0}" = bl
"{2EEEC858-21F8-419B-8FE2-820621BFFCD7}" = GetDataBack for FAT
"{489687BC-3B2A-401F-920B-0B1E97DDB287}" = Eclipse OCR Support
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"{56582EEA-3AEF-4D84-8B9D-C87A3CD9250F}" = GetDataBack for NTFS
"{5ABDB125-7725-40B6-A1E3-B7D8BFFAA303}" = PlayLater
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6EA6D4E3-134D-4A11-AF2A-7986F61BB2F6}" = ImageRescue3
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7764F7B0-7225-4145-82B6-2AB4540D33A6}" = Eye-Fi Center 3.4
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7B6D00DA-AE9D-44B3-A91B-4695AA803B3F}" = Serif Premium Image Collection 6
"{7D427BD1-1C88-4007-BBFB-C2DD2ED48C63}" = Serif WebPlus X5
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90150000-0015-0409-0000-0000000FF1CE}" = Microsoft Access MUI (English) 2013
"{90150000-0016-0409-0000-0000000FF1CE}" = Microsoft Excel MUI (English) 2013
"{90150000-0018-0409-0000-0000000FF1CE}" = Microsoft PowerPoint MUI (English) 2013
"{90150000-0019-0409-0000-0000000FF1CE}" = Microsoft Publisher MUI (English) 2013
"{90150000-001A-0409-0000-0000000FF1CE}" = Microsoft Outlook MUI (English) 2013
"{90150000-001B-0409-0000-0000000FF1CE}" = Microsoft Word MUI (English) 2013
"{90150000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proofing Tools 2013 - English
"{90150000-001F-040C-0000-0000000FF1CE}" = Outils de vérification linguistique 2013 de Microsoft Office - Français
"{90150000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proofing Tools 2013 - Español
"{90150000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2013
"{90150000-0044-0409-0000-0000000FF1CE}" = Microsoft InfoPath MUI (English) 2013
"{90150000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2013
"{90150000-0090-0409-0000-0000000FF1CE}" = Microsoft DCF MUI (English) 2013
"{90150000-00A1-0409-0000-0000000FF1CE}" = Microsoft OneNote MUI (English) 2013
"{90150000-00BA-0409-0000-0000000FF1CE}" = Microsoft Groove MUI (English) 2013
"{90150000-00E1-0409-0000-0000000FF1CE}" = Microsoft Office OSM MUI (English) 2013
"{90150000-00E2-0409-0000-0000000FF1CE}" = Microsoft Office OSM UX MUI (English) 2013
"{90150000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2013
"{90150000-0117-0409-0000-0000000FF1CE}" = Microsoft Access Setup Metadata MUI (English) 2013
"{90150000-012B-0409-0000-0000000FF1CE}" = Microsoft Lync MUI (English) 2013
"{91150000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2013
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{9489257A-CED5-45E7-8D16-7B20A2E48744}" = PlayOn
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B65F9A3-9D24-452A-B6EF-1457D65E4259}" = ScorpionSaver
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A73D4BEE-2BBE-4285-BF6C-4B8C7C001630}" = Zend Studio 9.0.1
"{A7727F03-5311-4A12-9A63-2ACD20BA0497}" = Camtasia Studio 8
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.5)
"{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86
"{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}" = Microsoft SQL Server Compact 3.5 ENU
"{C6FEBDB4-DC98-4D10-A659-B3EB49DC2FFF}" = Eclipse ISIS Scanning Support
"{E2B31B67-9795-4EF9-9AC6-B683E7B11BE6}_is1" = FotoFusion v5
"{EFBE6DD5-B224-96E5-72B9-68D328CB12A6}" = Adobe Widget Browser
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F17C3DC2-2ACA-4B0E-BDBF-ACE61B14E7CD}" = Citrix Online Launcher
"{F1C324A1-5562-4956-BF70-253825D53F87}" = Eclipse Imaging Support
"{FA653F5B-483A-4E92-BF75-BB3BBF1D550D}" = LogMeIn
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 9.22beta
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 14 ActiveX
"CleanUp!" = CleanUp!
"com.adobe.WidgetBrowser" = Adobe Widget Browser
"DVDFab 9.0.7.2 Final9.0.7.2" = DVDFab 9.0.7.2 Final
"Google Chrome" = Google Chrome
"HDClone.Professional.4.2.2.1033-{C5DE40C1-8962-4998-9A4C-E2B1130723F3}" = HDClone 4.2 Professional Edition
"InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"Malwarebytes Anti-Malware_is1" = Malwarebytes Anti-Malware version 2.0.2.1012
"NirSoft ProduKey" = NirSoft ProduKey
"Notepad++" = Notepad++
"Office15.PROPLUSR" = Microsoft Office Professional Plus 2013
"Photodex Presenter" = Photodex Presenter
"ProShow Gold" = ProShow Gold
"ProShow Plugins for Lightroom" = ProShow Plugins for Lightroom
"RealFlight7Pro" = RealFlight 7 R/C Simulator
"SMTP Diagnostics_is1" = SMTP Diagnostics 1.8.0.74
"Stellar Phoenix Outlook PST Repair_is1" = Stellar Phoenix Outlook PST Repair
"TeamViewer 9" = TeamViewer 9
"TreeSize Free_is1" = TreeSize Free V2.7
"VirtualCloneDrive" = VirtualCloneDrive
"XXConsole" = XXConsole: Super Console Generator  ver 0.96
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"fc3ac04dc8eedef7" = Web Launcher
"OneDriveSetup.exe" = Microsoft OneDrive
"uTorrent" = µTorrent
"XBMC" = XBMC
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 8/11/2014 3:00:02 AM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/12/2014 10:28:07 PM | Computer Name = Win7ssd | Source = WinMgmt | ID = 10
Description =
 
Error - 8/12/2014 10:32:40 PM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/12/2014 10:32:41 PM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/12/2014 10:32:41 PM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/12/2014 10:33:00 PM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/13/2014 1:03:58 AM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/13/2014 3:00:00 AM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/13/2014 6:47:35 AM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/13/2014 11:42:51 PM | Computer Name = Win7ssd | Source = WinMgmt | ID = 10
Description =
 
[ System Events ]
Error - 8/13/2014 8:27:11 AM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 8:30:48 AM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 8:33:51 AM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 8:36:06 AM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 8:38:41 AM | Computer Name = Win7ssd | Source = DCOM | ID = 10010
Description =
 
Error - 8/13/2014 11:42:39 PM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 11:46:04 PM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 11:47:56 PM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 11:52:26 PM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 11:52:59 PM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
 
< End of report >
 


Edited by bhzendner, 13 August 2014 - 10:01 PM.

  • 0
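The two firewall sections of the Extras log above are the part a helper reads first, and they are easier to reason about once pulled into a structure than by eyeballing sixty rule lines. The following is an added example for this thread, written by the editor; it is not part of OTL and not code from the poster. It parses the profile values and the `"{GUID}" = k=v | k=v |` rule lines in the format OTL prints and reports two things a reviewer checks: profiles with `EnableFirewall = 0` (with COMODO Internet Security in the uninstall list this is what a third-party firewall registered with Security Center normally leaves behind, which should be confirmed rather than assumed) and inbound allow rules for executables in user-writable paths, which is where adware installs tend to live. The sample input is constructed from the format shown above with a handful of entries copied and one value changed, and the `USER_WRITABLE` path list is the editor's own heuristic.

```python
"""Triage the firewall sections of an OTL Extras log.

Added example for this thread, not part of OTL or the poster's log. It
parses the "Firewall Settings" profile values and the FirewallRules
lines in the format OTL prints and reports what a reviewer would check
first: profiles with the Windows Firewall switched off, and inbound
allow rules for executables living in user-writable locations.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in OTL's format, abridged from the kind of entries
# seen in the log above; the PublicProfile value was changed to 1 so the
# example shows both outcomes.
SAMPLE_LOG = r"""
========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2BCBDCBE-F242-4044-84BA-126456AFD7D0}" = lport=139 | protocol=6 | dir=in | app=system |
"{59017C71-38C2-4D85-94A6-CE466C63B339}" = lport=3128 | protocol=6 | dir=in | app=c:\program files (x86)\bench\proxy\proc.exe |
"{768E87CA-3A87-4293-9077-A13798ECE7BC}" = protocol=17 | dir=in | app=c:\users\mrz\appdata\roaming\utorrent\utorrent.exe |
"{54FF6518-DD58-441A-AA9D-4D4DA9D72D43}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@FirewallAPI.dll,-28539 |
"{7E00A694-2FCD-4D4C-95AD-9E2D2D975491}" = lport=9083 | protocol=6 | dir=out | name=remote potato - 9083 outbound |
"""

# Registry key line: the last path component tells us which profile (or
# the FirewallRules key) the following values belong to.
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*FirewallPolicy\\(\w+)\]$")
# Profile value line, e.g. "EnableFirewall" = 0
VALUE_RE = re.compile(r'^"(\w+)" = (-?\d+)$')
# Rule line: quoted key, then pipe-separated k=v fields ending in "|"
RULE_RE = re.compile(r'^"([^"]+)" = (.*\|\s*)$')

# Editor's assumption: locations a standard user can write to. An inbound
# allow for a binary here deserves a look; it is not proof of anything.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class Rule:
    key: str
    fields: dict


@dataclass
class Triage:
    profiles: dict = field(default_factory=dict)  # profile -> {value: int}
    rules: list = field(default_factory=list)


def parse_otl_firewall(text: str) -> Triage:
    """Pull profile values and rule lines out of an OTL Extras log."""
    t = Triage()
    profile = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            name = m.group(1)
            profile = name if name.endswith("Profile") else None
            if profile:
                t.profiles.setdefault(profile, {})
            continue
        m = VALUE_RE.match(line)
        if m and profile:
            t.profiles[profile][m.group(1)] = int(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            fields = {}
            for part in m.group(2).split("|"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    fields[k.strip().lower()] = v.strip().lower()
            t.rules.append(Rule(m.group(1), fields))
    return t


def inbound_apps(t: Triage) -> list:
    """Distinct executables with an inbound allow, to cross-check against
    the uninstall list and the running-process list in the OTL log."""
    return sorted({r.fields["app"] for r in t.rules
                   if r.fields.get("dir") == "in" and "app" in r.fields})


def triage(t: Triage) -> list:
    """Findings a reviewer would raise from the parsed sections."""
    findings = []
    for prof, vals in t.profiles.items():
        if vals.get("EnableFirewall") == 0:
            findings.append(f"{prof}: EnableFirewall=0 (expected when a "
                            f"third-party firewall owns the profile; "
                            f"otherwise re-enable)")
    for r in t.rules:
        f = r.fields
        app = f.get("app", "")
        if f.get("dir") == "in" and app.startswith(USER_WRITABLE):
            findings.append(f"{r.key}: inbound allow, port "
                            f"{f.get('lport', 'any')}, for {app} "
                            f"(user-writable path)")
    return findings


if __name__ == "__main__":
    result = parse_otl_firewall(SAMPLE_LOG)
    print("inbound apps:", inbound_apps(result))
    for finding in triage(result):
        print(finding)
```

On the constructed sample this reports the two disabled profiles and the inbound allow for the uTorrent binary under `AppData`; the 3128 proxy rule under Program Files (x86) is listed by `inbound_apps` for manual cross-checking but is not flagged, because a path heuristic alone cannot say whether it belongs there.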

#4
bhzendner

    Member

  • Topic Starter
  • Member
  • 226 posts

Thought I might have done it wrong so here it is again.

 

OTL logfile created on: 8/13/2014 8:59:56 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\MrZ\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17207)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
7.50 Gb Total Physical Memory | 4.54 Gb Available Physical Memory | 60.55% Memory free
15.00 Gb Paging File | 11.50 Gb Available in Paging File | 76.66% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 223.22 Gb Total Space | 60.11 Gb Free Space | 26.93% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 870.81 Gb Free Space | 93.48% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 29.86 Gb Free Space | 3.21% Space Free | Partition Type: NTFS
Drive F: | 27.84 Gb Total Space | 27.30 Gb Free Space | 98.05% Space Free | Partition Type: FAT32
Drive J: | 100.97 Mb Total Space | 70.54 Mb Free Space | 69.86% Space Free | Partition Type: NTFS
Drive P: | 1862.92 Gb Total Space | 569.71 Gb Free Space | 30.58% Space Free | Partition Type: NTFS
Drive Z: | 100.00 Gb Total Space | 60.11 Gb Free Space | 60.11% Space Free | Partition Type: MFilesFS
 
Computer Name: WIN7SSD | User Name: MrZ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - File not found --
PRC - [2014/08/13 20:47:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\MrZ\Desktop\OTL.exe
PRC - [2014/08/06 02:34:34 | 005,052,224 | ---- | M] (TeamViewer GmbH) -- C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
PRC - [2014/08/03 15:41:45 | 003,428,672 | ---- | M] (LogMeIn, Inc.) -- C:\Users\MrZ\AppData\Local\LogMeIn Client\LogMeIn Client.exe
PRC - [2014/08/03 15:41:45 | 000,375,128 | ---- | M] (LogMeIn, Inc.) -- C:\Users\MrZ\AppData\Local\LogMeIn Client\LMIGuardian.exe
PRC - [2014/08/02 12:32:19 | 000,251,040 | ---- | M] (Microsoft Corporation) -- C:\Users\MrZ\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
PRC - [2014/05/12 07:24:42 | 000,860,472 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
PRC - [2014/05/12 07:24:40 | 001,809,720 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
PRC - [2014/05/12 07:24:34 | 006,970,168 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
PRC - [2014/03/28 04:28:37 | 000,067,904 | ---- | M] (MediaMall Technologies, Inc.) -- C:\Program Files (x86)\MediaMall\PlayOn.exe
PRC - [2014/03/28 04:27:56 | 005,454,640 | ---- | M] (MediaMall Technologies, Inc.) -- C:\Program Files (x86)\MediaMall\MediaMallServer.exe
PRC - [2014/01/26 16:31:49 | 000,186,760 | ---- | M] () -- C:\Program Files (x86)\Photodex\ProShow Gold\scsiaccess.exe
PRC - [2013/11/20 16:43:26 | 000,059,720 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
PRC - [2013/11/20 16:43:14 | 000,059,720 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
PRC - [2013/11/14 04:29:33 | 000,863,184 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
PRC - [2013/09/14 04:27:52 | 000,059,720 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Internet Services\APSDaemon.exe
PRC - [2013/02/16 22:50:26 | 002,529,120 | ---- | M] (M-Files Corporation) -- C:\Program Files\M-Files\9.0.3372.41\Bin\x86\MFServerAux.exe
PRC - [2012/12/18 07:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/12/22 00:11:26 | 003,961,464 | ---- | M] (Eye-Fi, Inc.) -- C:\Program Files (x86)\Eye-Fi\Helper\EyeFiHelper.exe
PRC - [2010/11/17 09:53:16 | 000,113,288 | ---- | M] (Renesas Electronics Corporation) -- C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014/08/03 15:41:45 | 004,565,336 | ---- | M] () -- C:\Users\MrZ\AppData\Local\LogMeIn Client\RACtrl.dll
MOD - [2014/08/03 15:41:45 | 000,009,584 | ---- | M] () -- C:\Users\MrZ\AppData\Local\LogMeIn Client\ractrlkeyhook.dll
MOD - [2014/06/10 13:19:06 | 008,892,072 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office15\1033\GrooveIntlResource.dll
MOD - [2014/02/26 22:25:50 | 012,894,208 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\f4f6ee0df2aa4189bf36e6335cb92761\System.Windows.Forms.ni.dll
MOD - [2014/02/26 22:25:46 | 006,990,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\dce99d8de14d8a015313db98c72552ee\System.Core.ni.dll
MOD - [2014/02/26 22:25:44 | 001,644,544 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\5cd2aee5e7c07227c694d89219688ab3\System.Drawing.ni.dll
MOD - [2014/02/26 22:25:42 | 010,060,800 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ff26cc03e6d57d8abd13b990332e67c6\System.ni.dll
MOD - [2014/02/26 22:25:39 | 000,198,656 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\92e9bacef49552a4485fbb7523782133\CustomMarshalers.ni.dll
MOD - [2014/02/26 22:25:38 | 016,953,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\ce5f61c5754789df97be8dc991c47d07\mscorlib.ni.dll
MOD - [2014/02/12 06:19:27 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\b34b348a9935338b1282fd0c9309eb1f\System.ServiceProcess.ni.dll
MOD - [2014/02/12 06:18:59 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\8bc548587e91ecf0552a40e47bbf99cc\System.Windows.Forms.ni.dll
MOD - [2014/02/12 06:18:54 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5c24d3b0041ebf4f48a93615b9fa3de9\System.Drawing.ni.dll
MOD - [2014/02/12 06:18:38 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\b3a78269847005365001c33870cd121f\System.ni.dll
MOD - [2014/02/12 06:18:35 | 011,499,520 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ede2c6c842840e009f01bcc74fa4c457\mscorlib.ni.dll
MOD - [2014/01/23 15:55:44 | 001,030,312 | ---- | M] () -- C:\Program Files (x86)\Microsoft Office\Office15\ADDINS\UmOutlookAddin.dll
MOD - [2013/11/14 04:29:31 | 000,399,312 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\ppgooglenaclpluginchrome.dll
MOD - [2013/11/14 04:29:29 | 004,055,504 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\pdf.dll
MOD - [2013/11/14 04:28:37 | 000,702,416 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\libglesv2.dll
MOD - [2013/11/14 04:28:36 | 000,099,792 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\libegl.dll
MOD - [2013/11/14 04:28:34 | 001,619,408 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\ffmpegsumo.dll
MOD - [2013/09/14 02:51:02 | 000,087,952 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Internet Services\zlib1.dll
MOD - [2013/09/14 02:50:36 | 001,242,952 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Internet Services\libxml2.dll
MOD - [2011/12/21 23:59:12 | 000,133,120 | ---- | M] () -- C:\Program Files (x86)\Eye-Fi\Helper\libexif.dll
MOD - [2011/12/21 23:56:16 | 000,209,408 | ---- | M] () -- C:\Program Files (x86)\Eye-Fi\Helper\libopenraw.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2014/07/17 19:21:28 | 000,127,752 | ---- | M] (SurfRight B.V.) [Auto | Running] -- C:\Program Files\HitmanPro\hmpsched.exe -- (HitmanProScheduler)
SRV:64bit: - [2014/06/18 17:24:12 | 000,111,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV:64bit: - [2013/05/26 22:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2013/02/16 22:50:48 | 007,759,712 | ---- | M] (M-Files Corporation) [Auto | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\mfclient.exe -- (MFClient 9.0.3372.41)
SRV:64bit: - [2013/02/16 22:50:44 | 003,459,424 | ---- | M] (M-Files Corporation) [Auto | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\mfdataexport.exe -- (MFDataExport 9.0.3372.41)
SRV:64bit: - [2013/02/16 22:50:40 | 002,759,008 | ---- | M] (M-Files Corporation) [Auto | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\mfindexingmanager.exe -- (MFIndexingManager 9.0.3372.41)
SRV:64bit: - [2013/02/16 22:50:38 | 031,902,560 | ---- | M] (M-Files Corporation) [Auto | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\mfserver.exe -- (MFServer 9.0.3372.41)
SRV:64bit: - [2013/02/16 22:50:26 | 002,529,120 | ---- | M] (M-Files Corporation) [Auto | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x86\mfserveraux.exe -- (MFServerAux 9.0.3372.41)
SRV:64bit: - [2013/02/16 22:50:08 | 002,914,656 | ---- | M] (M-Files Corporation) [Auto | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\mfsetup.exe -- (MFSetup 9.0.3372.41)
SRV:64bit: - [2013/01/12 12:26:30 | 000,140,672 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2012/03/11 21:13:24 | 002,815,496 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV:64bit: - [2011/04/20 02:04:20 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009/12/21 10:44:06 | 000,535,552 | ---- | M] (CSR, plc) [Auto | Running] -- C:\Windows\SysNative\HFGService.dll -- (HFGService)
SRV:64bit: - [2009/07/13 18:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2008/05/07 16:29:38 | 000,122,880 | ---- | M] (CrypKey (Canada) Ltd.) [Auto | Running] -- C:\Windows\SysNative\Crypserv.exe -- (Crypkey License)
SRV - [2014/08/06 02:34:34 | 005,052,224 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe -- (TeamViewer9)
SRV - [2014/07/19 09:09:28 | 000,226,640 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\ramaint.exe -- (LMIMaint)
SRV - [2014/07/19 09:09:25 | 000,376,144 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2014/05/12 07:24:42 | 000,860,472 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2014/05/12 07:24:40 | 001,809,720 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2014/03/28 04:27:56 | 005,454,640 | ---- | M] (MediaMall Technologies, Inc.) [Auto | Running] -- C:\Program Files (x86)\MediaMall\MediaMallServer.exe -- (MediaMall Server)
SRV - [2014/01/26 16:31:49 | 000,186,760 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\Photodex\ProShow Gold\scsiaccess.exe -- (ScsiAccess)
SRV - [2013/09/11 22:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2012/12/18 07:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/11/29 12:56:50 | 000,407,424 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe -- (LogMeIn)
SRV - [2010/11/20 20:24:51 | 000,397,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2010/11/20 20:24:51 | 000,397,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2010/11/20 20:24:51 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2009/06/10 14:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2014/08/13 20:48:41 | 000,122,584 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys -- (MBAMSwissArmy)
DRV:64bit: - [2014/07/19 09:09:26 | 000,107,368 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV:64bit: - [2014/05/16 14:03:30 | 000,141,600 | ---- | M] (Oracle Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VBoxNetAdp.sys -- (VBoxNetAdp)
DRV:64bit: - [2014/05/12 07:26:10 | 000,063,704 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mwac.sys -- (MBAMWebAccessControl)
DRV:64bit: - [2014/05/12 07:25:56 | 000,025,816 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2014/03/19 15:23:14 | 000,050,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)
DRV:64bit: - [2013/11/26 13:26:34 | 000,025,992 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\uim_devim.sys -- (Uim_DEVIM)
DRV:64bit: - [2013/11/26 13:26:32 | 000,700,680 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\uim_im.sys -- (Uim_IM)
DRV:64bit: - [2013/11/26 13:26:32 | 000,102,664 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\UimBus.sys -- (UimBus)
DRV:64bit: - [2013/11/26 13:26:30 | 000,034,056 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\hotcore3.sys -- (hotcore3)
DRV:64bit: - [2013/10/01 19:22:20 | 000,056,832 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2013/03/05 20:28:18 | 000,028,528 | ---- | M] (MediaMall Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\povrtdev.sys -- (msvad_simple)
DRV:64bit: - [2013/02/16 22:11:42 | 000,105,280 | ---- | M] (M-Files Corporation) [File_System | On_Demand | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\MFFSD.sys -- (MFFSDCE226221-400E-4813-A98D-44DD7E269D32)
DRV:64bit: - [2013/02/16 22:10:58 | 000,022,336 | ---- | M] (M-Files Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\M-Files\9.0.3372.41\Bin\x64\MFVDD.sys -- (MFVDD97C82C14-5040-40A9-AFC1-442DBE92CBE8)
DRV:64bit: - [2012/12/18 15:05:06 | 000,105,112 | ---- | M] (Miray) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mvd.sys -- (MirayVirtualDisk)
DRV:64bit: - [2012/12/13 13:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/11/29 12:56:50 | 000,072,216 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV:64bit: - [2012/11/29 12:56:30 | 000,011,552 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lmimirr.sys -- (lmimirr)
DRV:64bit: - [2012/09/24 18:12:02 | 000,015,808 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AVVideoCardMirror.sys -- (AirDisplayMirror)
DRV:64bit: - [2012/09/24 18:12:02 | 000,015,808 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AVVideoCard.sys -- (AirDisplay)
DRV:64bit: - [2012/08/23 07:12:16 | 000,029,696 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt)
DRV:64bit: - [2012/08/23 07:10:20 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2012/08/23 07:08:26 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/03/11 21:13:40 | 000,022,696 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\SysNative\drivers\cmderd.sys -- (cmderd)
DRV:64bit: - [2012/02/29 23:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/11/03 03:01:00 | 000,056,208 | ---- | M] (Rovi Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2011/07/22 09:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2011/07/12 14:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2011/06/10 06:34:52 | 000,539,240 | ---- | M] (Realtek                                            ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2011/04/20 02:44:50 | 009,319,936 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2011/04/20 01:22:34 | 000,306,176 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2011/03/10 23:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/10 23:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/02/10 14:52:34 | 000,181,760 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV:64bit: - [2011/02/10 14:52:34 | 000,082,432 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub)
DRV:64bit: - [2011/01/15 09:21:04 | 000,036,352 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VClone.sys -- (VClone)
DRV:64bit: - [2010/12/16 15:58:14 | 000,040,816 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV:64bit: - [2010/11/20 20:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub)
DRV:64bit: - [2010/11/20 20:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV:64bit: - [2010/11/20 20:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 20:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 06:34:04 | 000,360,832 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcvmm.sys -- (vpcvmm)
DRV:64bit: - [2010/11/20 06:34:04 | 000,194,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vpchbus.sys -- (vpcbus)
DRV:64bit: - [2010/11/20 04:35:34 | 000,095,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\vpcusb.sys -- (vpcusb)
DRV:64bit: - [2010/11/20 04:35:22 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\vpcnfltr.sys -- (vpcnfltr)
DRV:64bit: - [2009/12/21 10:43:36 | 000,052,224 | ---- | M] (CSR, plc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\BthAudioHF.sys -- (BthAudioHF)
DRV:64bit: - [2009/12/21 10:43:00 | 000,078,848 | ---- | M] (CSR, plc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\bthav.sys -- (csr_a2dp)
DRV:64bit: - [2009/08/13 08:38:24 | 000,029,184 | ---- | M] (CSR, plc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\BthAvrcp.sys -- (BthAvrcp)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2008/05/06 16:06:00 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\wdcsam64.sys -- (WDC_SAM)
DRV:64bit: - [2008/04/16 14:49:34 | 000,028,416 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\RimUsb_AMD64.sys -- (RimUsb)
DRV:64bit: - [2008/03/17 10:12:26 | 000,028,664 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\Ckldrv.sys -- (NetworkX)
DRV - [2013/05/31 05:02:09 | 000,016,056 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files (x86)\LogMeIn\x64\rainfo.sys -- (LMIInfo)
DRV - [2009/07/13 18:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (All) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft..../?LinkId=255141
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =  [binary data]
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft..../?LinkId=255141
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft..../?LinkId=255141
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =  [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft..../?LinkId=255141
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:3128
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" =
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-20\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CE 0D 5F 79 01 8D CF 01  [binary data]
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\SysWOW64\ieframe.dll (Microsoft Corporation)
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE11SR
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.67.2: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.67.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/Lync,version=15.0: C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~3\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@photodex.com/PhotodexPresenter: C:\Program Files (x86)\Photodex Presenter\npPxPlay.dll ( )
FF - HKLM\Software\MozillaPlugins\@playon.tv/PlayOnToolbar: C:\Program Files (x86)\MediaMall\toolbar\npVT.dll (MediaMall Technologies, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeExManDetect: C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll File not found
FF - HKCU\Software\MozillaPlugins\@citrixonline.com/appdetectorplugin: C:\Users\MrZ\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF - HKCU\Software\MozillaPlugins\@spoon.net/Spoon Plugin 3.33: C:\Users\MrZ\AppData\Local\Spoon\3.33.6.270\npMozillaSpoonPlugin.dll File not found
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3c9761ad-a43d-4447-b924-f5d83cb48063}: C:\Program Files (x86)\Zend\Zend Studio 9.0.1\toolbars\firefox [2012/10/14 11:36:42 | 000,000,000 | ---D | M]
 
[2013/12/01 11:43:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\extensions
[2012/08/25 17:50:01 | 000,000,000 | ---D | M] (uTorrentControl_v2) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
[2014/08/02 16:01:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\Profiles\extensions
[2014/06/19 19:26:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\Profiles\extensions\extensions
[2012/09/27 09:59:30 | 000,000,000 | ---D | M] (OneClickDownloader) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\Profiles\extensions\[email protected]
[2013/10/17 12:23:22 | 000,034,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},
CHR - homepage:
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\22.0.1229.79\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\pdf.dll
CHR - plugin: Conduit Chrome Plugin (Enabled) = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda\10.11.21.5_0\plugins/ConduitChromeApiPlugin.dll
CHR - plugin: Conduit Radio Plugin (Enabled) = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda\10.11.21.5_0\plugins/np-cwmp.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.2 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Microsoft Office 2013 (Enabled) = C:\PROGRA~2\MICROS~3\Office15\NPSPWRAP.DLL
CHR - plugin: Microsoft Office 2013 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - Extension: YouTube = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Chrome RDP = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbkkbcmdlboombapidmoeolnmdacpkch\4.3.10_0\
CHR - Extension: Chrome RDP = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbkkbcmdlboombapidmoeolnmdacpkch\4.3.11_0\
CHR - Extension: Chrome RDP = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbkkbcmdlboombapidmoeolnmdacpkch\4.3.8_0\
CHR - Extension: Chrome RDP = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\cbkkbcmdlboombapidmoeolnmdacpkch\4.4.2_0\
CHR - Extension: Google Search = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: iCloud Bookmarks = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkepacicchenbjecpbpbclokcabebhah\1.2.12_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\30.0.1599.86_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\32.0.1700.63_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\32.0.1700.98_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\32.0.1700.99_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\33.0.1750.125_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\33.0.1750.126_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\33.0.1750.126_0\~
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\34.0.1847.90_0\
CHR - Extension: Chrome Remote Desktop = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbchcmhmhahfdphkhkmpfmihenigjmpp\34.0.1847.90_0\~
CHR - Extension: PlayOn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ienaefcpghbmccojmklhdffdobkbencj\1.0_0\
CHR - Extension: PlayOn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ienaefcpghbmccojmklhdffdobkbencj\1.0_1\
CHR - Extension: PlayOn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ienaefcpghbmccojmklhdffdobkbencj\1.0_2\
CHR - Extension: ActiveX for Chrome = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgllffgicojgllpmdbemgglaponefajn\1.5.0.7_0\
CHR - Extension: CSS3Clock = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\njoeghbchhecmmnlkgpoljfpdggoffbi\1.1.5_0\
CHR - Extension: LogMeIn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmgnihglilniboicepgjclfiageofdfj\1.0.0.1029_0\
CHR - Extension: LogMeIn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmgnihglilniboicepgjclfiageofdfj\1.0.0.1078_0\
CHR - Extension: LogMeIn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmgnihglilniboicepgjclfiageofdfj\1.0.0.1080_0\
CHR - Extension: LogMeIn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmgnihglilniboicepgjclfiageofdfj\1.0.0.1082_0\
CHR - Extension: Google Wallet = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0\
CHR - Extension: Google Wallet = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.0_0\
CHR - Extension: Google Wallet = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_0\
CHR - Extension: AccessNow by Ericom (RDP client) = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\npaobnlmoaflieppdiljaekgeemaplhe\2.1.0.1_0\
CHR - Extension: GreatArcadeHits = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocifcogajbgikalbpphmoedjlcfjkhgh\1.0.7_0\
CHR - Extension: LogMeIn = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\omkjapkpkiciphacnalicgmmcelfolon\1.0.0.1037_0\
CHR - Extension: Gmail = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\
CHR - Extension: Atomic Savings = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmicfehfblhebdfbhfgmmfcaikafckac\1.0_0\
CHR - Extension: Atomic Savings = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmicfehfblhebdfbhfgmmfcaikafckac\1.0_1\
CHR - Extension: Atomic Savings = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmicfehfblhebdfbhfgmmfcaikafckac\1.0_2\
 
O1 HOSTS File: ([2014/05/31 12:49:11 | 000,000,045 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 54.235.90.58 pmicfehfblhebdfbhfgmmfcaikafckac
O2:64bit: - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - No CLSID value found.
O2:64bit: - BHO: (Lync Browser Helper) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O2:64bit: - BHO: (no name) - {56bc31de-97ab-4563-8599-ad5d4e9800f9} - No CLSID value found.
O2:64bit: - BHO: (PlayOn) - {9A87E478-A2BD-44C4-9F8C-D3989A5271B1} - C:\Program Files (x86)\MediaMall\toolbar\pobho64.dll (MediaMall Technologies, Inc.)
O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
O2:64bit: - BHO: (Microsoft SkyDrive Pro Browser Helper) - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Lync Browser Helper) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (PlayOn) - {9A87E478-A2BD-44C4-9F8C-D3989A5271B1} - C:\Program Files (x86)\MediaMall\toolbar\pobho.dll (MediaMall Technologies, Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Microsoft SkyDrive Pro Browser Helper) - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (PlayOn) - {9A87E478-A2BD-44C4-9F8C-D3989A5271B1} - C:\Program Files (x86)\MediaMall\toolbar\pobho64.dll (MediaMall Technologies, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Zend Studio) - {95188727-288F-4581-A48D-EAB3BD027314} - C:\Program Files (x86)\Zend\Zend Studio 9.0.1\toolbars\ZendIEToolbar.dll (Zend Technologies Ltd)
O3 - HKLM\..\Toolbar: (PlayOn) - {9A87E478-A2BD-44C4-9F8C-D3989A5271B1} - C:\Program Files (x86)\MediaMall\toolbar\pobho.dll (MediaMall Technologies, Inc.)
O3 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4:64bit: - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4:64bit: - HKLM..\Run: [LogMeIn GUI] C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe (LogMeIn, Inc.)
O4:64bit: - HKLM..\Run: [M-Files Status 9.0.3372.41] C:\Program Files\M-Files\9.0.3372.41\Bin\x64\MFStatus.exe (M-Files Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [NUSB3MON] C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (Oracle Corporation)
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - HKU\.DEFAULT..\Run: [RemotePotatoIRHelper] C:\Program Files (x86)\FatAttitude\Remote Potato\RPKeySender.exe File not found
O4 - HKU\S-1-5-18..\Run: [RemotePotatoIRHelper] C:\Program Files (x86)\FatAttitude\Remote Potato\RPKeySender.exe File not found
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [AdobeBridge]  File not found
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe (Apple Inc.)
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [Eye-Fi] C:\Program Files (x86)\Eye-Fi\Helper\EyeFiHelper.exe (Eye-Fi, Inc.)
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe (Apple Inc.)
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [PlayOn] C:\Program Files (x86)\MediaMall\PlayOn.exe (MediaMall Technologies, Inc.)
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [SkyDrive] C:\Users\MrZ\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_125_ActiveX.exe -update activex File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceActiveDesktopOn = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O9:64bit: - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra Button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O9:64bit: - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:64bit: - Extra Button: PlayOn - {936CEA21-9A68-46D9-A31B-1173A976D896} - C:\Program Files (x86)\MediaMall\toolbar\pobho64.dll (MediaMall Technologies, Inc.)
O9:64bit: - Extra 'Tools' menuitem : PlayOn - {936CEA21-9A68-46D9-A31B-1173A976D896} - C:\Program Files (x86)\MediaMall\toolbar\pobho64.dll (MediaMall Technologies, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: PlayOn - {936CEA21-9A68-46D9-A31B-1173A976D896} - C:\Program Files (x86)\MediaMall\toolbar\pobho.dll (MediaMall Technologies, Inc.)
O9 - Extra 'Tools' menuitem : PlayOn - {936CEA21-9A68-46D9-A31B-1173A976D896} - C:\Program Files (x86)\MediaMall\toolbar\pobho.dll (MediaMall Technologies, Inc.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000001 [] - C:\Windows\SysNative\nlaapi.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000002 [] - C:\Windows\SysNative\NapiNSP.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000003 [] - C:\Windows\SysNative\pnrpnsp.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000004 [] - C:\Windows\SysNative\pnrpnsp.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000005 [] - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000006 [] - C:\Windows\SysNative\winrnr.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Windows\SysNative\wshbth.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000011 - C:\Windows\SysNative\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Windows\SysWOW64\nlaapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\SysWOW64\NapiNSP.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\SysWOW64\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\SysWOW64\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Windows\SysWOW64\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Windows\SysWOW64\wshbth.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\SysWOW64\mswsock.dll (Microsoft Corporation)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} https://secure.logme...scueControl.cab (LogMeIn Rescue Technician Console)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.6.2.cab (DLM Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://control.itsu...nts/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://docstar.webe...br/ieatgpc1.cab (GpcContainer Class)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...rl.cab?lmi=1058 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{47A47527-624A-430E-829B-1177324A0A7A}: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysNative\MSVidCtl.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysNative\inetcomm.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysNative\urlmon.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysNative\itss.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\osf - No CLSID value found
O18:64bit: - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysNative\MSVidCtl.dll (Microsoft Corporation)
O18:64bit: - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysNative\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\SysWOW64\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\SysWOW64\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\SysWOW64\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files (x86)\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\SysWOW64\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\osf {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\SysWOW64\MSVidCtl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\SysWOW64\mshtml.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysNative\mscoree.dll (Microsoft Corporation)
O18:64bit: - Protocol\Filter\text/xml {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\SysWow64\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - AppInit_DLLs: (C:\Windows\system32\guard64.dll) - C:\Windows\SysNative\guard64.dll (COMODO)
O20 - AppInit_DLLs: (C:\Windows\SysWOW64\guard32.dll) - C:\Windows\SysWOW64\guard32.dll (COMODO)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O29:64bit: - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) - C:\Windows\SysWow64\credssp.dll (Microsoft Corporation)
O30:64bit: - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (kerberos) - C:\Windows\SysNative\kerberos.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (msv1_0) - C:\Windows\SysNative\msv1_0.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (schannel) - C:\Windows\SysNative\schannel.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (wdigest) - C:\Windows\SysNative\wdigest.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (tspkg) - C:\Windows\SysNative\tspkg.dll (Microsoft Corporation)
O30:64bit: - LSA: Security Packages - (pku2u) - C:\Windows\SysNative\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\Windows\SysWow64\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\Windows\SysWow64\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\Windows\SysWow64\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\Windows\SysWow64\wdigest.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (tspkg) - C:\Windows\SysWow64\tspkg.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\SysWow64\pku2u.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/07/16 15:33:00 | 000,000,032 | -H-- | M] () - D:\Autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/08/13 20:47:01 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\MrZ\Desktop\OTL.exe
[2014/08/12 19:33:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2014/08/12 19:33:14 | 000,272,808 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2014/08/12 19:33:06 | 000,098,216 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2014/08/12 19:33:06 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
[2014/08/12 19:33:05 | 000,175,528 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2014/08/12 19:33:05 | 000,175,528 | ---- | C] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2014/08/10 18:17:25 | 000,000,000 | ---D | C] -- C:\Users\MrZ\AppData\Roaming\30765
[2014/08/09 18:53:39 | 000,000,000 | ---D | C] -- C:\Users\MrZ\AppData\Roaming\TeamViewer
[2014/08/09 18:53:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\TeamViewer
[2014/08/02 16:01:45 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014/08/02 16:00:31 | 001,016,261 | ---- | C] (Thisisu) -- C:\Users\MrZ\Desktop\JRT.exe
[2014/08/02 15:54:16 | 001,942,776 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\MrZ\Desktop\rkill.exe
[2014/07/21 18:19:19 | 000,000,000 | ---D | C] -- C:\Users\MrZ\AppData\Local\Adobe
[2014/07/20 16:14:44 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec
 
========== Files - Modified Within 30 Days ==========
 
[2014/08/13 21:00:58 | 001,474,832 | ---- | M] () -- C:\Windows\SysNative\drivers\sfi.dat
[2014/08/13 20:48:41 | 000,122,584 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014/08/13 20:48:22 | 000,021,888 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/08/13 20:48:22 | 000,021,888 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/08/13 20:47:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\MrZ\Desktop\OTL.exe
[2014/08/13 20:46:48 | 000,823,190 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2014/08/13 20:46:48 | 000,695,254 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2014/08/13 20:46:48 | 000,131,356 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2014/08/13 20:41:27 | 000,000,888 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014/08/13 20:41:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/08/13 20:41:01 | 1744,183,295 | -HS- | M] () -- C:\hiberfil.sys
[2014/08/13 05:11:00 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014/08/12 20:00:00 | 000,000,368 | ---- | M] () -- C:\Windows\tasks\At1.job
[2014/08/12 19:33:02 | 000,098,216 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
[2014/08/12 19:33:01 | 000,272,808 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaws.exe
[2014/08/12 19:33:01 | 000,175,528 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\javaw.exe
[2014/08/12 19:33:01 | 000,175,528 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\java.exe
[2014/08/12 19:26:32 | 005,074,160 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2014/08/10 12:26:00 | 000,000,426 | ---- | M] () -- C:\Windows\tasks\SlimCleaner Plus (Scheduled Scan - MrZ).job
[2014/08/09 18:53:37 | 000,001,171 | ---- | M] () -- C:\Users\Public\Desktop\TeamViewer 9.lnk
[2014/08/02 18:11:03 | 000,838,450 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2014/08/02 16:00:40 | 001,016,261 | ---- | M] (Thisisu) -- C:\Users\MrZ\Desktop\JRT.exe
[2014/08/02 15:58:22 | 001,361,309 | ---- | M] () -- C:\Users\MrZ\Desktop\adwcleaner_3.302.exe
[2014/08/02 15:54:24 | 001,942,776 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\MrZ\Desktop\rkill.exe
[2014/07/19 09:09:26 | 000,107,368 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIRfsClientNP.dll
[2014/07/19 09:09:26 | 000,092,488 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIinit.dll
[2014/07/19 09:09:26 | 000,035,656 | ---- | M] (LogMeIn, Inc.) -- C:\Windows\SysNative\LMIport.dll
 
========== Files Created - No Company Name ==========
 
[2014/08/09 18:53:37 | 000,001,183 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
[2014/08/09 18:53:37 | 000,001,171 | ---- | C] () -- C:\Users\Public\Desktop\TeamViewer 9.lnk
[2014/08/02 15:58:18 | 001,361,309 | ---- | C] () -- C:\Users\MrZ\Desktop\adwcleaner_3.302.exe
[2014/05/03 08:14:56 | 000,000,856 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2014/01/19 16:28:28 | 000,004,608 | ---- | C] () -- C:\Users\MrZ\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2014/01/17 23:20:21 | 000,000,004 | ---- | C] () -- C:\Windows\vx86036.dat
[2014/01/17 23:19:49 | 000,000,074 | ---- | C] () -- C:\Windows\Crypkey.ini
[2014/01/17 23:19:47 | 000,027,648 | R--- | C] () -- C:\Windows\Setup_ck.exe
[2014/01/17 23:19:47 | 000,018,432 | ---- | C] () -- C:\Windows\Setup_ck.dll
[2014/01/17 23:19:47 | 000,011,776 | ---- | C] () -- C:\Windows\Ckrfresh.exe
[2013/12/06 20:47:03 | 000,000,282 | ---- | C] () -- C:\Windows\ODBC.INI
[2013/10/10 14:35:10 | 000,009,584 | ---- | C] () -- C:\Windows\SysWow64\ractrlkeyhook.dll
[2012/11/19 22:37:12 | 000,000,600 | ---- | C] () -- C:\Users\MrZ\PUTTY.RND
[2012/10/14 11:41:43 | 000,000,005 | -H-- | C] () -- C:\Users\MrZ\.zs
[2012/09/27 20:14:29 | 000,012,354 | ---- | C] () -- C:\Users\MrZ\barcodei4.php
[2012/09/27 20:06:51 | 000,012,354 | ---- | C] () -- C:\Users\MrZ\barcodei3.php
[2012/09/23 21:08:37 | 000,007,618 | ---- | C] () -- C:\Users\MrZ\AppData\Local\Resmon.ResmonCfg
[2012/09/16 12:49:56 | 000,002,558 | ---- | C] () -- C:\Users\MrZ\index2.php
[2012/09/15 16:39:15 | 000,002,493 | ---- | C] () -- C:\Users\MrZ\iisstart.php
[2012/08/30 20:26:35 | 000,000,100 | ---- | C] () -- C:\Windows\1FB169BC-703B-4282-BD96-2CCF743D3814.ini
 
========== ZeroAccess Check ==========
 
[2009/07/13 21:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/03/24 19:43:12 | 014,175,744 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/03/24 19:09:54 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 18:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 20:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 18:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2014/01/11 18:48:53 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\eclipse
[2014/01/11 18:48:53 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\ISIS Drivers
[2014/01/11 18:48:53 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\eclipse
[2014/01/11 18:48:53 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\ISIS Drivers
[2014/08/10 18:17:25 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\30765
[2013/11/25 20:18:33 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\5779
[2012/09/23 20:58:07 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Canneverbe Limited
[2013/11/30 11:41:11 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Dropbox
[2014/02/14 20:42:42 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\DVDFab9
[2014/06/06 23:38:47 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\eclipse
[2014/02/09 00:56:35 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Eye-Fi
[2012/09/10 18:52:26 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Imagenomic
[2014/01/11 18:54:18 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\ISIS Drivers
[2012/09/03 21:16:26 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\JAM Software
[2013/11/03 17:50:27 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Netscape
[2012/09/09 20:45:12 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Notepad++
[2013/06/19 20:18:16 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Oracle
[2013/11/03 17:49:52 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Photodex
[2013/11/28 15:07:27 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\redsn0w
[2013/07/31 19:57:58 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Serif
[2014/08/10 11:05:07 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\TeamViewer
[2014/01/19 15:46:53 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\TechSmith
[2012/11/19 21:34:57 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\TightVNC
[2014/02/09 00:56:55 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\Titanium
[2014/03/26 08:44:39 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\uTorrent
[2012/08/24 20:29:58 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\White Peak Software
[2014/06/19 19:56:04 | 000,000,000 | ---D | M] -- C:\Users\MrZ\AppData\Roaming\XBMC
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
========== Base Services ==========
SRV:64bit: - [2009/07/13 18:40:01 | 000,072,192 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\aelupsvc.dll -- (AeLookupSvc)
SRV:64bit: - [2013/02/26 22:47:10 | 000,070,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\appinfo.dll -- (Appinfo)
SRV:64bit: - [2009/07/13 18:38:55 | 000,079,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\alg.exe -- (ALG)
SRV:64bit: - [2010/11/20 20:23:51 | 000,849,920 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\qmgr.dll -- (BITS)
SRV:64bit: - [2010/11/20 20:24:00 | 000,705,024 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\BFE.DLL -- (BFE)
SRV:64bit: - [2014/04/11 19:19:05 | 000,031,232 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\lsass.exe -- (KeyIso)
SRV:64bit: - [2009/07/13 18:40:50 | 000,402,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\es.dll -- (EventSystem)
SRV - [2009/07/13 18:15:19 | 000,271,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\es.dll -- (EventSystem)
SRV:64bit: - [2012/07/04 15:13:27 | 000,136,704 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\browser.dll -- (Browser)
SRV:64bit: - [2013/07/08 22:46:20 | 000,184,320 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\cryptsvc.dll -- (CryptSvc)
SRV - [2013/07/08 21:46:31 | 000,140,288 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\cryptsvc.dll -- (CryptSvc)
SRV:64bit: - [2010/11/20 20:24:01 | 000,512,000 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\rpcss.dll -- (DcomLaunch)
SRV:64bit: - [2010/11/20 20:24:00 | 000,317,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dhcpcore.dll -- (Dhcp)
SRV - [2010/11/20 20:24:09 | 000,254,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\dhcpcore.dll -- (Dhcp)
SRV:64bit: - [2011/03/02 23:24:16 | 000,183,296 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\dnsrslvr.dll -- (Dnscache)
SRV:64bit: - [2009/07/13 18:40:35 | 000,111,104 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\eapsvc.dll -- (EapHost)
SRV:64bit: - [2009/07/13 18:41:00 | 000,038,912 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\hidserv.dll -- (hidserv)
SRV - [2009/07/13 18:15:24 | 000,049,152 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\hidserv.dll -- (hidserv)
SRV:64bit: - [2009/07/13 18:41:10 | 000,359,424 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\SysNative\ipnathlp.dll -- (SharedAccess)
SRV:64bit: - [2010/11/20 20:23:48 | 000,501,248 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\IPSECSVC.DLL -- (PolicyAgent)
No service found with a name of MsMpSvc
No service found with a name of NisSrv
SRV:64bit: - [2009/07/13 18:41:54 | 000,524,288 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\swprv.dll -- (swprv)
SRV:64bit: - [2009/07/13 18:41:26 | 000,067,584 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\mmcss.dll -- (MMCSS)
SRV:64bit: - [2009/07/13 18:41:52 | 000,360,448 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\netman.dll -- (Netman)
SRV:64bit: - [2009/07/13 18:41:52 | 000,459,776 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\netprofm.dll -- (netprofm)
SRV - [2009/07/13 18:16:03 | 000,360,448 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\netprofm.dll -- (netprofm)
SRV:64bit: - [2012/10/03 10:44:21 | 000,303,104 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\nlasvc.dll -- (NlaSvc)
SRV:64bit: - [2009/07/13 18:41:53 | 000,025,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\nsisvc.dll -- (nsi)
SRV:64bit: - [2011/05/24 04:42:55 | 000,404,480 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\umpnpmgr.dll -- (PlugPlay)
SRV:64bit: - [2012/02/10 23:36:02 | 000,559,104 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\spoolsv.exe -- (Spooler)
SRV:64bit: - [2014/04/11 19:19:05 | 000,031,232 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\lsass.exe -- (ProtectedStorage)
No service found with a name of EMDMgmt
SRV:64bit: - [2009/07/13 18:41:53 | 000,099,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rasauto.dll -- (RasAuto)
SRV:64bit: - [2010/11/20 20:24:17 | 000,344,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\rasmans.dll -- (RasMan)
SRV:64bit: - [2010/11/20 20:24:01 | 000,512,000 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\rpcss.dll -- (RpcSs)
SRV:64bit: - [2010/11/20 20:24:16 | 000,030,720 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\seclogon.dll -- (seclogon)
SRV:64bit: - [2014/04/11 19:19:05 | 000,031,232 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\lsass.exe -- (SamSs)
SRV:64bit: - [2009/07/13 18:41:58 | 000,097,280 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wscsvc.dll -- (wscsvc)
SRV:64bit: - [2010/11/20 20:23:48 | 000,236,032 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\srvsvc.dll -- (LanmanServer)
SRV:64bit: - [2010/11/20 20:23:55 | 000,370,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\shsvcs.dll -- (ShellHWDetection)
SRV - [2010/11/20 20:24:03 | 000,328,192 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\shsvcs.dll -- (ShellHWDetection)
No service found with a name of slsvc
SRV:64bit: - [2010/11/20 20:24:16 | 001,110,016 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\schedsvc.dll -- (Schedule)
SRV:64bit: - [2010/11/20 20:24:32 | 000,316,928 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\tapisrv.dll -- (TapiSrv)
SRV - [2010/11/20 20:24:00 | 000,242,176 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\tapisrv.dll -- (TapiSrv)
SRV:64bit: - [2009/07/13 18:41:55 | 000,044,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\themeservice.dll -- (Themes)
SRV:64bit: - [2012/04/30 22:40:20 | 000,209,920 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\profsvc.dll -- (ProfSvc)
SRV:64bit: - [2010/11/20 20:23:55 | 001,600,512 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\VSSVC.exe -- (VSS)
SRV:64bit: - [2010/11/20 20:24:32 | 000,679,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\audiosrv.dll -- (AudioSrv)
SRV:64bit: - [2010/11/20 20:24:32 | 000,679,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\audiosrv.dll -- (AudioEndpointBuilder)
SRV:64bit: - [2010/11/20 20:25:06 | 000,170,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\sdrsvc.dll -- (SDRSVC)
SRV:64bit: - [2013/05/26 22:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2010/11/20 20:23:55 | 001,646,080 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wevtsvc.dll -- (eventlog)
SRV:64bit: - [2010/11/20 20:24:28 | 000,828,416 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\MPSSVC.dll -- (MpsSvc)
SRV:64bit: - [2010/11/20 20:24:48 | 000,580,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wiaservc.dll -- (stisvc)
SRV:64bit: - [2010/11/20 20:24:15 | 000,128,000 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\msiexec.exe -- (msiserver)
SRV - [2010/11/20 20:24:28 | 000,073,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWow64\msiexec.exe -- (msiserver)
SRV:64bit: - [2009/07/13 18:41:56 | 000,242,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wbem\WMIsvc.dll -- (Winmgmt)
SRV:64bit: - [2012/06/02 15:19:43 | 002,428,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wuaueng.dll -- (wuauserv)
SRV:64bit: - [2010/11/20 20:24:09 | 000,252,416 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\dot3svc.dll -- (dot3svc)
SRV:64bit: - [2009/07/13 18:41:56 | 000,886,784 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wlansvc.dll -- (Wlansvc)
SRV:64bit: - [2010/11/20 20:24:32 | 000,118,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wkssvc.dll -- (LanmanWorkstation)
 
< MD5 for: RPCSS.DLL  >
[2010/11/20 20:24:01 | 000,512,000 | ---- | M] (Microsoft Corporation) MD5=5C627D1B1138676C0A7AB2C2C190D123 -- C:\Windows\SysNative\rpcss.dll
[2010/11/20 20:24:01 | 000,512,000 | ---- | M] (Microsoft Corporation) MD5=5C627D1B1138676C0A7AB2C2C190D123 -- C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:A9967A61
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:F4C624DE

< End of report >

OTL Extras logfile created on: 8/13/2014 8:59:56 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\MrZ\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17207)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
7.50 Gb Total Physical Memory | 4.54 Gb Available Physical Memory | 60.55% Memory free
15.00 Gb Paging File | 11.50 Gb Available in Paging File | 76.66% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 223.22 Gb Total Space | 60.11 Gb Free Space | 26.93% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 870.81 Gb Free Space | 93.48% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 29.86 Gb Free Space | 3.21% Space Free | Partition Type: NTFS
Drive F: | 27.84 Gb Total Space | 27.30 Gb Free Space | 98.05% Space Free | Partition Type: FAT32
Drive J: | 100.97 Mb Total Space | 70.54 Mb Free Space | 69.86% Space Free | Partition Type: NTFS
Drive P: | 1862.92 Gb Total Space | 569.71 Gb Free Space | 30.58% Space Free | Partition Type: NTFS
Drive Z: | 100.00 Gb Total Space | 60.11 Gb Free Space | 60.11% Space Free | Partition Type: MFilesFS
 
Computer Name: WIN7SSD | User Name: MrZ | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
.js[@ = JSFile] -- Reg Error: Value error. File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.js [@ = JSFile] -- Reg Error: Value error. File not found
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [open] -- Reg Error: Value error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
jsfile [open] -- Reg Error: Value error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0222F7A3-5683-4EB4-B21C-166CF5585407}" = rport=138 | protocol=17 | dir=out | app=system |
"{03EC3CE2-51B9-45B2-A4DF-A62EDBD28138}" = lport=9083 | protocol=6 | dir=in | name=remote potato - 9083 inbound |
"{084F0E30-BA53-4052-BC60-BFDA68B7E565}" = rport=445 | protocol=6 | dir=out | app=system |
"{0E0E94BB-AF0E-43E0-AFF2-8668B7D21584}" = lport=9082 | protocol=6 | dir=in | name=remote potato - 9082 inbound |
"{2BCBDCBE-F242-4044-84BA-126456AFD7D0}" = lport=139 | protocol=6 | dir=in | app=system |
"{3B1E7657-5255-42E7-A3D9-DDCF5961E6E6}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office15\outlook.exe |
"{44A650D4-7675-4B83-97E7-904DC20DD487}" = lport=137 | protocol=17 | dir=in | app=system |
"{48A52161-0F56-4178-AD0F-E94CC22B4590}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{544CC461-6F63-438F-ABA3-1B56E0C7A8E8}" = lport=9081 | protocol=6 | dir=in | name=remote potato - 9081 inbound |
"{54FF6518-DD58-441A-AA9D-4D4DA9D72D43}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{56B980F9-942A-4402-A16D-334698AD070D}" = lport=9080 | protocol=6 | dir=in | name=remote potato - 9080 inbound |
"{58C539EC-D457-4E2B-8CC8-C9A530119105}" = lport=138 | protocol=17 | dir=in | app=system |
"{59017C71-38C2-4D85-94A6-CE466C63B339}" = lport=3128 | protocol=6 | dir=in | app=c:\program files (x86)\bench\proxy\proc.exe |
"{5F30FF4F-092C-4E01-AF52-E460941E7A80}" = lport=3128 | protocol=6 | dir=in | app=c:\program files (x86)\bench\proxy\pwdg.exe |
"{67FEA594-42F0-4C21-AAD6-FB133B8B1BB5}" = rport=137 | protocol=17 | dir=out | app=system |
"{720DD41E-BAE6-45C5-8ABC-3DCD398453A0}" = lport=8317 | protocol=6 | dir=in | name=techsmith camtasia studio |
"{7248419C-A5CD-4B9F-9354-8BBAE881CDCC}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{7E00A694-2FCD-4D4C-95AD-9E2D2D975491}" = lport=9083 | protocol=6 | dir=out | name=remote potato - 9083 outbound |
"{8868E248-1703-4FFC-939C-E4A4FD7F7105}" = lport=3128 | protocol=6 | dir=in | app=c:\program files (x86)\bench\proxy\proc.exe |
"{AEBF9973-7B65-4148-BC77-6C64B97CDACB}" = lport=445 | protocol=6 | dir=in | app=system |
"{CFF35435-A652-4720-8BDB-C1B8C867CB2E}" = lport=9081 | protocol=6 | dir=out | name=remote potato - 9081 outbound |
"{DE0C3468-6D77-414E-B377-A57A7F2ACF5C}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{E1601385-1421-47F0-87E0-F327B86AE778}" = lport=9082 | protocol=6 | dir=out | name=remote potato - 9082 outbound |
"{EC6D74EA-2C80-4529-95D7-F4138D187C2D}" = rport=139 | protocol=6 | dir=out | app=system |
"{EEA56AE0-17F9-47F3-828F-4D68468687D3}" = lport=3128 | protocol=6 | dir=in | app=c:\program files (x86)\bench\proxy\pwdg.exe |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{13FFD98D-2D58-4626-97A0-593FD6F07F38}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office15\ucmapi.exe |
"{244327EF-6AD9-4E98-8611-1234D0B786EB}" = protocol=17 | dir=in | app=c:\program files (x86)\teamviewer\version9\teamviewer.exe |
"{28B056F5-0222-4B16-9301-B37FB9B6F675}" = protocol=58 | dir=out | [email protected],-28546 |
"{28B598B6-CCDF-4937-841F-4E50324102D2}" = dir=in | app=c:\program files (x86)\mediamall\settingsmanager.exe |
"{29736CF3-A273-4B62-9AE8-E0A39BAA8C04}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office15\ucmapi.exe |
"{37C95DE0-9E08-41F9-9AE7-4C094800DAC7}" = dir=in | app=c:\users\mrz\appdata\local\microsoft\skydrive\skydrive.exe |
"{3C15D36E-ED4E-4091-9034-316041AD53E2}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office15\lync.exe |
"{3D47C613-3B88-49EC-BFB1-87650F43EC79}" = protocol=6 | dir=in | app=c:\program files (x86)\teamviewer\version9\teamviewer.exe |
"{48403891-0DC7-40FA-82AD-99CE2AD7AC3C}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{491C4BD4-BAB2-4A9E-90B4-72D991AECB1B}" = dir=in | app=c:\program files (x86)\mediamall\mediamallserver.exe |
"{5A529716-1317-41E8-90E6-B5CC7B38870C}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |
"{643145AA-538D-4564-B34B-ECEC6E001BD4}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office15\lync.exe |
"{75DC6360-108D-464F-AA29-766E55426748}" = protocol=1 | dir=out | [email protected],-28544 |
"{768E87CA-3A87-4293-9077-A13798ECE7BC}" = protocol=17 | dir=in | app=c:\users\mrz\appdata\roaming\utorrent\utorrent.exe |
"{7B6B2FF4-6723-4C96-97F8-89BD28815386}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{7F9096F7-EB12-45BA-A3B5-5FBB8CDCDE9D}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{80B2A321-845F-4D33-8EB3-D6C1E3C54857}" = protocol=1 | dir=in | [email protected],-28543 |
"{81B84C98-7713-472D-ACF2-F5DD5509442C}" = dir=in | app=c:\program files (x86)\mediamall\playmark.exe |
"{859B7060-38C1-4578-ACF0-6FF79952FDA4}" = protocol=17 | dir=in | app=c:\program files (x86)\teamviewer\version9\teamviewer_service.exe |
"{86BD1267-9188-42CE-9ABF-61291307630D}" = protocol=6 | dir=in | app=c:\program files (x86)\teamviewer\version9\teamviewer_service.exe |
"{8EC675EE-431A-4C90-937B-3CDDE55EACB8}" = protocol=58 | dir=out | [email protected],-503 |
"{8F0C681A-B825-4002-8F90-46F5E8B1F3CE}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office15\ucmapi.exe |
"{911A3E7E-53F0-4B3B-BE7C-8FE401C2E47B}" = protocol=58 | dir=in | app=system |
"{9D910501-3CFD-48B9-9E58-C2CCD36865B2}" = protocol=58 | dir=in | [email protected],-28545 |
"{A12A3C39-19E1-40B2-A789-709B90E04796}" = protocol=6 | dir=in | app=c:\users\mrz\appdata\roaming\utorrent\utorrent.exe |
"{AA7DAFB0-EFFF-4ACC-B84B-D4F0D7C25D85}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{D52174E6-6911-4DE4-9926-00A2D09A7C68}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office15\lync.exe |
"{E766AB89-6632-4995-B225-15DFDED8C901}" = dir=in | app=c:\program files (x86)\mediamall\playlater.exe |
"{EEB94B36-F51C-4CA5-AE7E-6A8ADA812C30}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office15\lync.exe |
"{F372DDEC-993C-4988-B9CB-F18C1C823BB3}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office15\ucmapi.exe |
"TCP Query User{8A4E8C65-54AA-48CF-A296-3593EDC7A574}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
"UDP Query User{BEEC2C70-E5F6-4197-A3BA-C541BD661B34}C:\program files (x86)\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files (x86)\internet explorer\iexplore.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1374CC63-B520-4f3f-98E8-E9020BF01CFF}" = Windows XP Mode
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
"{23D2AFC7-C01E-4413-9D9A-0BABF52569BF}" = Microsoft Mouse and Keyboard Center
"{31E8F586-4EF7-4500-844D-BA8756474FF1}" = Windows Automated Installation Kit
"{49D665A2-4C2A-476E-9AB8-FCC425F526FC}" = Microsoft SQL Server 2012 Native Client
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{504022CD-6A58-42D5-ACC9-966F695AAD93}_is1" = PDF-XChange 2012
"{54E6C675-3AD4-42E4-957F-31666ABF1603}" = Adobe Photoshop Lightroom 5.2 64-bit
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{619A89DE-5F01-11E2-85E8-000C2982512D}" = Paragon Hard Disk Manager™ 14 Premium Edition
"{6C4958DF-4B1A-4290-947B-5F6AFDC74398}" = AirParrot
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{787136D2-F0F8-4625-AA3F-72D7795AC842}" = Apple Mobile Device Support
"{7DEBE4EB-6B40-3766-BB35-5CBBC385DA37}" = Microsoft .NET Framework 4.5.1
"{81E20D41-C277-4526-934D-F2380AF91B78}" = iCloud
"{8424B163-D1E0-48B7-88A2-C7A61767B3D7}" = Microsoft SQL Server Compact 4.0 x64 ENU
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90140000-00D1-0409-1000-0000000FF1CE}" = Microsoft Access database engine 2010 (English)
"{90150000-002A-0000-1000-0000000FF1CE}" = Microsoft Office 64-bit Components 2013
"{90150000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2013
"{90150000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2013
"{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" = Microsoft .NET Framework 4.5.1
"{97E3E5AA-72FA-45D3-98FF-4C5E321D8555}" = M-Files 9.0.3372.41
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B5121457-0126-4E62-BCBF-6DC7C73D9E4A}" = Oracle VM VirtualBox 4.3.12
"{B71CCF77-38A2-4805-9759-A6F7D2C52F3A}" = Adobe Photoshop Lightroom 4.2 64-bit
"{B8BA155B-1E75-405F-9CB4-8A99615D09DC}" = iTunes
"{C79A7EAB-9D6F-4072-8A6D-F8F54957CD93}" = Microsoft SQL Server 2008 Native Client
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{D6AB1F5B-FED6-49A9-9747-327BD28FB3C7}" = COMODO Internet Security
"{E2B8249D-895C-4685-8C83-00F3B1A13028}" = Microsoft Web Platform Installer 4.0
"{E851486F-1FE2-44F0-85ED-F969088A68EE}" = PHP Manager 1.2 for IIS 7
"CCleaner" = CCleaner
"Defraggler" = Defraggler
"HitmanPro37" = HitmanPro 3.7
"ImagenomicPortraitureLightroomPlugin" = Imagenomic Portraiture 2.2 Lightroom Plug-in (build 2207)
"Microsoft Mouse and Keyboard Center" = Microsoft Mouse and Keyboard Center
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{111EE7DF-FC45-40C7-98A7-753AC46B12FB}" = QuickTime 7
"{185F9795-9663-4F13-9EF9-307A282ADB5A}" = ph
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{262425E7-A5A0-5630-8FB2-FE6E6A650872}" = Boot Media Builder for Paragon Hard Disk Manager™ 12 Server
"{26A24AE4-039D-4CA4-87B4-2F03217067FF}" = Java 7 Update 67
"{272C8DEE-F54F-406C-9AA6-B4DE2985A47C}" = Flash Drive Tester v1.14
"{2A075BB4-E976-4278-BF3F-E5C6945D84C0}" = bl
"{2EEEC858-21F8-419B-8FE2-820621BFFCD7}" = GetDataBack for FAT
"{489687BC-3B2A-401F-920B-0B1E97DDB287}" = Eclipse OCR Support
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"{56582EEA-3AEF-4D84-8B9D-C87A3CD9250F}" = GetDataBack for NTFS
"{5ABDB125-7725-40B6-A1E3-B7D8BFFAA303}" = PlayLater
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6EA6D4E3-134D-4A11-AF2A-7986F61BB2F6}" = ImageRescue3
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7764F7B0-7225-4145-82B6-2AB4540D33A6}" = Eye-Fi Center 3.4
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{7B6D00DA-AE9D-44B3-A91B-4695AA803B3F}" = Serif Premium Image Collection 6
"{7D427BD1-1C88-4007-BBFB-C2DD2ED48C63}" = Serif WebPlus X5
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90150000-0015-0409-0000-0000000FF1CE}" = Microsoft Access MUI (English) 2013
"{90150000-0016-0409-0000-0000000FF1CE}" = Microsoft Excel MUI (English) 2013
"{90150000-0018-0409-0000-0000000FF1CE}" = Microsoft PowerPoint MUI (English) 2013
"{90150000-0019-0409-0000-0000000FF1CE}" = Microsoft Publisher MUI (English) 2013
"{90150000-001A-0409-0000-0000000FF1CE}" = Microsoft Outlook MUI (English) 2013
"{90150000-001B-0409-0000-0000000FF1CE}" = Microsoft Word MUI (English) 2013
"{90150000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proofing Tools 2013 - English
"{90150000-001F-040C-0000-0000000FF1CE}" = Outils de vérification linguistique 2013 de Microsoft Office - Français
"{90150000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proofing Tools 2013 - Español
"{90150000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2013
"{90150000-0044-0409-0000-0000000FF1CE}" = Microsoft InfoPath MUI (English) 2013
"{90150000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2013
"{90150000-0090-0409-0000-0000000FF1CE}" = Microsoft DCF MUI (English) 2013
"{90150000-00A1-0409-0000-0000000FF1CE}" = Microsoft OneNote MUI (English) 2013
"{90150000-00BA-0409-0000-0000000FF1CE}" = Microsoft Groove MUI (English) 2013
"{90150000-00E1-0409-0000-0000000FF1CE}" = Microsoft Office OSM MUI (English) 2013
"{90150000-00E2-0409-0000-0000000FF1CE}" = Microsoft Office OSM UX MUI (English) 2013
"{90150000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2013
"{90150000-0117-0409-0000-0000000FF1CE}" = Microsoft Access Setup Metadata MUI (English) 2013
"{90150000-012B-0409-0000-0000000FF1CE}" = Microsoft Lync MUI (English) 2013
"{91150000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2013
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{9489257A-CED5-45E7-8D16-7B20A2E48744}" = PlayOn
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9B65F9A3-9D24-452A-B6EF-1457D65E4259}" = ScorpionSaver
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A73D4BEE-2BBE-4285-BF6C-4B8C7C001630}" = Zend Studio 9.0.1
"{A7727F03-5311-4A12-9A63-2ACD20BA0497}" = Camtasia Studio 8
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.5)
"{B6D38690-755E-4F40-A35A-23F8BC2B86AC}" = Microsoft_VC90_MFCLOC_x86
"{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}" = Microsoft SQL Server Compact 3.5 ENU
"{C6FEBDB4-DC98-4D10-A659-B3EB49DC2FFF}" = Eclipse ISIS Scanning Support
"{E2B31B67-9795-4EF9-9AC6-B683E7B11BE6}_is1" = FotoFusion v5
"{EFBE6DD5-B224-96E5-72B9-68D328CB12A6}" = Adobe Widget Browser
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F17C3DC2-2ACA-4B0E-BDBF-ACE61B14E7CD}" = Citrix Online Launcher
"{F1C324A1-5562-4956-BF70-253825D53F87}" = Eclipse Imaging Support
"{FA653F5B-483A-4E92-BF75-BB3BBF1D550D}" = LogMeIn
"{FE23D063-934D-4829-A0D8-00634CE79B4A}" = Adobe AIR
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"7-Zip" = 7-Zip 9.22beta
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 14 ActiveX
"CleanUp!" = CleanUp!
"com.adobe.WidgetBrowser" = Adobe Widget Browser
"DVDFab 9.0.7.2 Final9.0.7.2" = DVDFab 9.0.7.2 Final
"Google Chrome" = Google Chrome
"HDClone.Professional.4.2.2.1033-{C5DE40C1-8962-4998-9A4C-E2B1130723F3}" = HDClone 4.2 Professional Edition
"InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}" = Renesas Electronics USB 3.0 Host Controller Driver
"Malwarebytes Anti-Malware_is1" = Malwarebytes Anti-Malware version 2.0.2.1012
"NirSoft ProduKey" = NirSoft ProduKey
"Notepad++" = Notepad++
"Office15.PROPLUSR" = Microsoft Office Professional Plus 2013
"Photodex Presenter" = Photodex Presenter
"ProShow Gold" = ProShow Gold
"ProShow Plugins for Lightroom" = ProShow Plugins for Lightroom
"RealFlight7Pro" = RealFlight 7 R/C Simulator
"SMTP Diagnostics_is1" = SMTP Diagnostics 1.8.0.74
"Stellar Phoenix Outlook PST Repair_is1" = Stellar Phoenix Outlook PST Repair
"TeamViewer 9" = TeamViewer 9
"TreeSize Free_is1" = TreeSize Free V2.7
"VirtualCloneDrive" = VirtualCloneDrive
"XXConsole" = XXConsole: Super Console Generator  ver 0.96
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
 
========== HKEY_USERS Uninstall List ==========
 
[HKEY_USERS\S-1-5-21-2674156391-257221273-1192923396-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"fc3ac04dc8eedef7" = Web Launcher
"OneDriveSetup.exe" = Microsoft OneDrive
"uTorrent" = µTorrent
"XBMC" = XBMC
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 8/11/2014 3:00:02 AM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/12/2014 10:28:07 PM | Computer Name = Win7ssd | Source = WinMgmt | ID = 10
Description =
 
Error - 8/12/2014 10:32:40 PM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/12/2014 10:32:41 PM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/12/2014 10:32:41 PM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/12/2014 10:33:00 PM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/13/2014 1:03:58 AM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/13/2014 3:00:00 AM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/13/2014 6:47:35 AM | Computer Name = Win7ssd | Source = System Restore | ID = 8193
Description =
 
Error - 8/13/2014 11:42:51 PM | Computer Name = Win7ssd | Source = WinMgmt | ID = 10
Description =
 
[ System Events ]
Error - 8/13/2014 8:38:41 AM | Computer Name = Win7ssd | Source = DCOM | ID = 10010
Description =
 
Error - 8/13/2014 11:42:39 PM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 11:46:04 PM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 11:47:56 PM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 11:52:26 PM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 11:52:59 PM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 11:58:02 PM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/13/2014 11:58:47 PM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/14/2014 12:03:19 AM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
Error - 8/14/2014 12:05:09 AM | Computer Name = Win7ssd | Source = Schannel | ID = 36888
Description = The following fatal alert was generated: 10. The internal error state
 is 10.
 
 
< End of report >

 

 


  • 0
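The firewall section of the OTL Extras log above renders every value under HKLM\...\FirewallPolicy\FirewallRules as pipe-separated key=value pairs (lport/rport, protocol, dir, app, svc, name). Two kinds of inbound rule in that dump deserve a second look during adware triage: an inbound allow for a binary living in a user-writable path (the uTorrent rule under AppData\Roaming) and port rules that are bound to a name only rather than to an executable or service (the "remote potato" inbound rules). The script below is an added example, not from the thread or from OTL; it parses that rendered form and applies those two checks, plus a per-port summary. The sample lines are constructed to mirror the log's format. Note that OTL's rendering omits the Action= and Active= fields of the raw registry value, so a rule listed here may be disabled or a block rule; confirm any finding on the machine with `netsh advfirewall firewall show rule name=all`.

```python
import re
from dataclasses import dataclass

# Constructed sample in the pipe-separated form OTL uses when it dumps the values under
# HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules.
# This is OTL's rendering, not the raw "v2.10|Action=Allow|Active=TRUE|Dir=In|..." value syntax.
SAMPLE_RULES = r"""
"{44A650D4-7675-4B83-97E7-904DC20DD487}" = lport=137 | protocol=17 | dir=in | app=system |
"{3B1E7657-5255-42E7-A3D9-DDCF5961E6E6}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office15\outlook.exe |
"{768E87CA-3A87-4293-9077-A13798ECE7BC}" = protocol=17 | dir=in | app=c:\users\mrz\appdata\roaming\utorrent\utorrent.exe |
"{03EC3CE2-51B9-45B2-A4DF-A62EDBD28138}" = lport=9083 | protocol=6 | dir=in | name=remote potato - 9083 inbound |
"{7E00A694-2FCD-4D4C-95AD-9E2D2D975491}" = lport=9083 | protocol=6 | dir=out | name=remote potato - 9083 outbound |
"{48A52161-0F56-4178-AD0F-E94CC22B4590}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"""

# Path fragments that an unprivileged user can write to; an inbound allow for a binary
# there is a rule the user (or something running as the user) created, not the platform.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\",
                         "%temp%", "%appdata%", "%localappdata%")

RULE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<body>.*)$')


@dataclass
class FirewallRule:
    name: str      # registry value name, usually a GUID
    fields: dict   # lowercased keys: lport, rport, protocol, dir, app, svc, name, ...


def parse_rules(text):
    """Parse OTL-rendered FirewallRules lines; lines that do not match are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        fields = {}
        for part in m.group("body").split("|"):
            part = part.strip()
            if not part:
                continue
            key, _, value = part.partition("=")   # first '=' only; rule names may contain '='
            fields[key.strip().lower()] = value.strip()
        rules.append(FirewallRule(m.group("name"), fields))
    return rules


def triage(rules):
    """Return (value name, subject, reasons) for inbound rules worth a second look."""
    findings = []
    for rule in rules:
        if rule.fields.get("dir", "").lower() != "in":
            continue
        app = rule.fields.get("app", "").lower()
        reasons = []
        if any(marker in app for marker in USER_WRITABLE_MARKERS):
            reasons.append("inbound allow for a binary in a user-writable path")
        if "app" not in rule.fields and "svc" not in rule.fields:
            reasons.append("inbound port opened for any process, not tied to an executable or service")
        if reasons:
            subject = app or rule.fields.get("name", "") or rule.fields.get("lport", "")
            findings.append((rule.name, subject, reasons))
    return findings


def inbound_ports(rules):
    """Map each locally opened port (lport) to the subjects that open it, as a quick exposure summary."""
    ports = {}
    for rule in rules:
        if rule.fields.get("dir") == "in" and "lport" in rule.fields:
            subject = rule.fields.get("app") or rule.fields.get("svc") or rule.fields.get("name", "?")
            ports.setdefault(rule.fields["lport"], []).append(subject)
    return ports


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for name, subject, reasons in triage(parsed):
        print(f"{name}  {subject}\n    " + "\n    ".join(reasons))
    for port, subjects in sorted(inbound_ports(parsed).items()):
        print(f"lport {port}: {', '.join(subjects)}")
```

Run it as-is to see the sample triage, or paste the FirewallRules block of a real OTL Extras.txt into SAMPLE_RULES. The user-writable-path check is the one that matters most on a home machine: Windows asks the logged-on user whether to allow an inbound connection the first time a program listens, so every such rule was approved by a click, and an adware bundle that runs as the user can create them silently.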

#5 Biscuithd (Trusted Helper, Malware Removal, 2,573 posts)

You did the scans just fine :thumbsup:

 

So, a couple of things. uTorrent and Hitman Pro. I am going to place my P2P warning below and please read it. It pertains to your uTorrent software and the likely source of your issues.

Hitman Pro is utter dross! Not only does it do very little on the positive side, it has been causing crashes and unbootable systems. Please uninstall both uTorrent and Hitman before you run the other tools.

 

I've spotted signs of a P2P program installed on your machine.

icon_exclaim.gifBe warned:

P2P programs, while legal in themselves, are often used to obtain illegal downloads. Currently it's one of the best ways to get infected: unsecured ports, downloaded cracks... There have been some extreme cases in which passwords and private or financial data were exposed to a file sharing network because of bad P2P configuration.

I'm rather sure that if you continue using P2P, you'll often be visiting our Malware Removal Forum.
I strongly recommend full uninstallation of any P2P apps (if so, please do it from the Control Panel > Add/Remove Programs).

 

And, while you are in the Control Panel > Add/Remove Programs...uninstall HitMan Pro too please.

 

51a5d669693dd-icon_OTL.png Fix with OTL

Please re-run OTL with this removal script included.


icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

  • Right-click on 51a5d669693dd-icon_OTL.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Under the Custom Scans/Fixes bar in the box paste in the following:
     
:Commands
[CREATERESTOREPOINT]

:OTL
PRC - File not found --
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKU\.DEFAULT\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-18\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE11SR
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
[2012/09/27 09:59:30 | 000,000,000 | ---D | M] (OneClickDownloader) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\Profiles\extensions\[email protected]
[2013/12/01 11:43:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\extensions
[2014/08/02 16:01:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\Profiles\extensions
[2014/06/19 19:26:34 | 000,000,000 | ---D | M] (No name found) -- C:\Users\MrZ\AppData\Roaming\Mozilla\Firefox\Profiles\extensions\extensions
CHR - plugin: Conduit Radio Plugin (Enabled) = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda\10.11.21.5_0\plugins/np-cwmp.dll
CHR - Extension: Atomic Savings = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmicfehfblhebdfbhfgmmfcaikafckac\1.0_0\
CHR - Extension: Atomic Savings = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmicfehfblhebdfbhfgmmfcaikafckac\1.0_1\
CHR - Extension: Atomic Savings = C:\Users\MrZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pmicfehfblhebdfbhfgmmfcaikafckac\1.0_2\
O2:64bit: - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - No CLSID value found.
O2:64bit: - BHO: (no name) - {56bc31de-97ab-4563-8599-ad5d4e9800f9} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O3 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O3 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKU\.DEFAULT..\Run: [RemotePotatoIRHelper] C:\Program Files (x86)\FatAttitude\Remote Potato\RPKeySender.exe File not found
O4 - HKU\S-1-5-18..\Run: [RemotePotatoIRHelper] C:\Program Files (x86)\FatAttitude\Remote Potato\RPKeySender.exe File not found
O4 - HKU\S-1-5-21-2674156391-257221273-1192923396-1000..\Run: [AdobeBridge]  File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\osf - No CLSID value found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[reboot]
  • Push Run Fix and wait patiently.
  • If asked to reboot, please allow it to.
  • A notepad window with a logfile will open after this run. It will be also saved in _OTL\MovedFiles directory on your main drive as (date)_(time).log.

Please include the content of this logfile in your next reply and let me know if we've eliminated the Atomic Ads. If not, I have other ideas. If we have, there is additional clean up to do, so please come back :)

 


  • 0
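The fix above removes three install directories of the "Atomic Savings" Chrome extension (1.0_0, 1.0_1, 1.0_2 under the same id) and a Conduit plugin from the user's Chrome profile. Before or after pulling an extension like that it is worth knowing what it could actually do, and the manifest.json in each install directory says so: which sites its content scripts run on, which privileged APIs it requests, and whether it updates from the Chrome Web Store at all. The script below is an added example, not from the thread or from any of the tools it mentions; it walks a Chrome Extensions directory (on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions, the path in the log) and summarises each extension id with those flags. The two manifests it writes to a temp directory, their ids, names and example.invalid hosts are constructed for the demo.

```python
import json
import sys
import tempfile
from pathlib import Path

# Match patterns that put a content script or host permission on every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs an ad injector typically wants: observe or rewrite requests, enumerate tabs,
# read cookies, point the browser at a proxy, or manage other extensions.
INTERESTING_PERMS = {"webRequest", "webRequestBlocking", "tabs", "cookies", "proxy", "management"}
# Extensions installed from the Chrome Web Store carry this update_url; sideloaded ones usually do not.
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def _manifest_flags(data):
    flags = set()
    perms = set(data.get("permissions", [])) | set(data.get("optional_permissions", []))
    hosts = set(data.get("host_permissions", []))        # manifest v3 puts host patterns here
    for script in data.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    if (hosts | perms) & BROAD_HOSTS:                      # manifest v2 lists hosts under "permissions"
        flags.add("runs on every site")
    apis = perms & INTERESTING_PERMS
    if apis:
        flags.add("uses " + ", ".join(sorted(apis)))
    if data.get("update_url") != STORE_UPDATE_URL:
        flags.add("not updated from the Chrome Web Store")
    return flags


def triage_extensions(extensions_root):
    """Walk <Extensions>/<id>/<version_dir>/manifest.json and summarise each extension id."""
    by_id = {}
    for manifest in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        ext_id, version_dir = manifest.parent.parent.name, manifest.parent.name
        data = json.loads(manifest.read_text(encoding="utf-8"))
        entry = by_id.setdefault(ext_id, {"id": ext_id, "name": data.get("name", "?"),
                                          "versions": [], "flags": set()})
        entry["versions"].append(version_dir)
        entry["flags"].update(_manifest_flags(data))
    for entry in by_id.values():
        if len(entry["versions"]) > 1:
            # Several install directories for one id: it has been installed more than once.
            entry["flags"].add("multiple install directories")
        entry["flags"] = sorted(entry["flags"])
    return sorted(by_id.values(), key=lambda e: e["id"])


def build_sample_profile():
    """Write two constructed manifests (hypothetical ids and names) into a temp dir; return its path."""
    root = Path(tempfile.mkdtemp(prefix="chrome-ext-sample-")) / "Extensions"
    coupon = {  # constructed: the shape of a coupon/ad-injecting extension
        "manifest_version": 2, "name": "Sample Savings", "version": "1.0",
        "permissions": ["tabs", "webRequest", "webRequestBlocking", "http://*/*", "https://*/*"],
        "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["inject.js"]}],
        "update_url": "http://updates.example.invalid/crx",
    }
    notes = {  # constructed: a narrowly scoped store extension
        "manifest_version": 2, "name": "Sample Notes", "version": "2.3.1",
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["https://notes.example.invalid/*"], "js": ["notes.js"]}],
        "update_url": STORE_UPDATE_URL,
    }
    samples = [("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0_0", coupon),
               ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0_1", coupon),
               ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.3.1_0", notes)]
    for ext_id, version_dir, manifest in samples:
        target = root / ext_id / version_dir
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_profile()
    for entry in triage_extensions(root):
        print(f"{entry['id']}  {entry['name']}  versions={entry['versions']}")
        for flag in entry["flags"]:
            print(f"    - {flag}")
```

Pass a real profile's Extensions directory as the first argument to run it against a machine. The flags are leads, not a verdict: a legitimate coupon finder also needs to run on every shopping site. What they buy you is knowing, before removal, what the extension could see (every page and every request of the logged-on user) so the cleanup covers the consequences, and a quick way to confirm afterwards that no install directory for the id is left behind.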

#6 bhzendner (Topic Starter, Member, 226 posts)

The computer froze. I am running it again to see if it will go through the second time.


  • 0

#7 Biscuithd (Trusted Helper, Malware Removal, 2,573 posts)

The freezing is disconcerting. Honestly, right now I don't see anything in the OTL scan that would account for locking up the machine. Yes, there are some "minor" spyware/adware issues that require tidying up, but nothing significant. It is possible that there is something more insidious lurking, but honestly I'm leaning more toward a Hardware issue.

 

Before I turn you over to our Hardware folks, let's see if we can't clean what is there. If you don't mind trying the Fix again, that would be great. :thumbsup:


  • 0

#8 bhzendner (Topic Starter, Member, 226 posts)

OK, ran it again. This time the machine is still working but the app does not appear to be progressing; it says "Not responding" at the top and at the bottom "Processing PRC - File not found --..." Maybe I entered something wrong?


  • 0

#9 Biscuithd (Trusted Helper, Malware Removal, 2,573 posts)

Ok, let's try a different attack plan :)

 

Boot to Safe Mode. If you don't know how to do that, here are instructions.

 

Boot into Safe Mode:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, tap F8 continually.
3) If you are asked what mode to bootup in press Esc to boot in the default settings
4) Instead of Windows loading as normal, a menu should appear
5) Select the option to run Windows in Safe Mode.

 

aswMBR.png Scan with aswMBR

Please download aswMBR by Avast! & Gmer and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
 

  • Right-click on the aswMBR.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Allow virtualisation if offered.
  • If you are prompted to download the latest anti-virus definitions from avast!, click Yes.
  • Click the AV Scan: drop down box and select C:\.
  • Select scan.
  • Upon completion, you will see Scan finished successfully. Click Save log.

Do NOT click Fix or FixMBR!
A file (MBR.dat) will be created on your desktop. Do NOT click or delete it!

Copy the contents of the logfile and paste it into your next reply.
Do not forget to re-enable your previously switched-off protection software!

 

 

gmericon.png Scan with Gmer

This type of scan often produces false positives. Do not take any action on any suspicious entries you may see there; instead, post the log to be analyzed.

Please download GMER by Gmer and save the file to your desktop.
It will come as a randomly named file (like a6ge38b4.exe) - that's absolutely normal.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
If you are a user of CD emulation software (like Daemon Tools or Alcohol) also disable it for the cleaning process - instructions here.
 

  • Right-click on randomly named gmericon.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • It is very important that you do not use your computer while Gmer is running!
  • Gmer will open to the Rootkit/Malware tab and perform an automatic quick scan.
  • If you receive a warning about rootkit activity and are asked to fully scan your system click NO!

When the pre-scan is completed, please do the following:

  • Please check the Quick scan box.
  • Please uncheck IAT/EAT and Show All.
  • Click Scan.
  • If you see a rootkit warning window click OK.
  • When the scan is finished, Save the results to your desktop as gmer.log.

Please include the content of this file in your next reply.
Don't forget to re-enable previously switched-off protection software!

icon_idea.gif If you encounter any problems, try running GMER in Safe Mode.
icon_idea.gif If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning.

 


  • 0

#10 bhzendner (Topic Starter, Member, 226 posts)

aswMBR version 1.0.1.2041 Copyright© 2014 AVAST Software
Run date: 2014-08-17 20:05:06
-----------------------------
20:05:06.877    OS Version: Windows x64 6.1.7601 Service Pack 1
20:05:06.877    Number of processors: 6 586 0xA00
20:05:06.878    ComputerName: WIN7SSD  UserName: MrZ
20:05:13.094    Initialize success
20:05:13.126    VM: initialized successfully
20:05:13.133    VM: Amd CPU supported
20:05:17.248    VM: supported disk I/O ataport.SYS
20:09:05.584    AVAST engine defs: 14081701
20:09:10.021    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:09:10.025    Disk 0 Vendor: Corsair_Force_3_SSD 5.02 Size: 228936MB BusType: 3
20:09:10.031    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-8
20:09:10.035    Disk 1 Vendor: WDC_WD1001FALS-00E8B0 05.00K05 Size: 953869MB BusType: 3
20:09:10.041    Disk 2  \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP2T0L0-2
20:09:10.047    Disk 2 Vendor: WDC_WD2002FAEX-007BA0 05.01D05 Size: 1907729MB BusType: 3
20:09:10.058    Disk 0 MBR read successfully
20:09:10.060    Disk 0 MBR scan
20:09:10.065    Disk 0 Windows 7 default MBR code
20:09:10.068    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          350 MB offset 2048
20:09:10.072    Disk 0 default boot code
20:09:10.079    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       228577 MB offset 718848
20:09:10.092    Disk 0 scanning C:\Windows\system32\drivers
20:09:13.708    Service scanning
20:09:25.581    Modules scanning
20:09:25.593    Disk 0 trace - called modules:
20:09:25.605    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
20:09:25.614    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006c81060]
20:09:25.623    3 CLASSPNP.SYS[fffff8800194143f] -> nt!IofCallDriver -> [0xfffffa800664d670]
20:09:25.632    5 ACPI.sys[fffff88000f8f7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8006a5f060]
20:09:25.979    AVAST engine scan C:\Windows
20:09:27.058    AVAST engine scan C:\Windows\system32
20:13:39.315    AVAST engine scan C:\Windows\system32\drivers
20:13:45.314    AVAST engine scan C:\Users\MrZ
20:19:21.806    AVAST engine scan C:\ProgramData
20:21:54.571    Scan finished successfully
21:09:10.076    Disk 0 MBR has been saved successfully to "C:\Users\MrZ\Desktop\MBR.dat"
21:09:10.079    The log file has been saved successfully to "C:\Users\MrZ\Desktop\aswMBR.txt"

 


  • 0



#11 Biscuithd (Trusted Helper, Malware Removal, 2,573 posts)

Have you had a chance to run GMER?


  • 0

#12 bhzendner (Topic Starter, Member, 226 posts)

I am having trouble sending it; is it too large? Suggestions?


  • 0

#13 Biscuithd (Trusted Helper, Malware Removal, 2,573 posts)

Try dividing it into pieces and putting each piece in a separate post. I'll be able to read it regardless.


  • 0

#14 bhzendner (Topic Starter, Member, 226 posts)

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-18 05:32:09
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Corsair_Force_3_SSD rev.5.02 223.57GB
Running: s5fzlukh.exe; Driver: C:\Users\MrZ\AppData\Local\Temp\kwrdqpoc.sys

.text     C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                             00000000776f1800 8 bytes JMP 000000016fff0bc8
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                        00000000776f19f0 8 bytes JMP 000000016fff0d18
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                00000000776f1b00 8 bytes JMP 000000016fff0960
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                            00000000776f1bd0 8 bytes JMP 000000016fff0ab0
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                               00000000776f1d20 8 bytes JMP 000000016fff0c70
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                         00000000776f1d30 8 bytes JMP 000000016fff0ce0
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                             00000000776f20a0 8 bytes JMP 000000016fff0ae8
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                    00000000776f2130 8 bytes JMP 000000016fff0ca8
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                   00000000776f29a0 8 bytes JMP 000000016fff0b20
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                         00000000776f2a20 8 bytes JMP 000000016fff0a08
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                     00000000776f2aa0 8 bytes JMP 000000016fff0a40
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                                  00000000775898e0 12 bytes JMP 000000016fff01b8
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                                        00000000775a0650 12 bytes JMP 000000016fff0148
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                                        000000007761acf0 1 byte JMP 000000016fff0180
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\kernel32.dll!CreateProcessA + 2                                                                                    000000007761acf2 5 bytes {JMP 0xfffffffff89d5490}
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                        000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                                 000007fefe3a22cc 5 bytes JMP 000007fffd3f0260
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                   000007fefe3a24c0 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                                  000007fefe3a5bf0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                                000007fefe3a8398 9 bytes JMP 000007fffd3f01f0
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                                000007fefe3a89d8 9 bytes JMP 000007fffd3f01b8
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\GDI32.dll!GetPixel                                                                                                 000007fefe3a9344 5 bytes JMP 000007fffd3f0228
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                               000007fefe3ab9f8 5 bytes JMP 000007fffd3f0340
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                   000007fefe3ac8e0 5 bytes JMP 000007fffd3f0308


#15
bhzendner

    Member

  • Topic Starter
  • Member
  • 226 posts

.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                                  000007fefdbea6f0 1 byte JMP 000007fffd3f0180
.text     C:\Windows\system32\lsass.exe[708] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2                                                                              000007fefdbea6f2 5 bytes {JMP 0xffffffffff805a90}
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                               00000000776c3b10 5 bytes JMP 000000016fff0110
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                                 00000000776c7ac0 5 bytes JMP 000000016fff0d50
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                    00000000776f13a0 8 bytes JMP 000000016fff00d8
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                         00000000776f1570 8 bytes JMP 000000016fff0a78
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                                 00000000776f15e0 8 bytes JMP 000000016fff0c00
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                              00000000776f1620 8 bytes JMP 000000016fff0b90
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                    00000000776f16c0 8 bytes JMP 000000016fff0c38
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                            00000000776f1750 8 bytes JMP 000000016fff0b58
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                             00000000776f1790 8 bytes JMP 000000016fff0998
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                          00000000776f17e0 8 bytes JMP 000000016fff09d0
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                               00000000776f1800 8 bytes JMP 000000016fff0bc8
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                          00000000776f19f0 8 bytes JMP 000000016fff0d18
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                                  00000000776f1b00 8 bytes JMP 000000016fff0960
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                              00000000776f1bd0 8 bytes JMP 000000016fff0ab0
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                                 00000000776f1d20 8 bytes JMP 000000016fff0c70
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                           00000000776f1d30 8 bytes JMP 000000016fff0ce0
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                               00000000776f20a0 8 bytes JMP 000000016fff0ae8
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                      00000000776f2130 8 bytes JMP 000000016fff0ca8
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                     00000000776f29a0 8 bytes JMP 000000016fff0b20
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                           00000000776f2a20 8 bytes JMP 000000016fff0a08
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                       00000000776f2aa0 8 bytes JMP 000000016fff0a40
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                          000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                                   000007fefe3a22cc 5 bytes JMP 000007fffd3f0260
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                     000007fefe3a24c0 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                                    000007fefe3a5bf0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                                  000007fefe3a8398 9 bytes JMP 000007fffd3f01f0
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                                  000007fefe3a89d8 9 bytes JMP 000007fffd3f01b8
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\system32\GDI32.dll!GetPixel                                                                                                   000007fefe3a9344 5 bytes JMP 000007fffd3f0228
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                                 000007fefe3ab9f8 5 bytes JMP 000007fffd3f0340
.text     C:\Windows\system32\lsm.exe[716] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                     000007fefe3ac8e0 5 bytes JMP 000007fffd3f0308
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                           00000000776c3b10 5 bytes JMP 000000016fff0110
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                             00000000776c7ac0 5 bytes JMP 000000016fff0d50
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                00000000776f13a0 8 bytes JMP 000000016fff00d8
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                     00000000776f1570 8 bytes JMP 000000016fff0a78
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                             00000000776f15e0 8 bytes JMP 000000016fff0c00
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                          00000000776f1620 8 bytes JMP 000000016fff0b90
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                00000000776f16c0 8 bytes JMP 000000016fff0c38
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                        00000000776f1750 8 bytes JMP 000000016fff0b58
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                         00000000776f1790 8 bytes JMP 000000016fff0998
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                      00000000776f17e0 8 bytes JMP 000000016fff09d0
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                           00000000776f1800 8 bytes JMP 000000016fff0bc8
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                      00000000776f19f0 8 bytes JMP 000000016fff0d18
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                              00000000776f1b00 8 bytes JMP 000000016fff0960
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                          00000000776f1bd0 8 bytes JMP 000000016fff0ab0
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                             00000000776f1d20 8 bytes JMP 000000016fff0c70
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                       00000000776f1d30 8 bytes JMP 000000016fff0ce0
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                           00000000776f20a0 8 bytes JMP 000000016fff0ae8
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                  00000000776f2130 8 bytes JMP 000000016fff0ca8
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                 00000000776f29a0 8 bytes JMP 000000016fff0b20
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                       00000000776f2a20 8 bytes JMP 000000016fff0a08
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                   00000000776f2aa0 8 bytes JMP 000000016fff0a40
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                      000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx                                                                                 000007fefdab3e80 5 bytes JMP 000007fffd3f01b8
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                               000007fefe3a22cc 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                 000007fefe3a24c0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                                000007fefe3a5bf0 5 bytes JMP 000007fffd3f0308
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                              000007fefe3a8398 9 bytes JMP 000007fffd3f0228
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                              000007fefe3a89d8 9 bytes JMP 000007fffd3f01f0
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\system32\GDI32.dll!GetPixel                                                                                               000007fefe3a9344 5 bytes JMP 000007fffd3f0260
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                             000007fefe3ab9f8 5 bytes JMP 000007fffd3f0378
.text     C:\Windows\system32\svchost.exe[872] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                 000007fefe3ac8e0 5 bytes JMP 000007fffd3f0340
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                           00000000776c3b10 5 bytes JMP 000000016fff0110
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                             00000000776c7ac0 5 bytes JMP 000000016fff0d50
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                00000000776f13a0 8 bytes JMP 000000016fff00d8
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                     00000000776f1570 8 bytes JMP 000000016fff0a78
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                             00000000776f15e0 8 bytes JMP 000000016fff0c00
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                          00000000776f1620 8 bytes JMP 000000016fff0b90
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                00000000776f16c0 8 bytes JMP 000000016fff0c38
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                        00000000776f1750 8 bytes JMP 000000016fff0b58
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                         00000000776f1790 8 bytes JMP 000000016fff0998
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                      00000000776f17e0 8 bytes JMP 000000016fff09d0
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                           00000000776f1800 8 bytes JMP 000000016fff0bc8
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                      00000000776f19f0 8 bytes JMP 000000016fff0d18
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                              00000000776f1b00 8 bytes JMP 000000016fff0960
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                          00000000776f1bd0 8 bytes JMP 000000016fff0ab0
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                             00000000776f1d20 8 bytes JMP 000000016fff0c70
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                       00000000776f1d30 8 bytes JMP 000000016fff0ce0
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                           00000000776f20a0 8 bytes JMP 000000016fff0ae8
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                  00000000776f2130 8 bytes JMP 000000016fff0ca8
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                 00000000776f29a0 8 bytes JMP 000000016fff0b20
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                       00000000776f2a20 8 bytes JMP 000000016fff0a08
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                   00000000776f2aa0 8 bytes JMP 000000016fff0a40
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                                00000000775898e0 12 bytes JMP 000000016fff01b8
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                                      00000000775a0650 12 bytes JMP 000000016fff0148
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                                      000000007761acf0 1 byte JMP 000000016fff0180
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\kernel32.dll!CreateProcessA + 2                                                                                  000000007761acf2 5 bytes {JMP 0xfffffffff89d5490}
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                      000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx                                                                                 000007fefdab3e80 5 bytes JMP 000007fffd3f01b8
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                               000007fefe3a22cc 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                 000007fefe3a24c0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                                000007fefe3a5bf0 5 bytes JMP 000007fffd3f0308
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                              000007fefe3a8398 9 bytes JMP 000007fffd3f0228
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                              000007fefe3a89d8 9 bytes JMP 000007fffd3f01f0
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!GetPixel                                                                                               000007fefe3a9344 5 bytes JMP 000007fffd3f0260
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                             000007fefe3ab9f8 5 bytes JMP 000007fffd3f0378
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                 000007fefe3ac8e0 5 bytes JMP 000007fffd3f0340
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                                000007fefdbea6f0 1 byte JMP 000007fffd3f0180
.text     C:\Windows\system32\svchost.exe[956] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2                                                                            000007fefdbea6f2 5 bytes {JMP 0xffffffffff805a90}
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                           00000000776c3b10 5 bytes JMP 000000016fff0110
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                             00000000776c7ac0 5 bytes JMP 000000016fff0d50
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                00000000776f13a0 8 bytes JMP 000000016fff00d8
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                     00000000776f1570 8 bytes JMP 000000016fff0a78
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                             00000000776f15e0 8 bytes JMP 000000016fff0c00
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                          00000000776f1620 8 bytes JMP 000000016fff0b90
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                00000000776f16c0 8 bytes JMP 000000016fff0c38
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                        00000000776f1750 8 bytes JMP 000000016fff0b58
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                         00000000776f1790 8 bytes JMP 000000016fff0998
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                      00000000776f17e0 8 bytes JMP 000000016fff09d0
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                           00000000776f1800 8 bytes JMP 000000016fff0bc8
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                      00000000776f19f0 8 bytes JMP 000000016fff0d18
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                              00000000776f1b00 8 bytes JMP 000000016fff0960
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                          00000000776f1bd0 8 bytes JMP 000000016fff0ab0
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                             00000000776f1d20 8 bytes JMP 000000016fff0c70
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                       00000000776f1d30 8 bytes JMP 000000016fff0ce0
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                           00000000776f20a0 8 bytes JMP 000000016fff0ae8
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                  00000000776f2130 8 bytes JMP 000000016fff0ca8
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                 00000000776f29a0 8 bytes JMP 000000016fff0b20
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                       00000000776f2a20 8 bytes JMP 000000016fff0a08
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                   00000000776f2aa0 8 bytes JMP 000000016fff0a40
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                      000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                               000007fefe3a22cc 5 bytes JMP 000007fffd3f0260
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                 000007fefe3a24c0 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                                000007fefe3a5bf0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                              000007fefe3a8398 9 bytes JMP 000007fffd3f01f0
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                              000007fefe3a89d8 9 bytes JMP 000007fffd3f01b8
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\system32\GDI32.dll!GetPixel                                                                                               000007fefe3a9344 5 bytes JMP 000007fffd3f0228
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                             000007fefe3ab9f8 5 bytes JMP 000007fffd3f0340
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                 000007fefe3ac8e0 5 bytes JMP 000007fffd3f0308
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                                000007fefdbea6f0 1 byte JMP 000007fffd3f0180
.text     C:\Windows\system32\svchost.exe[544] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2                                                                            000007fefdbea6f2 5 bytes {JMP 0xffffffffff805a90}
.text     C:\Windows\system32\atiesrxx.exe[744] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                               00000000775898e0 12 bytes JMP 000000016fff01b8
.text     C:\Windows\system32\atiesrxx.exe[744] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                                     00000000775a0650 12 bytes JMP 000000016fff0148
.text     C:\Windows\system32\atiesrxx.exe[744] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                                     000000007761acf0 1 byte JMP 000000016fff0180
.text     C:\Windows\system32\atiesrxx.exe[744] C:\Windows\system32\kernel32.dll!CreateProcessA + 2                                                                                 000000007761acf2 5 bytes {JMP 0xfffffffff89d5490}
.text     C:\Windows\system32\atiesrxx.exe[744] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                     000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\system32\atiesrxx.exe[744] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                              000007fefe3a22cc 5 bytes JMP 000007fffd3f0260
.text     C:\Windows\system32\atiesrxx.exe[744] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                000007fefe3a24c0 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\system32\atiesrxx.exe[744] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                               000007fefe3a5bf0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\system32\atiesrxx.exe[744] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                             000007fefe3a8398 9 bytes JMP 000007fffd3f01f0
.text     C:\Windows\system32\atiesrxx.exe[744] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                             000007fefe3a89d8 9 bytes JMP 000007fffd3f01b8
.text     C:\Windows\system32\atiesrxx.exe[744] C:\Windows\system32\GDI32.dll!GetPixel                                                                                              000007fefe3a9344 5 bytes JMP 000007fffd3f0228
.text     C:\Windows\system32\atiesrxx.exe[744] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                            000007fefe3ab9f8 5 bytes JMP 000007fffd3f0340
.text     C:\Windows\system32\atiesrxx.exe[744] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                000007fefe3ac8e0 5 bytes JMP 000007fffd3f0308
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                           00000000776c3b10 5 bytes JMP 000000016fff0110
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                             00000000776c7ac0 5 bytes JMP 000000016fff0d50
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                                00000000776f13a0 8 bytes JMP 000000016fff00d8
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                     00000000776f1570 8 bytes JMP 000000016fff0a78
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                             00000000776f15e0 8 bytes JMP 000000016fff0c00
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                          00000000776f1620 8 bytes JMP 000000016fff0b90
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                                00000000776f16c0 8 bytes JMP 000000016fff0c38
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                        00000000776f1750 8 bytes JMP 000000016fff0b58
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                         00000000776f1790 8 bytes JMP 000000016fff0998
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                      00000000776f17e0 8 bytes JMP 000000016fff09d0
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                           00000000776f1800 8 bytes JMP 000000016fff0bc8
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                      00000000776f19f0 8 bytes JMP 000000016fff0d18
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                              00000000776f1b00 8 bytes JMP 000000016fff0960
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                          00000000776f1bd0 8 bytes JMP 000000016fff0ab0
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                             00000000776f1d20 8 bytes JMP 000000016fff0c70
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                       00000000776f1d30 8 bytes JMP 000000016fff0ce0
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                           00000000776f20a0 8 bytes JMP 000000016fff0ae8
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                  00000000776f2130 8 bytes JMP 000000016fff0ca8
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                 00000000776f29a0 8 bytes JMP 000000016fff0b20
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                       00000000776f2a20 8 bytes JMP 000000016fff0a08
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                   00000000776f2aa0 8 bytes JMP 000000016fff0a40
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                      000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                               000007fefe3a22cc 5 bytes JMP 000007fffd3f0260
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                 000007fefe3a24c0 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                                000007fefe3a5bf0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                              000007fefe3a8398 9 bytes JMP 000007fffd3f01f0
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                              000007fefe3a89d8 9 bytes JMP 000007fffd3f01b8
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\system32\GDI32.dll!GetPixel                                                                                               000007fefe3a9344 5 bytes JMP 000007fffd3f0228
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                             000007fefe3ab9f8 5 bytes JMP 000007fffd3f0340
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                 000007fefe3ac8e0 5 bytes JMP 000007fffd3f0308
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                                000007fefdbea6f0 1 byte JMP 000007fffd3f0180
.text     C:\Windows\System32\svchost.exe[712] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2                                                                            000007fefdbea6f2 5 bytes {JMP 0xffffffffff805a90}
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                          00000000776c3b10 5 bytes JMP 000000016fff0110
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                            00000000776c7ac0 5 bytes JMP 000000016fff0d50
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                               00000000776f13a0 8 bytes JMP 000000016fff00d8
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                    00000000776f1570 8 bytes JMP 000000016fff0a78
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                            00000000776f15e0 8 bytes JMP 000000016fff0c00
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                         00000000776f1620 8 bytes JMP 000000016fff0b90
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                               00000000776f16c0 8 bytes JMP 000000016fff0c38
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                       00000000776f1750 8 bytes JMP 000000016fff0b58
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                        00000000776f1790 8 bytes JMP 000000016fff0998
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                     00000000776f17e0 8 bytes JMP 000000016fff09d0
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                          00000000776f1800 8 bytes JMP 000000016fff0bc8
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                     00000000776f19f0 8 bytes JMP 000000016fff0d18
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                             00000000776f1b00 8 bytes JMP 000000016fff0960
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                         00000000776f1bd0 8 bytes JMP 000000016fff0ab0
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                            00000000776f1d20 8 bytes JMP 000000016fff0c70
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                      00000000776f1d30 8 bytes JMP 000000016fff0ce0
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                          00000000776f20a0 8 bytes JMP 000000016fff0ae8
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                 00000000776f2130 8 bytes JMP 000000016fff0ca8
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                00000000776f29a0 8 bytes JMP 000000016fff0b20
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                      00000000776f2a20 8 bytes JMP 000000016fff0a08
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                  00000000776f2aa0 8 bytes JMP 000000016fff0a40
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                               00000000775898e0 12 bytes JMP 000000016fff01b8
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                                     00000000775a0650 12 bytes JMP 000000016fff0148
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                                     000000007761acf0 1 byte JMP 000000016fff0180
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\kernel32.dll!CreateProcessA + 2                                                                                 000000007761acf2 5 bytes {JMP 0xfffffffff89d5490}
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                     000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                              000007fefe3a22cc 5 bytes JMP 000007fffd3f0260
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                000007fefe3a24c0 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                               000007fefe3a5bf0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                             000007fefe3a8398 9 bytes JMP 000007fffd3f01f0
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                             000007fefe3a89d8 9 bytes JMP 000007fffd3f01b8
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!GetPixel                                                                                              000007fefe3a9344 5 bytes JMP 000007fffd3f0228
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                            000007fefe3ab9f8 5 bytes JMP 000007fffd3f0340
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                000007fefe3ac8e0 5 bytes JMP 000007fffd3f0308
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                               000007fefdbea6f0 1 byte JMP 000007fffd3f0180
.text     C:\Windows\System32\svchost.exe[1032] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2                                                                           000007fefdbea6f2 5 bytes {JMP 0xffffffffff805a90}
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                          00000000776c3b10 5 bytes JMP 000000016fff0110
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                            00000000776c7ac0 5 bytes JMP 000000016fff0d50
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                               00000000776f13a0 8 bytes JMP 000000016fff00d8
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                    00000000776f1570 8 bytes JMP 000000016fff0a78
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                            00000000776f15e0 8 bytes JMP 000000016fff0c00
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                         00000000776f1620 8 bytes JMP 000000016fff0b90
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                               00000000776f16c0 8 bytes JMP 000000016fff0c38
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                       00000000776f1750 8 bytes JMP 000000016fff0b58
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                        00000000776f1790 8 bytes JMP 000000016fff0998
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                     00000000776f17e0 8 bytes JMP 000000016fff09d0
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                          00000000776f1800 8 bytes JMP 000000016fff0bc8
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                     00000000776f19f0 8 bytes JMP 000000016fff0d18
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                             00000000776f1b00 8 bytes JMP 000000016fff0960
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                         00000000776f1bd0 8 bytes JMP 000000016fff0ab0
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                            00000000776f1d20 8 bytes JMP 000000016fff0c70
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                      00000000776f1d30 8 bytes JMP 000000016fff0ce0
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                          00000000776f20a0 8 bytes JMP 000000016fff0ae8
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                 00000000776f2130 8 bytes JMP 000000016fff0ca8
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                00000000776f29a0 8 bytes JMP 000000016fff0b20
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                      00000000776f2a20 8 bytes JMP 000000016fff0a08
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                  00000000776f2aa0 8 bytes JMP 000000016fff0a40
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                     000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                              000007fefe3a22cc 5 bytes JMP 000007fffd3f0260
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                000007fefe3a24c0 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                               000007fefe3a5bf0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                             000007fefe3a8398 9 bytes JMP 000007fffd3f01f0
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                             000007fefe3a89d8 9 bytes JMP 000007fffd3f01b8
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!GetPixel                                                                                              000007fefe3a9344 5 bytes JMP 000007fffd3f0228
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                            000007fefe3ab9f8 5 bytes JMP 000007fffd3f0340
.text     C:\Windows\system32\svchost.exe[1064] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                000007fefe3ac8e0 5 bytes JMP 000007fffd3f0308
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                          00000000776c3b10 5 bytes JMP 000000016fff0110
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                            00000000776c7ac0 5 bytes JMP 000000016fff0d50
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                               00000000776f13a0 8 bytes JMP 000000016fff00d8
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                    00000000776f1570 8 bytes JMP 000000016fff0a78
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                            00000000776f15e0 8 bytes JMP 000000016fff0c00
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                         00000000776f1620 8 bytes JMP 000000016fff0b90
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                               00000000776f16c0 8 bytes JMP 000000016fff0c38
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                       00000000776f1750 8 bytes JMP 000000016fff0b58
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                        00000000776f1790 8 bytes JMP 000000016fff0998
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                     00000000776f17e0 8 bytes JMP 000000016fff09d0
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                          00000000776f1800 8 bytes JMP 000000016fff0bc8
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                     00000000776f19f0 8 bytes JMP 000000016fff0d18
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                             00000000776f1b00 8 bytes JMP 000000016fff0960
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                         00000000776f1bd0 8 bytes JMP 000000016fff0ab0
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                            00000000776f1d20 8 bytes JMP 000000016fff0c70
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                      00000000776f1d30 8 bytes JMP 000000016fff0ce0
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                          00000000776f20a0 8 bytes JMP 000000016fff0ae8
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                 00000000776f2130 8 bytes JMP 000000016fff0ca8
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                00000000776f29a0 8 bytes JMP 000000016fff0b20
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                      00000000776f2a20 8 bytes JMP 000000016fff0a08
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                  00000000776f2aa0 8 bytes JMP 000000016fff0a40
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW                                                                               00000000775898e0 12 bytes JMP 000000016fff01b8
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\kernel32.dll!CreateProcessW                                                                                     00000000775a0650 12 bytes JMP 000000016fff0148
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\kernel32.dll!CreateProcessA                                                                                     000000007761acf0 1 byte JMP 000000016fff0180
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\kernel32.dll!CreateProcessA + 2                                                                                 000000007761acf2 5 bytes {JMP 0xfffffffff89d5490}
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                     000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx                                                                                000007fefdab3e80 5 bytes JMP 000007fffd3f01b8
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                              000007fefe3a22cc 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                000007fefe3a24c0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                               000007fefe3a5bf0 5 bytes JMP 000007fffd3f0308
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                             000007fefe3a8398 9 bytes JMP 000007fffd3f0228
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                             000007fefe3a89d8 9 bytes JMP 000007fffd3f01f0
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!GetPixel                                                                                              000007fefe3a9344 5 bytes JMP 000007fffd3f0260
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                            000007fefe3ab9f8 5 bytes JMP 000007fffd3f0378
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                000007fefe3ac8e0 5 bytes JMP 000007fffd3f0340
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA                                                                               000007fefdbea6f0 1 byte JMP 000007fffd3f0180
.text     C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA + 2                                                                           000007fefdbea6f2 5 bytes {JMP 0xffffffffff805a90}
.text     C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                     000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                              000007fefe3a22cc 5 bytes JMP 000007fffd3f0260
.text     C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                000007fefe3a24c0 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                               000007fefe3a5bf0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                             000007fefe3a8398 9 bytes JMP 000007fffd3f01f0
.text     C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                             000007fefe3a89d8 9 bytes JMP 000007fffd3f01b8
.text     C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!GetPixel                                                                                              000007fefe3a9344 5 bytes JMP 000007fffd3f0228
.text     C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                            000007fefe3ab9f8 5 bytes JMP 000007fffd3f0340
.text     C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                000007fefe3ac8e0 5 bytes JMP 000007fffd3f0308
.text     C:\Program Files\HitmanPro\hmpsched.exe[1364] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                             000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Program Files\HitmanPro\hmpsched.exe[1364] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                      000007fefe3a22cc 5 bytes JMP 000007fffd3f0260
.text     C:\Program Files\HitmanPro\hmpsched.exe[1364] C:\Windows\system32\GDI32.dll!BitBlt                                                                                        000007fefe3a24c0 5 bytes JMP 000007fffd3f0298
.text     C:\Program Files\HitmanPro\hmpsched.exe[1364] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                       000007fefe3a5bf0 5 bytes JMP 000007fffd3f02d0
.text     C:\Program Files\HitmanPro\hmpsched.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                     000007fefe3a8398 9 bytes JMP 000007fffd3f01f0
.text     C:\Program Files\HitmanPro\hmpsched.exe[1364] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                     000007fefe3a89d8 9 bytes JMP 000007fffd3f01b8
.text     C:\Program Files\HitmanPro\hmpsched.exe[1364] C:\Windows\system32\GDI32.dll!GetPixel                                                                                      000007fefe3a9344 5 bytes JMP 000007fffd3f0228
.text     C:\Program Files\HitmanPro\hmpsched.exe[1364] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                    000007fefe3ab9f8 5 bytes JMP 000007fffd3f0340
.text     C:\Program Files\HitmanPro\hmpsched.exe[1364] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                        000007fefe3ac8e0 5 bytes JMP 000007fffd3f0308
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                         00000000776c3b10 5 bytes JMP 000000016fff0110
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                           00000000776c7ac0 5 bytes JMP 000000016fff0d50
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                              00000000776f13a0 8 bytes JMP 000000016fff00d8
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                   00000000776f1570 8 bytes JMP 000000016fff0a78
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                           00000000776f15e0 8 bytes JMP 000000016fff0c00
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                        00000000776f1620 8 bytes JMP 000000016fff0b90
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                              00000000776f16c0 8 bytes JMP 000000016fff0c38
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                      00000000776f1750 8 bytes JMP 000000016fff0b58
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                       00000000776f1790 8 bytes JMP 000000016fff0998
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                    00000000776f17e0 8 bytes JMP 000000016fff09d0
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                         00000000776f1800 8 bytes JMP 000000016fff0bc8
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                    00000000776f19f0 8 bytes JMP 000000016fff0d18
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                            00000000776f1b00 8 bytes JMP 000000016fff0960
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                        00000000776f1bd0 8 bytes JMP 000000016fff0ab0
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                           00000000776f1d20 8 bytes JMP 000000016fff0c70
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                     00000000776f1d30 8 bytes JMP 000000016fff0ce0
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                         00000000776f20a0 8 bytes JMP 000000016fff0ae8
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                00000000776f2130 8 bytes JMP 000000016fff0ca8
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                               00000000776f29a0 8 bytes JMP 000000016fff0b20
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                     00000000776f2a20 8 bytes JMP 000000016fff0a08
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                 00000000776f2aa0 8 bytes JMP 000000016fff0a40
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                    000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                             000007fefe3a22cc 5 bytes JMP 000007fffd3f0260
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\system32\GDI32.dll!BitBlt                                                                                               000007fefe3a24c0 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                              000007fefe3a5bf0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                            000007fefe3a8398 9 bytes JMP 000007fffd3f01f0
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                            000007fefe3a89d8 9 bytes JMP 000007fffd3f01b8
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\system32\GDI32.dll!GetPixel                                                                                             000007fefe3a9344 5 bytes JMP 000007fffd3f0228
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                           000007fefe3ab9f8 5 bytes JMP 000007fffd3f0340
.text     C:\Windows\system32\atieclxx.exe[1412] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                               000007fefe3ac8e0 5 bytes JMP 000007fffd3f0308
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                          00000000776c3b10 5 bytes JMP 000000016fff0110
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                            00000000776c7ac0 5 bytes JMP 000000016fff0d50
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                               00000000776f13a0 8 bytes JMP 000000016fff00d8
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                    00000000776f1570 8 bytes JMP 000000016fff0a78
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                            00000000776f15e0 8 bytes JMP 000000016fff0c00
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                         00000000776f1620 8 bytes JMP 000000016fff0b90
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                               00000000776f16c0 8 bytes JMP 000000016fff0c38
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                       00000000776f1750 8 bytes JMP 000000016fff0b58
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                        00000000776f1790 8 bytes JMP 000000016fff0998
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                     00000000776f17e0 8 bytes JMP 000000016fff09d0
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                          00000000776f1800 8 bytes JMP 000000016fff0bc8
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                     00000000776f19f0 8 bytes JMP 000000016fff0d18
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                             00000000776f1b00 8 bytes JMP 000000016fff0960
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                         00000000776f1bd0 8 bytes JMP 000000016fff0ab0
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                            00000000776f1d20 8 bytes JMP 000000016fff0c70
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                      00000000776f1d30 8 bytes JMP 000000016fff0ce0
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                          00000000776f20a0 8 bytes JMP 000000016fff0ae8
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                 00000000776f2130 8 bytes JMP 000000016fff0ca8
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                00000000776f29a0 8 bytes JMP 000000016fff0b20
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                      00000000776f2a20 8 bytes JMP 000000016fff0a08
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                  00000000776f2aa0 8 bytes JMP 000000016fff0a40
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                     000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                              000007fefe3a22cc 5 bytes JMP 000007fffd3f0260
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                000007fefe3a24c0 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                               000007fefe3a5bf0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\system32\GDI32.dll!CreateDCW                                                                                             000007fefe3a8398 9 bytes JMP 000007fffd3f01f0
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\system32\GDI32.dll!CreateDCA                                                                                             000007fefe3a89d8 9 bytes JMP 000007fffd3f01b8
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\system32\GDI32.dll!GetPixel                                                                                              000007fefe3a9344 5 bytes JMP 000007fffd3f0228
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\system32\GDI32.dll!StretchBlt                                                                                            000007fefe3ab9f8 5 bytes JMP 000007fffd3f0340
.text     C:\Windows\System32\spoolsv.exe[1668] C:\Windows\system32\GDI32.dll!PlgBlt                                                                                                000007fefe3ac8e0 5 bytes JMP 000007fffd3f0308
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                                          00000000776c3b10 5 bytes JMP 000000016fff0110
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                                            00000000776c7ac0 5 bytes JMP 000000016fff0d50
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtClose                                                                                               00000000776f13a0 8 bytes JMP 000000016fff00d8
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                                    00000000776f1570 8 bytes JMP 000000016fff0a78
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile                                                                                            00000000776f15e0 8 bytes JMP 000000016fff0c00
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection                                                                                         00000000776f1620 8 bytes JMP 000000016fff0b90
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken                                                                               00000000776f16c0 8 bytes JMP 000000016fff0c38
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection                                                                                       00000000776f1750 8 bytes JMP 000000016fff0b58
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread                                                                                        00000000776f1790 8 bytes JMP 000000016fff0998
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread                                                                                     00000000776f17e0 8 bytes JMP 000000016fff09d0
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile                                                                                          00000000776f1800 8 bytes JMP 000000016fff0bc8
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort                                                                                     00000000776f19f0 8 bytes JMP 000000016fff0d18
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort                                                                             00000000776f1b00 8 bytes JMP 000000016fff0960
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort                                                                                         00000000776f1bd0 8 bytes JMP 000000016fff0ab0
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject                                                                            00000000776f1d20 8 bytes JMP 000000016fff0c70
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx                                                                                      00000000776f1d30 8 bytes JMP 000000016fff0ce0
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver                                                                                          00000000776f20a0 8 bytes JMP 000000016fff0ae8
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject                                                                                 00000000776f2130 8 bytes JMP 000000016fff0ca8
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation                                                                                00000000776f29a0 8 bytes JMP 000000016fff0b20
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem                                                                                      00000000776f2a20 8 bytes JMP 000000016fff0a08
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl                                                                                  00000000776f2aa0 8 bytes JMP 000000016fff0a40
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters                                                                     000007fefd5753c0 7 bytes JMP 000007fffd3f0148
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx                                                                                000007fefdab3e80 5 bytes JMP 000007fffd3f01b8
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!DeleteDC                                                                                              000007fefe3a22cc 5 bytes JMP 000007fffd3f0298
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!BitBlt                                                                                                000007fefe3a24c0 5 bytes JMP 000007fffd3f02d0
.text     C:\Windows\system32\svchost.exe[1696] C:\Windows\system32\GDI32.dll!MaskBlt                                                                                               000007fefe3a5bf0 5 bytes JMP 000007fffd3f0308