Sinith Posted January 3, 2015 ID:925912 Share Posted January 3, 2015 Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 03-01-2015 03Ran by Nith (administrator) on NITH-PC on 03-01-2015 14:35:33Running from C:\Users\Nith\DownloadsLoaded Profile: Nith (Available profiles: Nith)Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)Internet Explorer Version 11 (Default browser: Chrome)Boot Mode: NormalTutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe(Akamai Technologies, Inc.) C:\Users\Nith\AppData\Local\Akamai\netsession_win.exe(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe(Supra) C:\Supra\ActiveKeyPCSyncClient\AKeyPCSyncApp.exe(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe(Akamai Technologies, Inc.) C:\Users\Nith\AppData\Local\Akamai\netsession_win.exe(Logitech Inc.) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe() C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE(Yahoo! Inc.) C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe(Yahoo! Inc.) C:\Program Files (x86)\Yahoo!\Messenger\Ymsgr_tray.exe(Microsoft Corporation) C:\Windows\System32\dllhost.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7560296 2011-12-12] (Realtek Semiconductor)HKLM\...\Run: [intelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)HKLM\...\Run: [Nvtmru] => "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"HKLM\...\Run: [shadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStartHKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2460488 2014-09-16] (NVIDIA Corporation)HKLM-x32\...\Run: [iAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)HKLM-x32\...\Run: [uSB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-04] (Intel Corporation)HKLM-x32\...\Run: [NCUpdateHelper] => C:\Program Files (x86)\NCWest\NCLauncher\NCUpdateHelper.exeHKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-13] (Logitech Inc.)HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3890208 2014-08-08] (AVAST Software)HKLM-x32\...\Run: [indexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46368 2010-03-09] (Nuance Communications, Inc.)HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [29984 2010-03-09] (Nuance Communications, Inc.)HKLM-x32\...\Run: [PPort12reminder] => C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe [328992 2010-02-09] (Nuance Communications, Inc.)HKLM-x32\...\Run: [PDFHook] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe [636192 2010-03-05] (Nuance Communications, Inc.)HKLM-x32\...\Run: [PDF5 Registry Controller] => C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe [62752 2010-03-05] (Nuance Communications, Inc.)HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [143360 2012-09-06] (Brother Industries, Ltd.)HKLM-x32\...\Run: [brStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [3076096 2012-06-06] (Brother Industries, Ltd.)HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)HKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Nith\AppData\Local\Akamai\netsession_win.exe [4673432 2014-10-29] (Akamai Technologies, Inc.)HKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\Run: [steam] => C:\Program Files (x86)\Steam\steam.exe [1940160 2014-11-18] (Valve Corporation)HKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\Run: [msnmsgr] => "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /backgroundHKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\Run: [iSUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)HKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\Run: [cdloader] => C:\Users\Nith\AppData\Roaming\mjusbsp\cdloader2.exe [51592 2013-05-06] (magicJack L.P.)HKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\Run: [Messenger (Yahoo!)] => C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe [6595928 2012-05-25] (Yahoo! Inc.)HKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\MountPoints2: {00aada10-f2ef-11e1-a100-806e6f6e6963} - D:\Bin\ASSETUP.exeHKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\MountPoints2: {55958e33-5ad3-11e2-8ac6-10bf48884d75} - E:\iStudio.exeStartup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ActiveKEY PCSync.lnkShortcutTarget: ActiveKEY PCSync.lnk -> C:\Windows\Installer\{1D987899-B4FF-4F13-B55E-76AF134951AB}\Startup.Folder_AKe_49A142B0F8A84D9481540579FB7083B4.exe (Flexera Software LLC)ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) ProxyServer: [s-1-5-21-361318840-2708508044-1232436765-1000] => http=127.0.0.1:49247;https=127.0.0.1:49247URLSearchHook: HKU\S-1-5-21-361318840-2708508044-1232436765-1000 - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll No FileSearchScopes: HKU\S-1-5-21-361318840-2708508044-1232436765-1000 -> DefaultScope {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://www.bing.com/search?FORM=U218DF&PC=U218&q={searchTerms}&src=IE-SearchBoxSearchScopes: HKU\S-1-5-21-361318840-2708508044-1232436765-1000 -> 358F5F3A8D074F7B9683E7EA06EE3FFE URL = http://search.yahoo.com/search?p={searchTerms}&fr=mkg028SearchScopes: HKU\S-1-5-21-361318840-2708508044-1232436765-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKU\S-1-5-21-361318840-2708508044-1232436765-1000 -> {33B368EE-CBB1-49FB-A1A5-2957BC381457} URL = http://www.search.ask.com/web?tpid=ORJ&o=100000031&pf=V5&p2=%5ETV%5EOSJ000%5EYY%5EUS&gct=&itbv=12.10.3.24&apn_uid=9F9A46B7-72A2-4E2B-AE81-522CB709090A&apn_ptnrs=%5ETV&apn_dtid=%5EOSJ000%5EYY%5EUS&apn_dbr=cr_24.0.1312.56&doi=2013-06-09&trgb=IE,CR&q={searchTerms}&psv=SearchScopes: HKU\S-1-5-21-361318840-2708508044-1232436765-1000 -> {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E} URL = http://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=FEEB8A5A3E06F870CA971850421B616F&q={searchTerms}SearchScopes: HKU\S-1-5-21-361318840-2708508044-1232436765-1000 -> {859AEACA-EA0E-45DB-9B8C-B67362AA98A2} URL = http://search.strtpoint.com/results.html?v=insMac&t=1411&ap=591080004&q={searchTerms}&r=462SearchScopes: HKU\S-1-5-21-361318840-2708508044-1232436765-1000 -> {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://www.bing.com/search?FORM=U218DF&PC=U218&q={searchTerms}&src=IE-SearchBoxBHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)BHO-x32: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)BHO-x32: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll (Zeon Corporation)BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No FileToolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No FileToolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)Toolbar: HKU\S-1-5-21-361318840-2708508044-1232436765-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No FileTcpip\Parameters: [DhcpNameServer] 192.168.1.254 FireFox:========FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_246.dll ()FF Plugin: @microsoft.com/GENUINE -> disabled No FileFF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_246.dll ()FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)FF Plugin-x32: @microsoft.com/GENUINE -> disabled No FileFF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No FileFF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FFFF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2012-08-30] Chrome: =======CHR Profile: C:\Users\Nith\AppData\Local\Google\Chrome\User Data\DefaultCHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Nith\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-24]CHR Extension: (WOT) - C:\Users\Nith\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2014-06-11]CHR Extension: (AdBlock) - C:\Users\Nith\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-06-19]CHR Extension: (Google Wallet) - C:\Users\Nith\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-05-09] ==================== Services (Whitelisted) ================= (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) S2 AKeyPCSyncService; C:\Supra\ActiveKeyPCSyncClient\AKeyPCSyncService.exe [327168 2013-07-01] (Supra) [File not signed]R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-05-09] (AVAST Software)R3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [File not signed]R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148744 2014-09-16] (NVIDIA Corporation)R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-07] (Intel Corporation)R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1795912 2014-09-16] (NVIDIA Corporation)R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19439944 2014-09-16] (NVIDIA Corporation)R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [144672 2010-03-09] (Nuance Communications, Inc.) ==================== Drivers (Whitelisted) ==================== (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.) R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-05-09] ()R1 aswKbd; C:\Windows\System32\Drivers\aswKbd.sys [22600 2013-05-09] (AVAST Software)R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-05-09] (AVAST Software)R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-05-09] (AVAST Software)R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-05-09] ()R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1039096 2014-05-15] (AVAST Software)R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [423240 2014-05-15] (AVAST Software)R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [85328 2014-05-15] (AVAST Software)R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [64288 2013-10-31] (AVAST Software)R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [208416 2014-05-09] ()S3 CMUSBDAC; C:\Windows\System32\DRIVERS\CMUSBDAC.sys [386560 2013-10-15] (C-Media Inc.)S3 ElgatoGC658Y; C:\Windows\System32\Drivers\ElgatoGC658.sys [50248 2012-04-18] (UB658)R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-01-03] (Malwarebytes Corporation)R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19272 2014-09-16] (NVIDIA Corporation)R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38048 2014-09-04] (NVIDIA Corporation)S3 PhSerUsb; C:\Windows\System32\DRIVERS\PhSerUsb.sys [69448 2013-07-01] (PHILOG) ==================== NetSvcs (Whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.) ==================== One Month Created Files and Folders ======== (If an entry is included in the fixlist, the file\folder will be moved.) 2015-01-03 14:35 - 2015-01-03 14:35 - 02123776 _____ (Farbar) C:\Users\Nith\Downloads\FRST64.exe2015-01-03 14:35 - 2015-01-03 14:35 - 00021343 _____ () C:\Users\Nith\Downloads\FRST.txt2015-01-03 14:35 - 2015-01-03 14:35 - 00000000 ____D () C:\FRST2015-01-03 11:45 - 2014-12-12 23:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe2015-01-03 11:45 - 2014-12-12 21:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe2015-01-03 11:40 - 2015-01-03 11:40 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Nith\Downloads\mbam-setup-2.0.4.1028.exe2015-01-03 11:37 - 2015-01-03 11:37 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task2015-01-03 11:13 - 2015-01-03 11:13 - 00321848 _____ (Malwarebytes Corporation) C:\Users\Nith\Downloads\mbam-clean-2.1.1.1001.exe2014-12-14 11:02 - 2014-12-14 11:02 - 00004428 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_71-b14.log2014-12-14 11:02 - 2014-12-14 11:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java2014-12-14 11:02 - 2014-09-26 18:42 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll2014-12-14 11:02 - 2014-09-26 18:36 - 00272808 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe2014-12-14 11:02 - 2014-09-26 18:36 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe2014-12-14 11:02 - 2014-09-26 18:35 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe2014-12-11 19:18 - 2014-12-12 10:16 - 00000000 ____D () C:\Users\Nith\AppData\Local\BoBrowser2014-12-11 19:17 - 2014-12-11 20:39 - 00000000 ____D () C:\Program Files (x86)\SourceApp2014-12-11 19:17 - 2014-12-11 19:17 - 00003486 _____ () C:\Windows\System32\Tasks\StartPoint2014-12-11 19:17 - 2014-12-11 19:17 - 00003480 _____ () C:\Windows\System32\Tasks\StartPoint Updater2014-12-11 19:17 - 2014-12-11 19:17 - 00000000 ____D () C:\Users\Nith\AppData\Local\StartPoint2014-12-10 17:00 - 2014-12-10 17:00 - 00000000 ____D () C:\Windows\system32\appraiser2014-12-10 16:56 - 2014-10-17 20:05 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll2014-12-10 16:56 - 2014-10-17 19:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll2014-12-10 16:56 - 2014-07-06 20:06 - 00206848 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll2014-12-10 16:56 - 2014-07-06 20:06 - 00055808 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe2014-12-10 16:56 - 2014-07-06 20:06 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe2014-12-10 16:56 - 2014-07-06 20:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll2014-12-10 16:56 - 2014-07-06 19:40 - 00103424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfps.dll2014-12-10 16:56 - 2014-07-06 19:39 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rrinstaller.exe2014-12-10 16:56 - 2014-07-06 19:39 - 00023040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfpmp.exe2014-12-10 16:56 - 2014-07-06 19:37 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mferror.dll2014-12-10 10:01 - 2014-12-10 10:01 - 00001305 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk2014-12-10 10:01 - 2014-12-10 10:01 - 00000000 ____D () C:\Windows\en2014-12-10 09:59 - 2014-12-10 09:59 - 00002170 _____ () C:\Users\Nith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Microsoft OneDrive.lnk2014-12-10 09:31 - 2014-12-03 20:50 - 00830976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll2014-12-10 09:31 - 2014-12-03 20:50 - 00741376 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll2014-12-10 09:31 - 2014-12-03 20:50 - 00413184 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll2014-12-10 09:31 - 2014-12-03 20:50 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll2014-12-10 09:31 - 2014-12-03 20:50 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll2014-12-10 09:31 - 2014-12-03 20:50 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll2014-12-10 09:31 - 2014-12-03 20:44 - 01083392 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll2014-12-10 09:31 - 2014-12-01 17:28 - 01232040 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe2014-12-10 09:31 - 2014-11-26 19:43 - 00389296 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll2014-12-10 09:31 - 2014-11-26 19:10 - 00342200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll2014-12-10 09:31 - 2014-11-21 21:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb2014-12-10 09:31 - 2014-11-21 21:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll2014-12-10 09:31 - 2014-11-21 20:49 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll2014-12-10 09:31 - 2014-11-21 20:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll2014-12-10 09:31 - 2014-11-21 20:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe2014-12-10 09:31 - 2014-11-21 20:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe2014-12-10 09:31 - 2014-11-21 20:22 - 19749376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll2014-12-10 09:31 - 2014-11-21 20:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb2014-12-10 09:31 - 2014-11-21 20:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll2014-12-10 09:31 - 2014-11-21 20:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll2014-12-10 09:31 - 2014-11-21 20:06 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll2014-12-10 09:31 - 2014-11-21 20:01 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll2014-12-10 09:31 - 2014-11-21 19:59 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll2014-12-10 09:31 - 2014-11-21 19:58 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll2014-12-10 09:31 - 2014-11-21 19:54 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll2014-12-10 09:31 - 2014-11-21 19:49 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe2014-12-10 09:31 - 2014-11-21 19:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll2014-12-10 09:31 - 2014-11-21 19:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll2014-12-10 09:31 - 2014-11-21 19:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll2014-12-10 09:31 - 2014-11-21 19:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll2014-12-10 09:31 - 2014-11-21 19:22 - 02052096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl2014-12-10 09:31 - 2014-11-21 19:15 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll2014-12-10 09:31 - 2014-11-21 18:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll2014-12-10 09:31 - 2014-11-21 18:54 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll2014-12-10 09:31 - 2014-11-10 21:09 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll2014-12-10 09:31 - 2014-11-10 20:44 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll2014-12-10 09:31 - 2014-11-10 19:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys2014-12-10 09:30 - 2014-11-21 21:13 - 25059840 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll2014-12-10 09:30 - 2014-11-21 20:50 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll2014-12-10 09:30 - 2014-11-21 20:50 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll2014-12-10 09:30 - 2014-11-21 20:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll2014-12-10 09:30 - 2014-11-21 20:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll2014-12-10 09:30 - 2014-11-21 20:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll2014-12-10 09:30 - 2014-11-21 20:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll2014-12-10 09:30 - 2014-11-21 20:34 - 06039552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll2014-12-10 09:30 - 2014-11-21 20:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll2014-12-10 09:30 - 2014-11-21 20:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll2014-12-10 09:30 - 2014-11-21 20:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll2014-12-10 09:30 - 2014-11-21 20:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll2014-12-10 09:30 - 2014-11-21 20:07 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll2014-12-10 09:30 - 2014-11-21 20:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll2014-12-10 09:30 - 2014-11-21 20:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll2014-12-10 09:30 - 2014-11-21 19:56 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll2014-12-10 09:30 - 2014-11-21 19:49 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll2014-12-10 09:30 - 2014-11-21 19:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll2014-12-10 09:30 - 2014-11-21 19:46 - 02125312 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl2014-12-10 09:30 - 2014-11-21 19:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll2014-12-10 09:30 - 2014-11-21 19:43 - 14412800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll2014-12-10 09:30 - 2014-11-21 19:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll2014-12-10 09:30 - 2014-11-21 19:29 - 04299264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll2014-12-10 09:30 - 2014-11-21 19:28 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll2014-12-10 09:30 - 2014-11-21 19:21 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll2014-12-10 09:30 - 2014-11-21 19:13 - 12836864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll2014-12-10 09:30 - 2014-11-21 19:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll2014-12-10 09:30 - 2014-11-21 19:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll2014-12-10 09:29 - 2014-11-07 21:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll2014-12-10 09:29 - 2014-11-07 20:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll2014-12-10 09:29 - 2014-10-29 20:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe2014-12-10 09:29 - 2014-10-29 19:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe2014-12-10 09:29 - 2014-10-02 20:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll2014-12-10 09:29 - 2014-10-02 20:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll2014-12-10 09:29 - 2014-10-02 20:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll2014-12-10 09:29 - 2014-10-02 20:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll2014-12-10 09:29 - 2014-10-02 20:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe2014-12-10 09:29 - 2014-10-02 19:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll2014-12-10 09:29 - 2014-10-02 19:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll2014-12-10 09:29 - 2014-10-02 19:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll2014-12-10 09:29 - 2014-10-02 19:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll2014-12-10 09:29 - 2014-10-02 19:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe ==================== One Month Modified Files and Folders ======= (If an entry is included in the fixlist, the file\folder will be moved.) 2015-01-03 14:03 - 2012-08-30 15:18 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job2015-01-03 13:50 - 2014-11-20 15:20 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys2015-01-03 13:48 - 2012-11-17 20:31 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job2015-01-03 13:34 - 2014-11-18 20:00 - 00000000 ____D () C:\Users\Nith\AppData\Roaming\Battle.net2015-01-03 13:34 - 2012-11-09 07:54 - 00000000 ____D () C:\Users\Nith\AppData\Roaming\Audacity2015-01-03 13:34 - 2012-09-01 00:03 - 00000000 ____D () C:\Users\Nith\AppData\Local\Akamai2015-01-03 13:34 - 2012-08-30 21:19 - 00000000 ____D () C:\ProgramData\Malwarebytes2015-01-03 13:34 - 2012-08-30 15:12 - 02014528 _____ () C:\Windows\WindowsUpdate.log2015-01-03 13:34 - 2011-04-12 02:28 - 00000000 ___RD () C:\Users\Public\Recorded TV2015-01-03 13:34 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\registration2015-01-03 12:49 - 2012-09-20 00:13 - 00000000 ____D () C:\Users\Nith\AppData\Local\CrashDumps2015-01-03 12:43 - 2012-08-30 15:18 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job2015-01-03 12:00 - 2009-07-13 22:45 - 00029120 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A02015-01-03 12:00 - 2009-07-13 22:45 - 00029120 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A02015-01-03 11:41 - 2014-11-20 15:20 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware2015-01-03 11:41 - 2014-11-20 15:20 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware2015-01-03 11:41 - 2014-07-30 09:19 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk2015-01-03 11:39 - 2013-09-10 19:21 - 00001966 _____ () C:\Users\Public\Desktop\avast! Free Antivirus.lnk2015-01-03 11:39 - 2012-08-30 21:23 - 00003924 _____ () C:\Windows\System32\Tasks\avast! Emergency Update2015-01-03 11:36 - 2012-09-10 22:55 - 00000000 ____D () C:\Program Files (x86)\Steam2015-01-03 11:36 - 2012-08-30 15:12 - 00000000 ____D () C:\Users\Nith2015-01-03 11:36 - 2009-07-13 22:51 - 00125423 _____ () C:\Windows\setupact.log2015-01-03 11:35 - 2013-09-22 17:59 - 00000000 ____D () C:\ProgramData\NVIDIA2015-01-03 11:35 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT2015-01-03 11:14 - 2014-11-18 20:00 - 00000000 ____D () C:\Users\Nith\AppData\Local\Battle.net2014-12-22 11:12 - 2014-08-28 19:47 - 00122880 ___SH () C:\Users\Nith\Desktop\Thumbs.db2014-12-14 11:03 - 2013-10-28 19:46 - 00000000 ____D () C:\ProgramData\Oracle2014-12-14 11:02 - 2012-09-03 21:01 - 00000000 ____D () C:\Program Files (x86)\Java2014-12-12 14:06 - 2012-08-30 15:19 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk2014-12-12 14:00 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\rescache2014-12-11 20:39 - 2010-11-20 21:47 - 01076836 _____ () C:\Windows\PFRO.log2014-12-11 19:27 - 2009-07-13 20:34 - 00000505 _____ () C:\Windows\win.ini2014-12-11 19:20 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\Cursors2014-12-11 10:50 - 2012-10-31 22:28 - 00000000 ____D () C:\Users\Nith\AppData\Roaming\HandBrake2014-12-10 19:38 - 2009-07-13 23:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI2014-12-10 17:08 - 2013-10-18 12:16 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk2014-12-10 17:00 - 2014-05-06 08:43 - 00000000 ___SD () C:\Windows\system32\CompatTel2014-12-10 17:00 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\PolicyDefinitions2014-12-10 17:00 - 2009-07-13 21:20 - 00000000 ____D () C:\Windows\AppCompat2014-12-10 16:58 - 2013-08-14 09:47 - 00000000 ____D () C:\Windows\system32\MRT2014-12-10 16:57 - 2012-08-31 08:44 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe2014-12-10 11:48 - 2012-11-17 20:31 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe2014-12-10 11:48 - 2012-11-17 20:31 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl2014-12-10 11:48 - 2012-11-17 20:31 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater2014-12-10 10:01 - 2012-11-10 20:57 - 00001374 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Gallery.lnk2014-12-10 10:01 - 2012-11-10 20:56 - 00000000 ____D () C:\Program Files (x86)\Windows Live2014-12-10 09:59 - 2012-09-03 20:16 - 00075488 _____ () C:\Windows\DirectX.log2014-12-04 15:08 - 2014-11-18 20:10 - 00000000 ____D () C:\Program Files (x86)\Hearthstone Some content of TEMP:====================C:\Users\Nith\AppData\Local\Temp\6_Offer_14.exeC:\Users\Nith\AppData\Local\Temp\APNStub.exeC:\Users\Nith\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp5z_wq8.dllC:\Users\Nith\AppData\Local\Temp\f4f2a446-6cf6-458d-b85a-dcb16e8ac472.exeC:\Users\Nith\AppData\Local\Temp\Gw2.exeC:\Users\Nith\AppData\Local\Temp\handbrake-setup.exeC:\Users\Nith\AppData\Local\Temp\ICReinstall_PMB_update.exeC:\Users\Nith\AppData\Local\Temp\install_reader11_en_mssd_aaa_aih.exeC:\Users\Nith\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exeC:\Users\Nith\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exeC:\Users\Nith\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exeC:\Users\Nith\AppData\Local\Temp\nvSCPAPI.dllC:\Users\Nith\AppData\Local\Temp\nvStInst.exeC:\Users\Nith\AppData\Local\Temp\setup-Jutera_US_pscombined-bunndle-cb-1.1-x86x64_20120808.exeC:\Users\Nith\AppData\Local\Temp\setup.exeC:\Users\Nith\AppData\Local\Temp\SkypeSetup.exeC:\Users\Nith\AppData\Local\Temp\SRLDetectionLibrary4499449633615757549.dllC:\Users\Nith\AppData\Local\Temp\startpoint_1.exeC:\Users\Nith\AppData\Local\Temp\startup.exeC:\Users\Nith\AppData\Local\Temp\swt-win32-3349.dllC:\Users\Nith\AppData\Local\Temp\swt-win32-3740.dllC:\Users\Nith\AppData\Local\Temp\System.Data.SQLite.dllC:\Users\Nith\AppData\Local\Temp\System.Data.SQLite32471.dllC:\Users\Nith\AppData\Local\Temp\vcredist_x64.exeC:\Users\Nith\AppData\Local\Temp\winzipdusetup.exeC:\Users\Nith\AppData\Local\Temp\_is2818.exeC:\Users\Nith\AppData\Local\Temp\_is3616.exeC:\Users\Nith\AppData\Local\Temp\_is4568.exeC:\Users\Nith\AppData\Local\Temp\_is4628.exeC:\Users\Nith\AppData\Local\Temp\_isA6DB.exeC:\Users\Nith\AppData\Local\Temp\_isAD6A.exeC:\Users\Nith\AppData\Local\Temp\_isD10D.exeC:\Users\Nith\AppData\Local\Temp\_isED0C.exe ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) C:\Windows\System32\winlogon.exe => File is digitally signedC:\Windows\System32\wininit.exe => File is digitally signedC:\Windows\SysWOW64\wininit.exe => File is digitally signedC:\Windows\explorer.exe => File is digitally signedC:\Windows\SysWOW64\explorer.exe => File is digitally signedC:\Windows\System32\svchost.exe => File is digitally signedC:\Windows\SysWOW64\svchost.exe => File is digitally signedC:\Windows\System32\services.exe => File is digitally signedC:\Windows\System32\User32.dll => File is digitally signedC:\Windows\SysWOW64\User32.dll => File is digitally signedC:\Windows\System32\userinit.exe => File is digitally signedC:\Windows\SysWOW64\userinit.exe => File is digitally signedC:\Windows\System32\rpcss.dll => File is digitally signedC:\Windows\System32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2014-12-06 11:23 ==================== End Of Log ============================ Additional scan result of Farbar Recovery Scan Tool (x64) Version: 03-01-2015 03Ran by Nith at 2015-01-03 14:35:50Running from C:\Users\Nith\DownloadsBoot Mode: Normal========================================================== ==================== Security Center ======================== (If an entry is included in the fixlist, it will be removed.) AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736} ==================== Installed Programs ====================== (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) ActiveKeyPCSyncClient_X64 (HKLM\...\{1D987899-B4FF-4F13-B55E-76AF134951AB}) (Version: 4.5.1.443 - Supra)Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.246 - Adobe Systems Incorporated)Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.246 - Adobe Systems Incorporated)Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)Akamai NetSession Interface (HKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\Akamai) (Version: - Akamai Technologies, Inc)Any Video Converter 3.5.8 (HKLM-x32\...\Any Video Converter_is1) (Version: - Any-Video-Converter.com)Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)Audacity 2.0.2 (HKLM-x32\...\Audacity_is1) (Version: 2.0.2 - Audacity Team)avast! Free Antivirus (HKLM-x32\...\avast) (Version: 9.0.2018 - Avast Software)Battle.net (HKLM-x32\...\Battle.net) (Version: - Blizzard Entertainment)Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)Brother MFL-Pro Suite MFC-7860DW (HKLM-x32\...\{3ACCCFB3-7B17-4E9F-ACB0-46868FCD4487}) (Version: 1.1.3.0 - Brother Industries, Ltd.)CameraHelperMsi (x32 Version: 13.51.815.0 - Logitech) HiddenCounter-Strike: Global Offensive (HKLM-x32\...\Steam App 730) (Version: - )D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) HiddenDropbox (HKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\Dropbox) (Version: 2.6.24 - Dropbox, Inc.)Elgato Game Capture HD (HKLM-x32\...\{DD53097D-888B-4531-AB3E-6C08237A1D9B}) (Version: 1.33.0.419 - Elgato Systems GmbH)erLT (x32 Version: 1.20.138.34 - Logitech, Inc.) HiddenFraps (remove only) (HKLM-x32\...\Fraps) (Version: - )Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)Google Drive (HKLM-x32\...\{C60F3836-333A-4AE2-B526-CFDBA143A9BA}) (Version: 1.18.7821.2489 - Google, Inc.)Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) HiddenHandBrake 0.9.8 (HKLM-x32\...\HandBrake) (Version: 0.9.8 - )HD Tune 2.55 (HKLM-x32\...\HD Tune_is1) (Version: - EFD Software)Hearthstone (HKLM-x32\...\Hearthstone) (Version: - Blizzard Entertainment)Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.2.1410 - Intel Corporation)Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.0.0.1032 - Intel Corporation)Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.1.209 - Intel Corporation)Intel® Trusted Connect Service Client (HKLM\...\{09536BA1-E498-4CC3-B834-D884A67D7E34}) (Version: 1.23.605.1 - Intel Corporation)Intel® Watchdog Timer Driver (Intel® WDT) (HKLM-x32\...\{3FD0C489-0F02-481a-A3E1-9754CD396761}) (Version: - Intel Corporation)iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)Java 7 Update 71 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217045FF}) (Version: 7.0.710 - Oracle)LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version: - )League of Legends (HKLM-x32\...\League of Legends 3.0.0) (Version: 3.0.0 - Riot Games)League of Legends (x32 Version: 3.0.0 - Riot Games) HiddenLogitech Webcam Software (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.51 - Logitech Inc.)magicJack (HKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\magicJack) (Version: 3.1.6970.4873 - magicJack L.P.)Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)Microsoft ASP.NET MVC 4 Runtime (HKLM-x32\...\{3FE312D5-B862-40CE-8E4E-A6D8ABF62736}) (Version: 4.0.40804.0 - Microsoft Corporation)Microsoft IntelliPoint 8.2 (HKLM\...\Microsoft IntelliPoint 8.2) (Version: 8.20.468.0 - Microsoft Corporation)Microsoft OneDrive (HKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\OneDriveSetup.exe) (Version: 17.0.4035.0328 - Microsoft Corporation)Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)Movie Maker (x32 Version: 16.4.3528.0331 - Microsoft Corporation) HiddenMSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)NCSOFT Game Launcher (HKLM-x32\...\NCLauncher_NCWest) (Version: - NCSOFT)Nuance PaperPort 12 (HKLM-x32\...\{6C0A559F-8583-4B5A-8B50-20BEE15D8E64}) (Version: 12.1.0000 - Nuance Communications, Inc.)Nuance PDF Viewer Plus (HKLM-x32\...\{28656860-4728-433C-8AD4-D1A930437BC8}) (Version: 5.30.3290 - Nuance Communications, Inc)NVIDIA 3D Vision Controller Driver 344.11 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 344.11 - NVIDIA Corporation)NVIDIA 3D Vision Driver 344.11 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 344.11 - NVIDIA Corporation)NVIDIA GeForce Experience 2.1.2 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.1.2 - NVIDIA Corporation)NVIDIA Graphics Driver 344.11 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 344.11 - NVIDIA Corporation)NVIDIA HD Audio Driver 1.3.32.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.32.1 - NVIDIA Corporation)NVIDIA PhysX System Software 9.14.0702 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.14.0702 - NVIDIA Corporation)PaperPort Image Printer 64-bit (HKLM\...\{715CAACC-579B-4831-A5F4-A83A8DE3EFE2}) (Version: 1.00.0001 - Nuance Communications, Inc.)Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.49.927.2011 - Realtek)Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6526 - Realtek Semiconductor Corp.)Scansoft PDF Professional (x32 Version: - ) HiddenSHIELD Streaming (Version: 3.1.200 - NVIDIA Corporation) HiddenSHIELD Wireless Controller Driver (Version: 16.13.42 - NVIDIA Corporation) HiddenSpore (HKLM-x32\...\Steam App 17390) (Version: - Maxis™)Spore: Galactic Adventures (HKLM-x32\...\Steam App 24720) (Version: - EA - Maxis)Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)System Requirements Lab CYRI (HKLM-x32\...\{F3FCB08B-E752-444D-86A0-0634A4F3B23D}) (Version: 6.0.8.0 - Husdawg, LLC)The Walking Dead (HKLM-x32\...\Steam App 207610) (Version: - )The Walking Dead: Season Two (HKLM-x32\...\Steam App 261030) (Version: - Telltale Games)Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)Yahoo! Messenger (HKLM-x32\...\Yahoo! Messenger) (Version: - Yahoo! Inc.)Yahoo! Software Update (HKLM-x32\...\Yahoo! Software Update) (Version: - )Yahoo! Toolbar (HKLM-x32\...\Yahoo! Companion) (Version: - Yahoo! Inc.) ==================== Custom CLSID (selected items): ========================== (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.) CustomCLSID: HKU\S-1-5-21-361318840-2708508044-1232436765-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\Nith\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64\SkyDriveShell64.dll (Microsoft Corporation)CustomCLSID: HKU\S-1-5-21-361318840-2708508044-1232436765-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\Nith\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64\SkyDriveShell64.dll (Microsoft Corporation)CustomCLSID: HKU\S-1-5-21-361318840-2708508044-1232436765-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\Nith\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64\SkyDriveShell64.dll (Microsoft Corporation)CustomCLSID: HKU\S-1-5-21-361318840-2708508044-1232436765-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\Nith\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64\SkyDriveShell64.dll (Microsoft Corporation)CustomCLSID: HKU\S-1-5-21-361318840-2708508044-1232436765-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\Nith\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64\FileSyncApi64.dll (Microsoft Corporation)CustomCLSID: HKU\S-1-5-21-361318840-2708508044-1232436765-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Nith\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)CustomCLSID: HKU\S-1-5-21-361318840-2708508044-1232436765-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Nith\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)CustomCLSID: HKU\S-1-5-21-361318840-2708508044-1232436765-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Nith\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)CustomCLSID: HKU\S-1-5-21-361318840-2708508044-1232436765-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Nith\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.) ==================== Restore Points ========================= 16-12-2014 09:57:51 Windows Update18-12-2014 21:00:21 Windows Update23-12-2014 10:20:19 Windows Update26-12-2014 11:17:27 Windows Update30-12-2014 11:27:47 Windows Update03-01-2015 11:36:59 avast! antivirus system restore point03-01-2015 11:55:26 Windows Update ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2009-07-13 20:34 - 2009-06-10 15:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts ==================== Scheduled Tasks (whitelisted) ============= (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.) Task: {310EFA1B-23B0-4B1B-92A7-D24BE8801F8B} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-10] (Adobe Systems Incorporated)Task: {89AE31B3-99B4-45F0-893E-46E07F50532E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-19] (Google Inc.)Task: {BB6FA46A-607B-4AE3-9C1D-203B5EB74F2F} - System32\Tasks\StartPoint Updater => C:\Users\Nith\AppData\Local\StartPoint\startpoint\1.3.17.3\startup.exeTask: {C769FF86-D197-461F-A900-33CACA265BEA} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2014-05-09] (AVAST Software)Task: {D2CB8008-2484-4455-8418-EC305213B6AC} - System32\Tasks\StartPoint => C:\Users\Nith\AppData\Local\StartPoint\startpoint\1.3.17.3\startpoint.exeTask: {D4F05122-A9EC-4E00-B777-0A34C698B368} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)Task: {DFAAF2AA-C980-4768-A52E-B8F949C11041} - System32\Tasks\{BCDF2C61-1941-4C40-832F-8F6AD722876A} => Chrome.exe http://ui.skype.com/ui/0/6.6.0.106/en/abandoninstall?page=tsProgressBarTask: {E6B516C0-0B31-4484-9FFF-BAD2D8818C7D} - \BrowserSafeguard Update Task No Task File <==== ATTENTIONTask: {EE8631E2-C5BD-49F4-9474-BE49C375A7E9} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-19] (Google Inc.)Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exeTask: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exeTask: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe ==================== Loaded Modules (whitelisted) ============= 2013-09-22 17:59 - 2014-09-13 15:53 - 00116880 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll2012-09-13 00:38 - 2012-09-13 00:38 - 00264040 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe2013-12-23 20:05 - 2005-04-21 22:36 - 00143360 ____R () C:\Windows\system32\BrSNMP64.dll2015-01-03 11:40 - 2015-01-03 11:40 - 02909696 _____ () C:\Program Files\AVAST Software\Avast\defs\15010301\algo.dll2014-09-01 12:16 - 2014-11-11 12:48 - 01171456 _____ () C:\Program Files (x86)\Steam\libavcodec-56.dll2014-09-01 12:16 - 2014-11-11 12:48 - 00442368 _____ () C:\Program Files (x86)\Steam\libavutil-54.dll2014-09-01 12:16 - 2014-11-11 12:48 - 00332800 _____ () C:\Program Files (x86)\Steam\libavresample-2.dll2013-03-12 16:10 - 2014-11-11 12:47 - 00774656 _____ () C:\Program Files (x86)\Steam\SDL2.dll2014-05-24 07:50 - 2014-11-18 14:23 - 02227904 _____ () C:\Program Files (x86)\Steam\video.dll2014-09-01 12:16 - 2014-11-11 12:48 - 00403968 _____ () C:\Program Files (x86)\Steam\libavformat-56.dll2014-09-01 12:16 - 2014-11-11 12:48 - 00485888 _____ () C:\Program Files (x86)\Steam\libswscale-3.dll2012-09-10 22:57 - 2014-11-18 14:23 - 00690880 _____ () C:\Program Files (x86)\Steam\bin\chromehtml.DLL2012-09-13 00:38 - 2012-09-13 00:38 - 02144104 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtCore4.dll2012-09-13 00:38 - 2012-09-13 00:38 - 07955304 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtGui4.dll2012-09-13 00:38 - 2012-09-13 00:38 - 00341352 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtXml4.dll2012-09-13 00:38 - 2012-09-13 00:38 - 00028008 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QGif4.dll2012-09-13 00:38 - 2012-09-13 00:38 - 00127336 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QJpeg4.dll2013-12-18 21:10 - 2013-12-18 21:10 - 19336120 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll2014-09-03 14:07 - 2009-02-27 15:38 - 00139264 ____R () C:\Program Files (x86)\Brother\BrUtilities\BrLogAPI.dll2014-10-11 13:06 - 2014-10-11 13:06 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll2014-10-11 13:05 - 2014-10-11 13:05 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll2012-09-13 00:39 - 2012-09-13 00:39 - 00336232 _____ () C:\Program Files (x86)\Common Files\logishrd\LWSPlugins\LWS\Applets\CameraHelper\DevManagerCore.dll2012-09-10 22:57 - 2014-11-11 12:48 - 34589888 _____ () C:\Program Files (x86)\Steam\bin\libcef.dll2014-06-18 12:26 - 2012-05-25 03:25 - 00921600 _____ () C:\Program Files (x86)\Yahoo!\Messenger\yui.dll2014-12-12 14:05 - 2014-12-05 19:50 - 01077064 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\libglesv2.dll2014-12-12 14:05 - 2014-12-05 19:50 - 00211272 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\libegl.dll2014-12-12 14:05 - 2014-12-05 19:50 - 09009480 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\pdf.dll2014-12-12 14:05 - 2014-12-05 19:50 - 01677128 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\ffmpegsumo.dll2014-10-16 09:05 - 2014-10-16 09:05 - 00172032 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\92a1650dbe9fad5f46633b835420e1a8\IsdiInterop.ni.dll2012-08-30 15:25 - 2011-11-29 21:00 - 00059392 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll2012-08-30 15:24 - 2012-02-07 18:39 - 01198872 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll2014-12-12 14:05 - 2014-12-05 19:50 - 14913352 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll ==================== Alternate Data Streams (whitelisted) ========= (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.) ==================== Safe Mode (whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) ==================== EXE Association (whitelisted) ============= (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.) ==================== MSCONFIG/TASK MANAGER disabled items ========= (Currently there is no automatic fix for this section.) ========================= Accounts: ========================== Administrator (S-1-5-21-361318840-2708508044-1232436765-500 - Administrator - Disabled)Guest (S-1-5-21-361318840-2708508044-1232436765-501 - Limited - Disabled)HomeGroupUser$ (S-1-5-21-361318840-2708508044-1232436765-1002 - Limited - Enabled)Nith (S-1-5-21-361318840-2708508044-1232436765-1000 - Administrator - Enabled) => C:\Users\Nith ==================== Faulty Device Manager Devices ============= Name: Teredo Tunneling Pseudo-InterfaceDescription: Microsoft Teredo Tunneling AdapterClass Guid: {4d36e972-e325-11ce-bfc1-08002be10318}Manufacturer: MicrosoftService: tunnelProblem: : This device cannot start. (Code10)Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard. Name: avast! Firewall NDIS Filter MiniportDescription: avast! Firewall NDIS Filter MiniportClass Guid: {4d36e972-e325-11ce-bfc1-08002be10318}Manufacturer: ALWIL SoftwareService: aswNdisProblem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)Resolution: A registry problem was detected. This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver. ==================== Event log errors: ========================= Application errors:==================Error: (01/03/2015 00:44:53 PM) (Source: Application Error) (EventID: 1000) (User: )Description: Faulting application name: mbam.exe, version: 1.0.1.711, time stamp: 0x542b53ecFaulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7Exception code: 0xc0000005Fault offset: 0x00066fbbFaulting process id: 0x13fcFaulting application start time: 0xmbam.exe0Faulting application path: mbam.exe1Faulting module path: mbam.exe2Report Id: mbam.exe3 Error: (01/03/2015 11:59:40 AM) (Source: Application Error) (EventID: 1000) (User: )Description: Faulting application name: mbam.exe, version: 1.0.1.711, time stamp: 0x542b53ecFaulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7Exception code: 0xc0000005Fault offset: 0x00066fbbFaulting process id: 0x1884Faulting application start time: 0xmbam.exe0Faulting application path: mbam.exe1Faulting module path: mbam.exe2Report Id: mbam.exe3 Error: (01/03/2015 11:46:02 AM) (Source: Windows Backup) (EventID: 4103) (User: )Description: The backup did not complete because of an error writing to the backup location E:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006). Error: (01/03/2015 11:37:34 AM) (Source: WinMgmt) (EventID: 10) (User: )Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (01/03/2015 11:12:19 AM) (Source: Application Error) (EventID: 1000) (User: )Description: Faulting application name: mbam.exe, version: 1.0.1.711, time stamp: 0x542b53ecFaulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7Exception code: 0xc0000005Fault offset: 0x00066fbbFaulting process id: 0x4258Faulting application start time: 0xmbam.exe0Faulting application path: mbam.exe1Faulting module path: mbam.exe2Report Id: mbam.exe3 Error: (01/02/2015 11:27:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )Description: Task Scheduling Error: m->NextScheduledSPRetry 15023 Error: (01/02/2015 11:27:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )Description: Task Scheduling Error: m->NextScheduledEvent 15023 Error: (01/02/2015 11:27:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )Description: Task Scheduling Error: Continuously busy for more than a second Error: (01/02/2015 11:27:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )Description: Task Scheduling Error: m->NextScheduledSPRetry 14009 Error: (01/02/2015 11:27:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )Description: Task Scheduling Error: m->NextScheduledEvent 14009 System errors:=============Error: (01/03/2015 11:36:40 AM) (Source: Service Control Manager) (EventID: 7000) (User: )Description: The Util SourceApp service failed to start due to the following error: %%2 Error: (01/03/2015 11:36:40 AM) (Source: Service Control Manager) (EventID: 7000) (User: )Description: The Update SourceApp service failed to start due to the following error: %%2 Error: (01/03/2015 11:36:29 AM) (Source: Service Control Manager) (EventID: 7000) (User: )Description: The ActiveKEY PCSync Service service failed to start due to the following error: %%1053 Error: (01/03/2015 11:36:29 AM) (Source: Service Control Manager) (EventID: 7009) (User: )Description: A timeout was reached (30000 milliseconds) while waiting for the ActiveKEY PCSync Service service to connect. Error: (01/03/2015 10:57:07 AM) (Source: Service Control Manager) (EventID: 7011) (User: )Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the MBAMScheduler service. Error: (01/03/2015 10:56:24 AM) (Source: Service Control Manager) (EventID: 7011) (User: )Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service. Error: (01/02/2015 10:19:45 AM) (Source: Service Control Manager) (EventID: 7011) (User: )Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service. Error: (01/02/2015 06:05:51 AM) (Source: Service Control Manager) (EventID: 7011) (User: )Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service. Error: (01/01/2015 06:46:19 PM) (Source: Service Control Manager) (EventID: 7011) (User: )Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service. Error: (01/01/2015 11:39:50 AM) (Source: Service Control Manager) (EventID: 7011) (User: )Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service. Microsoft Office Sessions:=========================Error: (01/03/2015 00:44:53 PM) (Source: Application Error) (EventID: 1000) (User: )Description: mbam.exe1.0.1.711542b53ecntdll.dll6.1.7601.18247521ea8e7c000000500066fbb13fc01d0277f4dff1974C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exeC:\Windows\SysWOW64\ntdll.dll9a7cd8f1-9378-11e4-bfca-10bf48884d75 Error: (01/03/2015 11:59:40 AM) (Source: Application Error) (EventID: 1000) (User: )Description: mbam.exe1.0.1.711542b53ecntdll.dll6.1.7601.18247521ea8e7c000000500066fbb188401d0277c9e658ba7C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exeC:\Windows\SysWOW64\ntdll.dll495a674b-9372-11e4-bfca-10bf48884d75 Error: (01/03/2015 11:46:02 AM) (Source: Windows Backup) (EventID: 4103) (User: )Description: E:\The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006) Error: (01/03/2015 11:37:34 AM) (Source: WinMgmt) (EventID: 10) (User: )Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (01/03/2015 11:12:19 AM) (Source: Application Error) (EventID: 1000) (User: )Description: mbam.exe1.0.1.711542b53ecntdll.dll6.1.7601.18247521ea8e7c000000500066fbb425801d02715d4c1de80C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exeC:\Windows\SysWOW64\ntdll.dllac0017c4-936b-11e4-8a26-10bf48884d75 Error: (01/02/2015 11:27:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )Description: Task Scheduling Error: m->NextScheduledSPRetry 15023 Error: (01/02/2015 11:27:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )Description: Task Scheduling Error: m->NextScheduledEvent 15023 Error: (01/02/2015 11:27:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )Description: Task Scheduling Error: Continuously busy for more than a second Error: (01/02/2015 11:27:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )Description: Task Scheduling Error: m->NextScheduledSPRetry 14009 Error: (01/02/2015 11:27:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )Description: Task Scheduling Error: m->NextScheduledEvent 14009 ==================== Memory info =========================== Processor: Intel® Core i5-3570K CPU @ 3.40GHzPercentage of memory in use: 27%Total physical RAM: 16335.79 MBAvailable physical RAM: 11847.89 MBTotal Pagefile: 32669.77 MBAvailable Pagefile: 27538.72 MBTotal Virtual: 8192 MBAvailable Virtual: 8191.82 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:465.66 GB) (Free:255.7 GB) NTFS ==================== MBR & Partition Table ================== ========================================================Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 910BD1F2)Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS) ==================== End Of Log ============================ Link to post Share on other sites More sharing options...
Blackbird Posted January 3, 2015 ID:925935 Share Posted January 3, 2015 Hi!Welcome to Malwarebytes' Support Forums! I am Blackbird and I will help you removing any malware that might be present on your computer.An important WARNING to all individuals reading this topic:All advice in this topic was given specifically for this user and this computer!! Performing instructions given by me in this topic on other computers may harm your computer's infrastructure and can cause serious damage to them!!Please don't perform the steps given by me or other Helpers in this topic when you are not the original Topic Starter, but start your own topic with a question for help. You will get help from a trained and qualified Helper to clean up your computer from any present malware when you do so.General rules:From now on, don't use this computer anymore to access your bank account or any other serious business where you have to login for, untill I've told you your computer is clean from malware. Be patient waiting for my answer. I'm doing the best I can to answer to logs as soon as possible, but I'm handling multiple topics at the same time. Please feel free to remind me of your topic by sending a link to it by private message, when I didn't get back to you after 24 hours. Don't change anything on your computer in the period I'm helping you, except when I tell you to do so. So don't add/remove any software (programs, drivers, etc.) and don't change any hardware. If you really need to change something that can't wait, please inform me directly, by posting it in this topic or - if private - send me a private message containing an explanation of the changes made by you. This gives me the possibility to give you good advice.Rules about advices from me:The Helpers active on this board first got a full training in removing malware and providing support to people who got infected. Also they were trained to resolve any problems caused by malware infections. Please use the programs I provide to you only when under supervision of a trained Helper. This, because using these programs without supervision can cause damage to your computer. It's possible that your virus scanner, anti-spyware program or any other malware protection program or policy tries to block one or more of the programs provided by us. If that is the case, please always allow those programs to run and/or allow the provided changes to be made. If needed to run our tools properly, temporarily disable your anti-malware programs. Always Save tools provided by me to your Desktop, unless I give you other instructions. Don't ever run tools directly from the internet, because this can stop them from working properly. Also never save tools to any other locations than your Desktop. If you have any problems while following my instructions, stop there and tell me the exact nature of the issue. Perform everything in the correct order. Sometimes one step requires the previous one. You can check here if you're not sure if your computer is 32-bit or 64-bit.Rules about posting results:Always copy/paste the logfiles in your replies completely. If a logfile doesn't fit into one post, please add the logfile as an attachment instead. If this still won't work, please inform me. Never change something in the logfiles!! Include them in your posts as they were provided by the tools. This way I'll get a clear view on your system's situation. If you change the logfiles, it will take more time to clean up your computer. Don't post logs using CODE, QUOTE or FONT tags. Just post them as direct text.Things I want you to do before performing the steps below:Please enable your system to show hidden files: How to see hidden files in Windows. Make sure you're subscribed to this topic. Click on the Follow This Topic button at the top right of this page, make sure that the Receive Notification box is checked and that it is set to Instantly. Even though we do the best we can to help you, removing malware includes risks. Therefor I advise you to back-up all of your important files to a CD/DVD, external drive or flash drive. For instructions/help, take a look here.-------------------------------------------------------------------------------------------------------------------------------------------------------Thanks in advance for keeping above rules in mind. Maybe they look like unnecessary rules, but practice teaches us they are needed to help.Now, let's continue with the steps you need to do:-------------------------------------------------------------------------------------------------------------------------------------------------------1. We need to temporarily disable any cd-emulators active on your computer, as they can impede the interpretation of logfiles provided by our tools.Download Defogger and save it to your Desktop. Right-click Defogger.exe and select Run as Administrator. When the program has opened, click the Disable button. When Defogger asks for a confirmation, click Yes. Wait untill you get the "Finished" message. Click OK. When Defogger asks you to restart the system, please allow the program to do so immediately.When an error occured while using Defogger, look for a file called "defogger_disable.txt", which should be located at your Desktop. Post the contents of this file into your next reply. You can enable the cd-emulator software again by running Defogger again and clicking the "Re-enable" button. Only do this when I told you your computer is clean again. 2. Go to Start > Control Panel.Once Control Panel has opened, please click Uninstall a program.Please delete the following programme, because it's related to malware:Battle.net[*]Please also delete the following programme, because it's a very outdated version:Java 7 Update 71I also advise you to delete the following programme, as it may harm your privacy by keeping logs on your browsing behaviour:Yahoo! Toolbar 3. Download RKill and save it to your Desktop.Right-click RKill.exe and select Run as Administrator.... If a Windows Security prompt shows up, please allow the program to start. The program will start immediately with it's tasks. When the program has finished, a logfile will appear.Please copy the contents of this logfile in your next reply.4. Download AdwCleaner and save it to your Desktop.Close all open windows. Right-click AdwCleaner.exe and select Run as Administrator. Click the Scan button. When the scan has finished, please click the Report button and save the logfile that opens to the Desktop. Post the contents of this logfile into your next reply.5. Download Malwarebytes' Anti-Malware and save it to your Desktop.If you already got Malwarebytes' Anti-Malware installed on your computer, please go to step 6-A.Install the program, eventually using these instructions.6-A. Start Malwarebytes' Anti-Malware.On the Dashboard tab, click the Update Now button, to update the definitions to the latest version. Then click the Scan tab. Select Custom Scan and click the Start Scan button. In the window that appears, check the box next to Scan for Rootkits. Also, select all drives, except for CD/DVD-drives. After you have done this, click Start Scan. Follow the instructions given by Malwarebytes' Anti-Malware. If any items were found during the scan process, Malwarebytes' Anti-Malware will ask you what you want to do with those items. Please quarantine all items. It's possible the program asks you for permission to restart the computer. If so, please allow MBAM to do so immediately. Save the logfile in txt-format and copy/paste it in your next reply. Note: If you can't find the logfile, look at the "History" tab. Select the most recent logfile (you can see the creation date in the log's title).7. Download fixlist.txt to your Desktop. I've attached it for you (see below this message).Please make sure it's located in the same location as FRST.exe/FRST64.exe!! 8. Start Farbar Recovery Scan Tool by right-clicking it and selecting Run as Administrator.Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop, called fixlog.txt. Please include this logfile in your next reply. 9. Delete fixlist.txt from your Desktop. (Important!!)10. Download GMER Rootkit Scanner and save it to your Desktop.NOTE: Windows 8 users can skip this step. GMER Rootkit Scanner isn't compatible with Windows 8. Don't run it.Right-click the GMER executable file (which's name will contain 8 digits/characters) and select Run as Administrator. If GMER warns you about possible rootkit activity and asks you to scan for rootkits, DON'T allow GMER to do so. Under "Files", put a checkmark next to Quick Scan. Remove the checkmark next to Show all. Now, click the Scan button. Note: This scan often provides False Positives in the scan results. Never fix anything found by Gmer, unless I instructed you to do so! If the scan's finished, click Save and save the log to your Desktop. Post GMER's logfile into your next reply. 11. Start Farbar Recovery Scan Tool by right-clicking it and selecting Run as Administrator.Press the Scan button just once and wait. When finished FRST will generate a log on the Desktop. Please include this logfile in your next reply.12. Please provide me a detailed description of any computer problems you're facing, together with the logfiles from:DeFoggerRKillAdwCleanerMalwarebytes' Anti-MalwareFarbar Recovery Scan Tool - using fixlist.txtGmer Rootkit scannerFarbar Recovery Scan Tool - regular scanGood luck! fixlist.txt Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926144 Share Posted January 4, 2015 Thank you so much for the reply. I think I got stuck at 7. Where can I download fixlist.txt? Link to post Share on other sites More sharing options...
Blackbird Posted January 4, 2015 ID:926177 Share Posted January 4, 2015 Hi there, It's below the instructions. I added it as an attachment.If you can't find it, this is the direct link to download it. Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926184 Share Posted January 4, 2015 Hello After I downloaded "fixlist.txt". I did #8 and it gave me fixlog.txt. (I copied it) On #9, you told me to delete fixlist.txt from my desktop. Now I can't find it anywhere. I saw it on my desktop before I did #8, but after I did #8. It disappeared. Should I move on to #10 now or ?? Link to post Share on other sites More sharing options...
Blackbird Posted January 4, 2015 ID:926185 Share Posted January 4, 2015 Hi, Yes, you can move on to step 10 then. Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926197 Share Posted January 4, 2015 Everything was good from #1 to #12 except the #6. When I quarantined all of the items and it said something like all of the items have been quarantined, but then the window popped out and said "Malwarebytes has stopped responding" and when I went to check the history those items are still there. Even when I deleted them and scanned it again. Those 6 items were still there. These 6 items won't go away. These 6 items are: PUP.Optional.SystemSpeedup - This located in my C:/usersPUP.Optional.StartPoint.A - This located in my C:/usersPUP.Optional SourceApp.A - This located in my C:/Program files (x86)PUP.Optional. Managera.A - This located in my C:/usersPUP.Optional.Extutil.A - This located in my C:/usersPUP.Optional.BoBrowser.A - This located in my C:/users These are the log txts Rkill 2.6.9 by Lawrence Abrams (Grinler)http://www.bleepingcomputer.com/Copyright 2008-2015 BleepingComputer.comMore Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html Program started at: 01/03/2015 10:38:08 PM in x64 mode.Windows Version: Windows 7 Home Premium Service Pack 1 Checking for Windows services to stop: * No malware services found to stop. Checking for processes to terminate: * C:\Users\Nith\Downloads\Defogger (1).exe (PID: 3528) [uP-HEUR] 1 proccess terminated! Checking Registry for malware related settings: * No issues found in the Registry. Resetting .EXE, .COM, & .BAT associations in the Windows Registry. Performing miscellaneous checks: * No issues found. Checking Windows Service Integrity: # AdwCleaner v4.106 - Report created 03/01/2015 at 22:42:32# Updated 21/12/2014 by Xplode# Database : 2015-01-03.1 [Live]# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)# Username : Nith - NITH-PC# Running from : C:\Users\Nith\Downloads\adwcleaner_4.106.exe# Option : Scan ***** [ Services ] ***** Service Found : YahooAUService ***** [ Files / Folders ] ***** File Found : C:\ENDFile Found : C:\Users\Nith\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_services.hearstmags.com_0.localstorageFile Found : C:\Users\Nith\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_services.hearstmags.com_0.localstorage-journalFile Found : C:\Users\Nith\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.audienceinsights.net_0.localstorageFile Found : C:\Users\Nith\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.audienceinsights.net_0.localstorage-journalFile Found : C:\Users\Nith\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorageFile Found : C:\Users\Nith\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage-journalFile Found : C:\Users\Nith\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorageFile Found : C:\Users\Nith\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journalFile Found : C:\Users\Nith\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journalFile Found : C:\Users\Nith\Desktop\Live PC Help.lnkFile Found : C:\Windows\System32\roboot64.exeFolder Found : C:\ProgramData\apnFolder Found : C:\ProgramData\AskFolder Found : C:\ProgramData\blekko toolbarsFolder Found : C:\Users\Nith\AppData\Local\blekkotb_031Folder Found : C:\Users\Nith\AppData\Local\BoBrowserFolder Found : C:\Users\Nith\AppData\Local\Temp\apnFolder Found : C:\Users\Nith\AppData\Roaming\Systweak ***** [ Scheduled Tasks ] ***** Task Found : BrowserSafeguard Update Task ***** [ Shortcuts ] ***** ***** [ Registry ] ***** Key Found : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}Key Found : HKCU\Software\BoBrowserKey Found : HKCU\Software\Classes\keepmysearchKey Found : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\apnwidgets.ask.comKey Found : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.comKey Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\apnwidgets.ask.comKey Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.comKey Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33B368EE-CBB1-49FB-A1A5-2957BC381457}Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}Key Found : HKCU\Software\systweakKey Found : [x64] HKCU\Software\BoBrowserKey Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33B368EE-CBB1-49FB-A1A5-2957BC381457}Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}Key Found : [x64] HKCU\Software\systweakKey Found : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}Key Found : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}Key Found : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}Key Found : HKLM\SOFTWARE\ClaraKey Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLLKey Found : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}Key Found : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}Key Found : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}Key Found : HKLM\SOFTWARE\Classes\CLSID\{8769ADCE-DBA5-48E9-AFB5-67B12CDF2E61}Key Found : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}Key Found : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}Key Found : HKLM\SOFTWARE\Classes\speedupmypcKey Found : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}Key Found : HKLM\SOFTWARE\systweakKey Found : HKLM\SOFTWARE\UniblueKey Found : HKLM\SOFTWARE\Uniblue\DriverScannerKey Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82EKey Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FAKey Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CCKey Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EAKey Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0EKey Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDFKey Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65EValue Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}] ***** [ Browsers ] ***** -\\ Internet Explorer v11.0.9600.17496 -\\ Mozilla Firefox v -\\ Google Chrome v39.0.2171.95 -\\ Chromium v ************************* AdwCleaner[R0].txt - [7831 octets] - [03/01/2015 22:42:32] ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [7891 octets] ########## Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926198 Share Posted January 4, 2015 Malwarebytes Anti-Malwarewww.malwarebytes.org Update, 1/3/2015 11:42:23 AM, SYSTEM, NITH-PC, Manual, Rootkit Database, 2014.11.18.1, 2014.12.30.1, Update, 1/3/2015 11:42:23 AM, SYSTEM, NITH-PC, Manual, Remediation Database, 2013.10.16.1, 2014.12.6.1, Update, 1/3/2015 11:42:38 AM, SYSTEM, NITH-PC, Manual, Malware Database, 2014.11.20.6, 2015.1.3.7, Protection, 1/3/2015 11:43:45 AM, SYSTEM, NITH-PC, Protection, Malware Protection, Starting, Protection, 1/3/2015 11:43:45 AM, SYSTEM, NITH-PC, Protection, Malware Protection, Started, Protection, 1/3/2015 11:43:45 AM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Starting, Protection, 1/3/2015 11:43:46 AM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Started, Update, 1/3/2015 12:37:17 PM, SYSTEM, NITH-PC, Scheduler, Malware Database, 2015.1.3.7, 2015.1.3.8, Protection, 1/3/2015 12:37:17 PM, SYSTEM, NITH-PC, Protection, Refresh, Starting, Protection, 1/3/2015 12:37:17 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Stopping, Protection, 1/3/2015 12:37:17 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Stopped, Protection, 1/3/2015 12:37:20 PM, SYSTEM, NITH-PC, Protection, Refresh, Success, Protection, 1/3/2015 12:37:20 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Starting, Protection, 1/3/2015 12:37:21 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Started, Update, 1/3/2015 1:01:14 PM, SYSTEM, NITH-PC, Scheduler, Malware Database, 2015.1.3.8, 2015.1.3.9, Protection, 1/3/2015 1:01:14 PM, SYSTEM, NITH-PC, Protection, Refresh, Starting, Protection, 1/3/2015 1:01:14 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Stopping, Protection, 1/3/2015 1:01:14 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Stopped, Protection, 1/3/2015 1:01:18 PM, SYSTEM, NITH-PC, Protection, Refresh, Success, Protection, 1/3/2015 1:01:18 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Starting, Protection, 1/3/2015 1:01:18 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Started, Update, 1/3/2015 1:50:47 PM, SYSTEM, NITH-PC, Scheduler, Malware Database, 2015.1.3.9, 2015.1.3.10, Protection, 1/3/2015 1:50:47 PM, SYSTEM, NITH-PC, Protection, Refresh, Starting, Protection, 1/3/2015 1:50:47 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Stopping, Protection, 1/3/2015 1:50:47 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Stopped, Protection, 1/3/2015 1:50:51 PM, SYSTEM, NITH-PC, Protection, Refresh, Success, Protection, 1/3/2015 1:50:51 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Starting, Protection, 1/3/2015 1:50:51 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Started, Protection, 1/3/2015 2:44:14 PM, SYSTEM, NITH-PC, Protection, Malware Protection, Starting, Protection, 1/3/2015 2:44:14 PM, SYSTEM, NITH-PC, Protection, Malware Protection, Started, Protection, 1/3/2015 2:44:14 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Starting, Protection, 1/3/2015 2:44:30 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Started, Update, 1/3/2015 6:03:05 PM, SYSTEM, NITH-PC, Scheduler, Malware Database, 2015.1.3.10, 2015.1.3.12, Protection, 1/3/2015 6:03:05 PM, SYSTEM, NITH-PC, Protection, Refresh, Starting, Protection, 1/3/2015 6:03:05 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Stopping, Protection, 1/3/2015 6:03:05 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Stopped, Protection, 1/3/2015 6:03:08 PM, SYSTEM, NITH-PC, Protection, Refresh, Success, Protection, 1/3/2015 6:03:08 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Starting, Protection, 1/3/2015 6:03:08 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Started, Update, 1/3/2015 10:13:57 PM, SYSTEM, NITH-PC, Scheduler, Malware Database, 2015.1.3.12, 2015.1.4.4, Protection, 1/3/2015 10:13:57 PM, SYSTEM, NITH-PC, Protection, Refresh, Starting, Protection, 1/3/2015 10:13:57 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Stopping, Protection, 1/3/2015 10:13:57 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Stopped, Protection, 1/3/2015 10:14:00 PM, SYSTEM, NITH-PC, Protection, Refresh, Success, Protection, 1/3/2015 10:14:00 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Starting, Protection, 1/3/2015 10:14:01 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Started, Update, 1/3/2015 10:55:18 PM, SYSTEM, NITH-PC, Scheduler, Malware Database, 2015.1.4.4, 2015.1.4.5, Protection, 1/3/2015 10:55:18 PM, SYSTEM, NITH-PC, Protection, Refresh, Starting, Protection, 1/3/2015 10:55:18 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Stopping, Protection, 1/3/2015 10:55:18 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Stopped, Protection, 1/3/2015 10:55:21 PM, SYSTEM, NITH-PC, Protection, Refresh, Success, Protection, 1/3/2015 10:55:21 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Starting, Protection, 1/3/2015 10:55:21 PM, SYSTEM, NITH-PC, Protection, Malicious Website Protection, Started, (end) Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926201 Share Posted January 4, 2015 Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 03-01-2015 03Ran by Nith at 2015-01-04 12:18:39 Run:1Running from C:\Users\Nith\DesktopLoaded Profile: Nith (Available profiles: Nith)Boot Mode: Normal============================================== Content of fixlist:*****************HKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\Run: [cdloader] => C:\Users\Nith\AppData\Roaming\mjusbsp\cdloader2.exe [51592 2013-05-06] (magicJack L.P.)HKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\MountPoints2: {00aada10-f2ef-11e1-a100-806e6f6e6963} - D:\Bin\ASSETUP.exeHKU\S-1-5-21-361318840-2708508044-1232436765-1000\...\MountPoints2: {55958e33-5ad3-11e2-8ac6-10bf48884d75} - E:\iStudio.exeCHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTIONProxyServer: [s-1-5-21-361318840-2708508044-1232436765-1000] => http=127.0.0.1:49247;https=127.0.0.1:49247URLSearchHook: HKU\S-1-5-21-361318840-2708508044-1232436765-1000 - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll No FileSearchScopes: HKU\S-1-5-21-361318840-2708508044-1232436765-1000 -> {33B368EE-CBB1-49FB-A1A5-2957BC381457} URL = http://www.search.as...archTerms}&psv=SearchScopes: HKU\S-1-5-21-361318840-2708508044-1232436765-1000 -> {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E} URL = http://search.strtpo...rchTerms}&r=462Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No FileToolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)Toolbar: HKU\S-1-5-21-361318840-2708508044-1232436765-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No FileTask: {BB6FA46A-607B-4AE3-9C1D-203B5EB74F2F} - System32\Tasks\StartPoint Updater => C:\Users\Nith\AppData\Local\StartPoint\startpoint\1.3.17.3\startup.exeTask: {D2CB8008-2484-4455-8418-EC305213B6AC} - System32\Tasks\StartPoint => C:\Users\Nith\AppData\Local\StartPoint\startpoint\1.3.17.3\startpoint.exeTask: {E6B516C0-0B31-4484-9FFF-BAD2D8818C7D} - \BrowserSafeguard Update Task No Task File <==== ATTENTIOND:\Bin\ASSETUP.exeE:\iStudio.exeC:\Users\Nith\AppData\Local\BoBrowserC:\Program Files (x86)\SourceAppC:\Windows\System32\Tasks\StartPointC:\Windows\System32\Tasks\StartPoint UpdaterC:\Users\Nith\AppData\Local\StartPointC:\Users\Nith\AppData\Roaming\Battle.netC:\Users\Nith\AppData\Local\Battle.netC:\Users\Nith\AppData\Local\Temp\6_Offer_14.exeC:\Users\Nith\AppData\Local\Temp\APNStub.exeC:\Users\Nith\AppData\Local\Temp\f4f2a446-6cf6-458d-b85a-dcb16e8ac472.exeC:\Users\Nith\AppData\Local\Temp\Gw2.exeC:\Users\Nith\AppData\Local\Temp\setup-Jutera_US_pscombined-bunndle-cb-1.1-x86x64_20120808.exeC:\Users\Nith\AppData\Local\Temp\setup.exeC:\Users\Nith\AppData\Local\Temp\startpoint_1.exeC:\Users\Nith\AppData\Local\Temp\startup.exeC:\Users\Nith\AppData\Local\Temp\swt-win32-3349.dllC:\Users\Nith\AppData\Local\Temp\swt-win32-3740.dllC:\Users\Nith\AppData\Local\Temp\_is2818.exeC:\Users\Nith\AppData\Local\Temp\_is3616.exeC:\Users\Nith\AppData\Local\Temp\_is4568.exeC:\Users\Nith\AppData\Local\Temp\_is4628.exeC:\Users\Nith\AppData\Local\Temp\_isA6DB.exeC:\Users\Nith\AppData\Local\Temp\_isAD6A.exeC:\Users\Nith\AppData\Local\Temp\_isD10D.exeC:\Users\Nith\AppData\Local\Temp\_isED0C.exeC:\Users\Nith\AppData\Local\StartPoint***************** HKU\S-1-5-21-361318840-2708508044-1232436765-1000\Software\Microsoft\Windows\CurrentVersion\Run\\cdloader => value deleted successfully."HKU\S-1-5-21-361318840-2708508044-1232436765-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00aada10-f2ef-11e1-a100-806e6f6e6963}" => Key deleted successfully.HKCR\CLSID\{00aada10-f2ef-11e1-a100-806e6f6e6963} => Key not found. "HKU\S-1-5-21-361318840-2708508044-1232436765-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{55958e33-5ad3-11e2-8ac6-10bf48884d75}" => Key deleted successfully.HKCR\CLSID\{55958e33-5ad3-11e2-8ac6-10bf48884d75} => Key not found. "HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.HKU\S-1-5-21-361318840-2708508044-1232436765-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.HKU\S-1-5-21-361318840-2708508044-1232436765-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{00000000-6E41-4FD3-8538-502F5495E5FC} => value deleted successfully."HKCR\Wow6432Node\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}" => Key deleted successfully."HKU\S-1-5-21-361318840-2708508044-1232436765-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33B368EE-CBB1-49FB-A1A5-2957BC381457}" => Key deleted successfully.HKCR\CLSID\{33B368EE-CBB1-49FB-A1A5-2957BC381457} => Key not found. "HKU\S-1-5-21-361318840-2708508044-1232436765-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}" => Key deleted successfully.HKCR\CLSID\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E} => Key not found. "HKU\S-1-5-21-361318840-2708508044-1232436765-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{859AEACA-EA0E-45DB-9B8C-B67362AA98A2}" => Key deleted successfully.HKCR\CLSID\{859AEACA-EA0E-45DB-9B8C-B67362AA98A2} => Key not found. HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => value deleted successfully.HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => Key not found. HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => Value not found.HKCR\Wow6432Node\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => Key not found. HKU\S-1-5-21-361318840-2708508044-1232436765-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BB6FA46A-607B-4AE3-9C1D-203B5EB74F2F}" => Key deleted successfully."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BB6FA46A-607B-4AE3-9C1D-203B5EB74F2F}" => Key deleted successfully.C:\Windows\System32\Tasks\StartPoint Updater => Moved successfully."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\StartPoint Updater" => Key deleted successfully."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D2CB8008-2484-4455-8418-EC305213B6AC}" => Key deleted successfully."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D2CB8008-2484-4455-8418-EC305213B6AC}" => Key deleted successfully.C:\Windows\System32\Tasks\StartPoint => Moved successfully."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\StartPoint" => Key deleted successfully."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E6B516C0-0B31-4484-9FFF-BAD2D8818C7D}" => Key deleted successfully."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E6B516C0-0B31-4484-9FFF-BAD2D8818C7D}" => Key deleted successfully."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BrowserSafeguard Update Task" => Key deleted successfully."D:\Bin\ASSETUP.exe" => File/Directory not found."E:\iStudio.exe" => File/Directory not found.C:\Users\Nith\AppData\Local\BoBrowser => Moved successfully.C:\Program Files (x86)\SourceApp => Moved successfully."C:\Windows\System32\Tasks\StartPoint" => File/Directory not found."C:\Windows\System32\Tasks\StartPoint Updater" => File/Directory not found.C:\Users\Nith\AppData\Local\StartPoint => Moved successfully.C:\Users\Nith\AppData\Roaming\Battle.net => Moved successfully.C:\Users\Nith\AppData\Local\Battle.net => Moved successfully.C:\Users\Nith\AppData\Local\Temp\6_Offer_14.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\APNStub.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\f4f2a446-6cf6-458d-b85a-dcb16e8ac472.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\Gw2.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\setup-Jutera_US_pscombined-bunndle-cb-1.1-x86x64_20120808.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\setup.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\startpoint_1.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\startup.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\swt-win32-3349.dll => Moved successfully.C:\Users\Nith\AppData\Local\Temp\swt-win32-3740.dll => Moved successfully.C:\Users\Nith\AppData\Local\Temp\_is2818.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\_is3616.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\_is4568.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\_is4628.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\_isA6DB.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\_isAD6A.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\_isD10D.exe => Moved successfully.C:\Users\Nith\AppData\Local\Temp\_isED0C.exe => Moved successfully."C:\Users\Nith\AppData\Local\StartPoint" => File/Directory not found. ==== End of Fixlog 12:18:41 ==== Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926204 Share Posted January 4, 2015 GMER 2.1.19357 - http://www.gmer.netRootkit scan 2015-01-04 12:42:24Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465.76GBRunning: ks2ryfvi.exe; Driver: C:\Users\Nith\AppData\Local\Temp\kxldqpow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031b6000 45 bytes [00, 00, 1E, 02, 4D, 6D, 43, ...]INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800031b602f 16 bytes [00, 03, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Windows\system32\services.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Windows\system32\lsass.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320 Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926206 Share Posted January 4, 2015 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000100070460.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000100070450.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000100070370.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000100070470.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 00000001000703e0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000100070320.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 00000001000703b0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000100070390.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 00000001000702e0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 00000001000702d0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000100070310.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 00000001000703c0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 00000001000703f0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000100070230.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000100070480.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 00000001000703a0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 00000001000702f0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000100070350.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000100070290.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 00000001000702b0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 00000001000703d0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000100070330.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000100070410.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000100070240.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 00000001000701e0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000100070250.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000100070490.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 00000001000704a0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000100070300.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000100070360.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 00000001000702a0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 00000001000702c0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000100070380.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000100070340.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000100070440 Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926208 Share Posted January 4, 2015 .text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000100070260.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000100070270.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000100070400.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 00000001000701f0.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000100070210.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000100070200.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000100070420.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000100070430.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000100070220.text C:\Windows\System32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000100070280.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420 Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926210 Share Posted January 4, 2015 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Windows\system32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0 Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926211 Share Posted January 4, 2015 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000100070460.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000100070450.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000100070370.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000100070470.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 00000001000703e0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000100070320.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 00000001000703b0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000100070390.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 00000001000702e0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 00000001000702d0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000100070310.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 00000001000703c0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 00000001000703f0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000100070230.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000100070480.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 00000001000703a0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 00000001000702f0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000100070350.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000100070290.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 00000001000702b0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 00000001000703d0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000100070330.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000100070410.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000100070240.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 00000001000701e0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000100070250.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000100070490.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 00000001000704a0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000100070300.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000100070360.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 00000001000702a0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 00000001000702c0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000100070380.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000100070340.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000100070440.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000100070260.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000100070270.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000100070400.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 00000001000701f0.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000100070210.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000100070200.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000100070420.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000100070430.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000100070220.text C:\Windows\system32\svchost.exe[1724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000100070280.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410 Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926214 Share Posted January 4, 2015 .text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Windows\Explorer.EXE[3440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[4712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4228] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076028791 8 bytes [31, C0, C2, 04, 00, 90, 90, Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926216 Share Posted January 4, 2015 ...].text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420 Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926219 Share Posted January 4, 2015 .text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Windows\system32\wbem\wmiprvse.exe[4444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000100070460.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000100070450.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000100070370.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000100070470.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 00000001000703e0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000100070320.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 00000001000703b0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000100070390.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 00000001000702e0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 00000001000702d0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000100070310.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 00000001000703c0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 00000001000703f0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000100070230.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000100070480.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 00000001000703a0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 00000001000702f0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000100070350.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000100070290.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 00000001000702b0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 00000001000703d0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000100070330.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000100070410.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000100070240.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 00000001000701e0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000100070250.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000100070490.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 00000001000704a0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000100070300.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000100070360.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 00000001000702a0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 00000001000702c0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000100070380.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000100070340.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000100070440.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000100070260.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000100070270.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000100070400.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 00000001000701f0.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000100070210.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000100070200.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000100070420.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000100070430.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000100070220.text C:\Windows\system32\SearchIndexer.exe[4728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000100070280.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310 Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926220 Share Posted January 4, 2015 .text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Windows\System32\svchost.exe[5484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077381465 2 bytes [38, 77].text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[6052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773814bb 2 bytes [38, 77] Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926223 Share Posted January 4, 2015 .text ... * 2? C:\Windows\system32\mssprxy.dll [6052] entry point in ".rdata" section 000000006e3f71e6.text C:\ProgramData\FLEXnet\Connect\11\agent.exe[7064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077381465 2 bytes [38, 77].text C:\ProgramData\FLEXnet\Connect\11\agent.exe[7064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000773814bb 2 bytes [38, 77].text ... * 2.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Users\Nith\Desktop\FRST64.exe[7520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0 Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926226 Share Posted January 4, 2015 .text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Windows\system32\notepad.exe[5896] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c61360 5 bytes JMP 0000000077dc0460.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c613b0 5 bytes JMP 0000000077dc0450.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c61510 5 bytes JMP 0000000077dc0370.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c61560 5 bytes JMP 0000000077dc0470.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c61570 5 bytes JMP 0000000077dc03e0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c61620 5 bytes JMP 0000000077dc0320.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c61650 5 bytes JMP 0000000077dc03b0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c61670 5 bytes JMP 0000000077dc0390.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c616b0 5 bytes JMP 0000000077dc02e0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c61730 5 bytes JMP 0000000077dc02d0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c61750 5 bytes JMP 0000000077dc0310.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c61790 5 bytes JMP 0000000077dc03c0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c617e0 5 bytes JMP 0000000077dc03f0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c61940 5 bytes JMP 0000000077dc0230.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c61b00 5 bytes JMP 0000000077dc0480.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c61b30 5 bytes JMP 0000000077dc03a0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c61c10 5 bytes JMP 0000000077dc02f0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c61c20 5 bytes JMP 0000000077dc0350.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c61c80 5 bytes JMP 0000000077dc0290.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c61d10 5 bytes JMP 0000000077dc02b0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c61d30 5 bytes JMP 0000000077dc03d0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c61d40 5 bytes JMP 0000000077dc0330.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c61db0 5 bytes JMP 0000000077dc0410.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c61de0 5 bytes JMP 0000000077dc0240.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c620a0 5 bytes JMP 0000000077dc01e0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c62160 5 bytes JMP 0000000077dc0250.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c62190 5 bytes JMP 0000000077dc0490.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c621a0 5 bytes JMP 0000000077dc04a0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c621d0 5 bytes JMP 0000000077dc0300.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c621e0 5 bytes JMP 0000000077dc0360.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c62240 5 bytes JMP 0000000077dc02a0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c62290 5 bytes JMP 0000000077dc02c0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c622c0 5 bytes JMP 0000000077dc0380.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c622d0 5 bytes JMP 0000000077dc0340.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c625c0 5 bytes JMP 0000000077dc0440.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c627c0 5 bytes JMP 0000000077dc0260.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c627d0 5 bytes JMP 0000000077dc0270.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c627e0 5 bytes JMP 0000000077dc0400.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c629a0 5 bytes JMP 0000000077dc01f0.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c629b0 5 bytes JMP 0000000077dc0210.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c62a20 5 bytes JMP 0000000077dc0200.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c62a80 5 bytes JMP 0000000077dc0420.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c62a90 5 bytes JMP 0000000077dc0430.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c62aa0 5 bytes JMP 0000000077dc0220.text C:\Program Files\Windows NT\Accessories\wordpad.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c62b80 5 bytes JMP 0000000077dc0280 Link to post Share on other sites More sharing options...
Sinith Posted January 4, 2015 Author ID:926228 Share Posted January 4, 2015 ---- Threads - GMER 2.1 ---- Thread C:\Windows\SysWOW64\ntdll.dll [1004:1008] 0000000000fb5817Thread C:\Windows\SysWOW64\ntdll.dll [1004:1012] 0000000000fb4d99Thread C:\Windows\SysWOW64\ntdll.dll [1004:1016] 0000000000fb4d99Thread C:\Windows\System32\svchost.exe [1044:4448] 000007fef45744e0Thread C:\Windows\System32\svchost.exe [1044:2140] 000007feec303efcThread C:\Windows\System32\svchost.exe [1044:2940] 000007feecfa8a4cThread C:\Windows\System32\svchost.exe [1044:6332] 000007fef47688f8Thread C:\Windows\system32\svchost.exe [1228:1416] 000007fefb808274Thread C:\Windows\system32\svchost.exe [1228:4088] 000007fefb808274Thread C:\Windows\System32\spoolsv.exe [1696:2716] 000007fef32d10c8Thread C:\Windows\System32\spoolsv.exe [1696:2724] 000007fef3296144Thread C:\Windows\System32\spoolsv.exe [1696:2728] 000007fef40e5fd0Thread C:\Windows\System32\spoolsv.exe [1696:2732] 000007fef3ed3438Thread C:\Windows\System32\spoolsv.exe [1696:2736] 000007fef40e63ecThread C:\Windows\System32\spoolsv.exe [1696:2744] 000007fef3375e5cThread C:\Windows\System32\spoolsv.exe [1696:2748] 000007fef33a5074Thread C:\Windows\System32\spoolsv.exe [1696:3040] 000007fef3412288Thread C:\Windows\System32\spoolsv.exe [1696:3000] 000007fef3328760Thread C:\Windows\SysWOW64\ntdll.dll [1112:1092] 00000000001e7c7eThread C:\Windows\SysWOW64\ntdll.dll [1444:1424] 0000000000251344Thread C:\Windows\SysWOW64\ntdll.dll [1444:1948] 00000000001efdc0Thread C:\Windows\SysWOW64\ntdll.dll [1444:1952] 00000000001efdc0Thread C:\Windows\SysWOW64\ntdll.dll [1444:1984] 00000000001efdc0Thread C:\Windows\SysWOW64\ntdll.dll [1444:1988] 00000000001efdc0Thread C:\Windows\SysWOW64\ntdll.dll [1444:1992] 00000000001efdc0Thread C:\Windows\SysWOW64\ntdll.dll [1444:1996] 00000000001efdc0Thread C:\Windows\SysWOW64\ntdll.dll [1444:1980] 00000000001efdc0Thread C:\Windows\SysWOW64\ntdll.dll [1444:1972] 00000000001efdc0Thread C:\Windows\SysWOW64\ntdll.dll [1444:1976] 00000000001efdc0Thread C:\Windows\SysWOW64\ntdll.dll [1444:1968] 00000000001efdc0Thread C:\Windows\SysWOW64\ntdll.dll [1444:1964] 00000000001efdc0Thread C:\Windows\SysWOW64\ntdll.dll [1804:1808] 00000000010ba4c0Thread C:\Windows\SysWOW64\ntdll.dll [1804:2684] 000000000103de40Thread C:\Windows\SysWOW64\ntdll.dll [1804:2780] 0000000001042d80Thread C:\Windows\SysWOW64\ntdll.dll [1804:2900] 000000000107b340Thread C:\Windows\SysWOW64\ntdll.dll [1804:9128] 0000000001083d70Thread C:\Windows\SysWOW64\ntdll.dll [1804:7796] 0000000001083f30Thread C:\Windows\SysWOW64\ntdll.dll [1804:10180] 0000000001083d70Thread C:\Windows\SysWOW64\ntdll.dll [1804:7792] 0000000001083f30Thread C:\Windows\SysWOW64\ntdll.dll [1804:9004] 0000000001083d70Thread C:\Windows\SysWOW64\ntdll.dll [1804:5268] 0000000001083f30Thread C:\Windows\SysWOW64\ntdll.dll [1804:3256] 0000000001083d70Thread C:\Windows\SysWOW64\ntdll.dll [1804:9496] 0000000001083f30Thread C:\Windows\system32\svchost.exe [2272:2360] 00000000003ba988Thread C:\Windows\system32\svchost.exe [2272:3020] 000007fefb3fa850Thread C:\Windows\SysWOW64\ntdll.dll [2492:2496] 0000000000442327Thread C:\Windows\system32\taskhost.exe [3388:4068] 000007fef2ac1f38Thread C:\Windows\system32\taskhost.exe [3388:3408] 000007fef2212740Thread C:\Windows\system32\taskhost.exe [3388:3592] 000007fefb3f1010Thread C:\Windows\system32\taskhost.exe [3388:6232] 000007feefd95170Thread C:\Windows\system32\Dwm.exe [3468:3260] 000007fef1e1abf0Thread C:\Program Files\Microsoft IntelliPoint\ipoint.exe [4320:5828] 000007feea613774Thread C:\Program Files\Microsoft IntelliPoint\ipoint.exe [4320:1540] 000007feea837498Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4384:5340] 000007fefc1d2bf8Thread C:\Windows\SysWOW64\ntdll.dll [5584:4116] 0000000000fb2f9eThread C:\Windows\SysWOW64\ntdll.dll [3716:2116] 00000000012be311Thread C:\Windows\SysWOW64\ntdll.dll [7100:7104] 0000000001219032Thread C:\Program Files\Windows NT\Accessories\wordpad.exe [8744:4040] 000000006d5931c0Thread C:\Program Files\Windows NT\Accessories\wordpad.exe [9032:8420] 000000006d5931c0Thread C:\Program Files\Windows NT\Accessories\wordpad.exe [6956:9160] 000000006d5931c0 ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Nith\AppData\Local\Logitech\xae Webcam Software\Logishrd\LU2.0\LogitechUpdate.exe 1 Link to post Share on other sites
Recommended Posts