
Happili.com Google Results Redirect


This topic is locked
22 replies to this topic

#1 lax01

  • Members
  • 12 posts
  • OFFLINE
  • Local time: 05:33 PM

Posted 24 April 2012 - 12:40 PM

Already ran ComboFix, TFC, TDSSKiller, and FixTDSS, but I believe I am still being intermittently and randomly redirected to Happili.com from Google search results.

Have also tried the usual suspects with little to no help (McAfee, Malwarebytes, Adware, etc.).

Have also tried uninstalling and reinstalling Firefox 11 (and literally just upgraded to Firefox 12); it was not a clean install, though. (I do not use Google on IE, so I do not know if this is occurring there.)


HijackThis log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:36:14 AM, on 4/24/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\ThinkPad\Utilities\TPHKMGR.EXE
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\taskeng.exe
C:\Users\ctsuser.CTSNJY18384\Desktop\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail.na.mattel.com/CookieAuth.dll?GetLogon?reason=2&formdir=5&curl=Z2Fowa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110614034914.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKCU\..\Run: [OfficeSyncProcess] "C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} (CSD ActiveX Installer) - https://vpnes.mattel.com/CACHE/sdesktop/install/binaries/instweb.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cognizant.webex.com/client/WBXclient-T27L10NSP25-10481/webex/ieatgpc1.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @C:\Windows\system32\CxAudMsg32.exe,-100 (CxAudMsg) - Conexant Systems Inc. - C:\Windows\system32\CxAudMsg32.exe
O23 - Service: Lenovo Doze Mode Service (DozeSvc) - Lenovo. - C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo. - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: Intel® Identity Protection Technology Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files\Intel\Services\IPT\jhi_service.exe
O23 - Service: Lenovo Camera Mute (LENOVO.CAMMUTE) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
O23 - Service: Lenovo Keyboard Noise Reduction (LENOVO.TPKNRSVC) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Cisco EnergyWise Enabler (PwmEWSvc) - Lenovo Group Limited - C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Conexant SmartAudio service (SAService) - Conexant Systems, Inc. - C:\Windows\system32\SAsrv.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe

--
End of file - 7824 bytes


DDS log:


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514
Run by at 10:37:45 on 2012-04-24
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3493.1975 [GMT -7:00]
.
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\CxAudMsg32.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Intel\Services\IPT\jhi_service.exe
C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\SAsrv.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE
C:\Windows\system32\CCM\CcmExec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\ThinkPad\Utilities\TPHKMGR.EXE
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://mail.na.mattel.com/CookieAuth.dll?GetLogon?reason=2&formdir=5&curl=Z2Fowa
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110614034914.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mRun: [TpHotkey] c:\progra~1\thinkpad\utilit~1\tphkmgr.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://vpnes.mattel.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://cognizant.webex.com/client/WBXclient-T27L10NSP25-10481/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 216.52.254.1 216.52.254.33
TCP: Interfaces\{6942CD59-420B-42F8-98AF-92E9079B8145} : DhcpNameServer = 4.2.2.2 4.2.2.3
TCP: Interfaces\{6942CD59-420B-42F8-98AF-92E9079B8145}\7445D205279667164756 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9320FF03-6500-4AD7-BA08-3A85D3AE6B18} : DhcpNameServer = 216.52.254.1 216.52.254.33
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ctsuser.ctsnjy18384\appdata\roaming\mozilla\firefox\profiles\t6d4leru.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\ctsuser.ctsnjy18384\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2011-10-13 25968]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-6-14 436728]
R0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-6-14 162928]
R1 enstart_;enstart_;c:\windows\system32\enstart_.sys [2012-1-13 77760]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2011-6-14 13680]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-4-18 221784]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2012-4-18 78936]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg32.exe [2012-1-19 190592]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\intel\services\ipt\jhi_service.exe [2011-2-7 210896]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\lenovo\communications utility\CamMute.exe [2011-10-13 40808]
R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\lenovo\communications utility\TPKNRSVC.exe [2011-10-13 59240]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-1-12 120128]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-6-14 159320]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2011-1-12 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-6-14 145936]
R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\thinkpad\utilities\PWMEWSVC.exe [2011-10-13 148840]
R2 risdxc;risdxc;c:\windows\system32\drivers\risdxc86.sys [2011-6-14 75264]
R2 SAService;Conexant SmartAudio service;c:\windows\system32\SASrv.exe [2012-1-19 446592]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-6-13 2656280]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\drivers\e1c6232.sys [2011-6-14 238760]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2011-11-20 270336]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-6-13 41088]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-6-14 171296]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-6-14 58456]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2011-5-1 7513088]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-4-18 69208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [2011-6-13 132096]
S3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-9 253088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-12-15 45352]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-1-20 29472]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-9-27 62464]
S3 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2011-10-13 292200]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-1-20 132480]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2011-1-20 126064]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-6-14 85152]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2011-10-13 83304]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-9-27 15872]
S3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2011-4-9 48640]
S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2011-4-9 38912]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-3-9 1006624]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-4-18 69208]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2012-4-18 94040]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2011-9-27 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2011-9-27 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-9-27 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2011-9-27 27264]
S3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2011-9-27 112640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-1-20 1343400]
S4 enstart;enstart;c:\windows\system32\enstart.exe [2012-1-13 929792]
.
=============== Created Last 30 ================
.
2012-04-24 06:05:29 6273872 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2012-04-24 06:05:27 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b357f1fe-9710-482c-aef3-3b5b9510d2f4}\mpengine.dll
2012-04-24 04:10:44 -------- d-----w- c:\users\ctsuser.ctsnjy18384\appdata\roaming\Malwarebytes
2012-04-24 04:10:38 -------- d-----w- c:\programdata\Malwarebytes
2012-04-24 04:10:37 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-24 04:10:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-24 00:08:15 611224 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2012-04-21 01:07:51 -------- d-sh--w- C:\$RECYCLE.BIN
2012-04-21 01:06:49 -------- d-----w- c:\users\ctsuser.ctsnjy18384\appdata\local\temp
2012-04-21 01:01:37 98816 ----a-w- c:\windows\sed.exe
2012-04-21 01:01:37 518144 ----a-w- c:\windows\SWREG.exe
2012-04-21 01:01:37 256000 ----a-w- c:\windows\PEV.exe
2012-04-21 01:01:37 208896 ----a-w- c:\windows\MBR.exe
2012-04-19 16:14:48 11215 ----a-w- c:\windows\system32\drivers\TPHKDRV.SYS
2012-04-19 16:14:43 306688 ----a-w- c:\windows\IsUninst.exe
2012-04-19 00:59:53 33080 ----a-w- c:\windows\system32\drivers\psadd.sys
2012-04-18 17:09:08 94040 ----a-w- c:\windows\system32\drivers\sbhips.sys
2012-04-18 17:09:07 78936 ----a-w- c:\windows\system32\drivers\sbtis.sys
2012-04-18 17:09:03 69208 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2012-04-18 17:09:02 221784 ----a-w- c:\windows\system32\drivers\SbFw.sys
2012-04-18 16:56:58 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-18 16:56:58 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-18 16:56:58 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-18 16:56:58 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-18 16:56:24 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-18 16:56:24 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-18 16:52:59 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-04-18 16:52:58 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-04-18 16:52:55 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-18 16:52:54 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-18 16:52:54 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-18 16:52:35 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-04-18 16:52:35 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-04-18 16:52:34 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-04-18 16:52:34 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-10 02:25:13 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-10 01:34:25 -------- d-----w- c:\users\ctsuser.ctsnjy18384\appdata\local\{7730191F-8261-11E1-826D-B8AC6F996F26}
2012-04-04 05:53:56 182160 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-04-17 02:51:23 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-28 05:38:52 981504 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 03:52:27 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 17:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-14 19:09:44 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
.
============= FINISH: 10:38:02.29 ===============


Any help would be very much appreciated.

Thank you

-Josh

Edited by lax01, 24 April 2012 - 03:22 PM.



#2 lax01

  • Topic Starter
  • Members
  • 12 posts
  • OFFLINE
  • Local time: 05:33 PM

Posted 24 April 2012 - 01:08 PM

GMER log (also attached):

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-24 11:07:55
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.MC10
Running: 3lqx9qem.exe; Driver: C:\Users\CTSUSE~1.CTS\AppData\Local\Temp\awldqpog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8C9C0098]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8C9C00C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8C9C00AE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8C9C0084]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 832445C5 5 Bytes JMP 8C9C0088 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKey + 13C1 83256359 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8328FD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!NtMapViewOfSection 8345F512 7 Bytes JMP 8C9C009C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 83473BCD 5 Bytes JMP 8C9C00C6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8347D85A 5 Bytes JMP 8C9C00B2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? C:\Users\CTSUSE~1.CTS\AppData\Local\Temp\aswMBR.sys The system cannot find the file specified. !
? C:\Users\CTSUSE~1.CTS\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
.text autochk.exe 002111D2 1 Byte [54]
.text autochk.exe 002111D2 3 Bytes [54, 00, 65]
.text autochk.exe 002111D6 1 Byte [6D]
.text autochk.exe 002111D6 3 Bytes [6D, 00, 70]
.text autochk.exe 002111DC 1 Byte [54]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[576] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 002C0000
.text C:\Windows\system32\services.exe[576] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 002C0036
.text C:\Windows\system32\services.exe[576] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 002C0011
.text C:\Windows\system32\services.exe[576] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 002B0F3F
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 002B00A8
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 002B008D
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 002B0025
.text C:\Windows\system32\services.exe[576] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 002B0F7C
.text C:\Windows\system32\services.exe[576] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 002B004A
.text C:\Windows\system32\services.exe[576] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 002B0F8D
.text C:\Windows\system32\services.exe[576] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 002B0EEE
.text C:\Windows\system32\services.exe[576] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 002B0FB9
.text C:\Windows\system32\services.exe[576] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 002B0F2E
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 002B0FEF
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 002B0000
.text C:\Windows\system32\services.exe[576] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 002B0FA8
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 002B0F50
.text C:\Windows\system32\services.exe[576] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 002B0FCA
.text C:\Windows\system32\services.exe[576] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 002B0F13
.text C:\Windows\system32\services.exe[576] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 002B0F61
.text C:\Windows\system32\services.exe[576] msvcrt.dll!_open 75C47E48 5 Bytes JMP 00AD0000
.text C:\Windows\system32\services.exe[576] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 00AD0FA6
.text C:\Windows\system32\services.exe[576] msvcrt.dll!system 75C7B177 5 Bytes JMP 00AD0FB7
.text C:\Windows\system32\services.exe[576] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 00AD001D
.text C:\Windows\system32\services.exe[576] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 00AD0FC8
.text C:\Windows\system32\services.exe[576] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 00AD0FE3
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 002D0000
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 002D0FD1
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 002D0058
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 002D0FB6
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 002D0011
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 002D0FA5
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 002D003D
.text C:\Windows\system32\services.exe[576] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 002D0022
.text C:\Windows\system32\services.exe[576] WS2_32.dll!socket 75943EB8 5 Bytes JMP 002E0000
.text C:\Windows\system32\lsass.exe[592] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 001A0000
.text C:\Windows\system32\lsass.exe[592] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 001A0FE5
.text C:\Windows\system32\lsass.exe[592] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 001A001B
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 00190073
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 00190F1B
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 001900B0
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 00190011
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 00190F76
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 0019003D
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 00190058
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 001900D5
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 0019002C
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 00190084
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 00190000
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 00190FE5
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 00190FA5
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 00190F4A
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 00190FC0
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 00190095
.text C:\Windows\system32\lsass.exe[592] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 00190F65
.text C:\Windows\system32\lsass.exe[592] msvcrt.dll!_open 75C47E48 5 Bytes JMP 00880000
.text C:\Windows\system32\lsass.exe[592] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 0088006B
.text C:\Windows\system32\lsass.exe[592] msvcrt.dll!system 75C7B177 5 Bytes JMP 0088005A
.text C:\Windows\system32\lsass.exe[592] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 0088002E
.text C:\Windows\system32\lsass.exe[592] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 0088003F
.text C:\Windows\system32\lsass.exe[592] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 0088001D
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 001B0FEF
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 001B0040
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 001B006C
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 001B0051
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 001B000A
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 001B0FAF
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 001B0025
.text C:\Windows\system32\lsass.exe[592] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 001B0FD4
.text C:\Windows\system32\lsass.exe[592] WS2_32.dll!socket 75943EB8 5 Bytes JMP 001C0000
.text C:\Windows\system32\svchost.exe[708] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 002E000A
.text C:\Windows\system32\svchost.exe[708] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 002E0036
.text C:\Windows\system32\svchost.exe[708] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 002E001B
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 002D0F5B
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 002D0F00
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 002D009F
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 002D0011
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 002D004E
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 002D003D
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 002D0F80
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 002D0EEF
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 002D0F9B
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 002D0F4A
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 002D0FCA
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 002D0FEF
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 002D0022
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 002D007A
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 002D0000
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 002D0F25
.text C:\Windows\system32\svchost.exe[708] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 002D005F
.text C:\Windows\system32\svchost.exe[708] msvcrt.dll!_open 75C47E48 5 Bytes JMP 00310000
.text C:\Windows\system32\svchost.exe[708] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 00310049
.text C:\Windows\system32\svchost.exe[708] msvcrt.dll!system 75C7B177 5 Bytes JMP 00310FC8
.text C:\Windows\system32\svchost.exe[708] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 0031002E
.text C:\Windows\system32\svchost.exe[708] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 00310FD9
.text C:\Windows\system32\svchost.exe[708] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 0031001D
.text C:\Windows\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 002F0000
.text C:\Windows\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 002F0FC0
.text C:\Windows\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 002F0F94
.text C:\Windows\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 002F0FA5
.text C:\Windows\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 002F0011
.text C:\Windows\system32\svchost.exe[708] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 002F0F79
.text C:\Windows\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 002F0022
.text C:\Windows\system32\svchost.exe[708] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 002F0FD1
.text C:\Windows\system32\svchost.exe[708] WS2_32.dll!socket 75943EB8 5 Bytes JMP 00300000
.text C:\Windows\system32\svchost.exe[828] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 003B000A
.text C:\Windows\system32\svchost.exe[828] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 003B0FD4
.text C:\Windows\system32\svchost.exe[828] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 003B0FEF
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 002D006F
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 002D00AC
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 002D0F17
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 002D0FC0
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 002D0F61
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 002D0F83
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 002D0F72
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 002D00BD
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 002D0FA5
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 002D0080
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 002D0011
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 002D0000
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 002D0F94
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 002D0F46
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 002D0FDB
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 002D0091
.text C:\Windows\system32\svchost.exe[828] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 002D0054
.text C:\Windows\system32\svchost.exe[828] msvcrt.dll!_open 75C47E48 5 Bytes JMP 0042000C
.text C:\Windows\system32\svchost.exe[828] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 00420FCA
.text C:\Windows\system32\svchost.exe[828] msvcrt.dll!system 75C7B177 5 Bytes JMP 0042005F
.text C:\Windows\system32\svchost.exe[828] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 00420033
.text C:\Windows\system32\svchost.exe[828] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 0042004E
.text C:\Windows\system32\svchost.exe[828] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 00420FEF
.text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 003C0000
.text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 003C0FA5
.text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 003C002C
.text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 003C0F8A
.text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 003C0FE5
.text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 003C0F79
.text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 003C0FC0
.text C:\Windows\system32\svchost.exe[828] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 003C001B
.text C:\Windows\system32\svchost.exe[828] WS2_32.dll!socket 75943EB8 5 Bytes JMP 00410000
.text C:\Windows\System32\svchost.exe[888] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 00A00000
.text C:\Windows\System32\svchost.exe[888] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 00A00011
.text C:\Windows\System32\svchost.exe[888] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 00A00FE5
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 009F0076
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 009F00BD
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 009F00AC
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 009F000A
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 009F0F72
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 009F0F83
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 009F0040
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 009F0F03
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 009F0F9E
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 009F0087
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 009F0FD4
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 009F0FE5
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 009F0025
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 009F0F4D
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 009F0FB9
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 009F0F32
.text C:\Windows\System32\svchost.exe[888] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 009F005B
.text C:\Windows\System32\svchost.exe[888] msvcrt.dll!_open 75C47E48 5 Bytes JMP 00AB0FE3
.text C:\Windows\System32\svchost.exe[888] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 00AB002C
.text C:\Windows\System32\svchost.exe[888] msvcrt.dll!system 75C7B177 5 Bytes JMP 00AB0FA1
.text C:\Windows\System32\svchost.exe[888] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 00AB0011
.text C:\Windows\System32\svchost.exe[888] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 00AB0FBC
.text C:\Windows\System32\svchost.exe[888] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 00AB0000
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 00A1000A
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 00A1002C
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 00A10047
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 00A10FA5
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 00A10FEF
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 00A10F8A
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 00A1001B
.text C:\Windows\System32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 00A10FCA
.text C:\Windows\System32\svchost.exe[888] WS2_32.dll!socket 75943EB8 5 Bytes JMP 00A60FE5
.text C:\Windows\System32\svchost.exe[920] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 00AE0FEF
.text C:\Windows\System32\svchost.exe[920] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 00AE0FD4
.text C:\Windows\System32\svchost.exe[920] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 00AE0014
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 00A90F46
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 00A900A5
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 00A90F10
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 00A90FCA
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 00A90F83
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 00A90FA5
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 00A90F94
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 00A90EF5
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 00A90036
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 00A90F2B
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 00A90FEF
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 00A9000A
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 00A90047
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 00A90F61
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 00A90025
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 00A9008A
.text C:\Windows\System32\svchost.exe[920] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 00A90F72
.text C:\Windows\System32\svchost.exe[920] msvcrt.dll!_open 75C47E48 5 Bytes JMP 00BD0FE3
.text C:\Windows\System32\svchost.exe[920] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 00BD0F90
.text C:\Windows\System32\svchost.exe[920] msvcrt.dll!system 75C7B177 5 Bytes JMP 00BD001B
.text C:\Windows\System32\svchost.exe[920] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 00BD0FC6
.text C:\Windows\System32\svchost.exe[920] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 00BD0FB5
.text C:\Windows\System32\svchost.exe[920] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 00BD0000
.text C:\Windows\System32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 00AF000A
.text C:\Windows\System32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 00AF0FDE
.text C:\Windows\System32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 00AF0076
.text C:\Windows\System32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 00AF0065
.text C:\Windows\System32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 00AF0025
.text C:\Windows\System32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 00AF0091
.text C:\Windows\System32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 00AF0FEF
.text C:\Windows\System32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 00AF0036
.text C:\Windows\System32\svchost.exe[920] WS2_32.dll!socket 75943EB8 5 Bytes JMP 00B80FEF
.text C:\Windows\system32\svchost.exe[948] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 00CE000A
.text C:\Windows\system32\svchost.exe[948] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 00CE0FE5
.text C:\Windows\system32\svchost.exe[948] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 00CE001B
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 00CD0F3C
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 00CD0EE4
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 00CD0EFF
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 00CD0025
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 00CD0F83
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 00CD0F9E
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 00CD005B
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 00CD0094
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 00CD0040
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 00CD0F21
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 00CD0FDE
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 00CD0FEF
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 00CD0FAF
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 00CD0F4D
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 00CD0014
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 00CD0F10
.text C:\Windows\system32\svchost.exe[948] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 00CD0F5E
.text C:\Windows\system32\svchost.exe[948] msvcrt.dll!_open 75C47E48 5 Bytes JMP 012B0000
.text C:\Windows\system32\svchost.exe[948] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 012B0FBE
.text C:\Windows\system32\svchost.exe[948] msvcrt.dll!system 75C7B177 5 Bytes JMP 012B003F
.text C:\Windows\system32\svchost.exe[948] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 012B002E
.text C:\Windows\system32\svchost.exe[948] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 012B0FD9
.text C:\Windows\system32\svchost.exe[948] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 012B001D
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 00C80FE5
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 00C80F97
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 00C80028
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 00C80F86
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 00C80FD4
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 00C80F6B
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 00C80FB2
.text C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 00C80FC3
.text C:\Windows\system32\svchost.exe[948] WS2_32.dll!socket 75943EB8 5 Bytes JMP 01120000
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 00370FE5
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 00370FD4
.text C:\Windows\system32\svchost.exe[1184] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 00370000
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 0036006F
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 003600A5
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 00360F10
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW 75AA2D47 3 Bytes JMP 0036002F
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW + 4 75AA2D4B 1 Byte [8A]
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 0036004A
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 00360F97
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 00360F7C
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 00360EF5
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 00360FC3
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 00360F2B
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 00360FEF
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 0036000A
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 00360FA8
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 00360F3C
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 00360FDE
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 0036008A
.text C:\Windows\system32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 00360F57
.text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_open 75C47E48 5 Bytes JMP 00390FEF
.text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 00390FBC
.text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!system 75C7B177 5 Bytes JMP 0039003D
.text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 00390FCD
.text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 00390022
.text C:\Windows\system32\svchost.exe[1184] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 00390FDE
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 00180FEF
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 00180039
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 00180FB2
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 00180054
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 0018000A
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 0018006F
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 00180FC3
.text C:\Windows\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 00180FDE
.text C:\Windows\system32\svchost.exe[1184] WS2_32.dll!socket 75943EB8 5 Bytes JMP 00380FE5
.text C:\Windows\system32\svchost.exe[1268] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 01970FEF
.text C:\Windows\system32\svchost.exe[1268] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 01970011
.text C:\Windows\system32\svchost.exe[1268] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 01970000
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 01910080
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 01910F17
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 01910F32
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 01910FC0
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 01910F72
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 01910F9E
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 01910F8D
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 01910EFC
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 0191002C
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 0191009B
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 0191001B
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 01910000
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 01910FAF
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 0191006F
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 01910FE5
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 019100AC
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 01910F61
.text C:\Windows\system32\svchost.exe[1268] msvcrt.dll!_open 75C47E48 5 Bytes JMP 01920FEF
.text C:\Windows\system32\svchost.exe[1268] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 0192003D
.text C:\Windows\system32\svchost.exe[1268] msvcrt.dll!system 75C7B177 5 Bytes JMP 01920FB2
.text C:\Windows\system32\svchost.exe[1268] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 01920018
.text C:\Windows\system32\svchost.exe[1268] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 01920FC3
.text C:\Windows\system32\svchost.exe[1268] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 01920FDE
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 016F0000
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 016F0FC0
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 016F003D
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 016F0FA5
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 016F0011
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 016F0F80
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 016F0FD1
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 016F0022
.text C:\Windows\system32\svchost.exe[1268] WS2_32.dll!socket 75943EB8 5 Bytes JMP 01900FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 0060000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 00600FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 00600FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 005E0F6F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 005E00CE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 005E0F43
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 005E002C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 005E0F8A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 005E0F9B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 005E0062
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 005E00E9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 005E0FB6
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 005E00B3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 005E0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 005E0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 005E0047
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 005E0098
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 005E0011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 005E0F54
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 005E007D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] msvcrt.dll!_open 75C47E48 5 Bytes JMP 005F0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 005F0F9A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] msvcrt.dll!system 75C7B177 5 Bytes JMP 005F0025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 005F0FC6
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 005F0FAB
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 005F0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 003C0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 003C001B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 003C0040
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 003C0F9E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 003C0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 003C0051
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 003C0FB9
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 003C0FCA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1312] WS2_32.dll!socket 75943EB8 5 Bytes JMP 003F0FEF
.text C:\Windows\system32\svchost.exe[1364] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 00350000
.text C:\Windows\system32\svchost.exe[1364] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 00350FDE
.text C:\Windows\system32\svchost.exe[1364] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 00350FEF
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 0023008A
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 002300C7
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 002300AC
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 00230FB9
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 00230F86
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 00230F97
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 00230054
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 00230F0D
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 00230025
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 00230F3C
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 00230FEF
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 0023000A
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 00230FA8
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 00230F61
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 00230FCA
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 0023009B
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 0023006F
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_open 75C47E48 5 Bytes JMP 00240FEF
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 0024006E
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!system 75C7B177 5 Bytes JMP 0024005D
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 00240027
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 00240038
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 0024000C
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 00220FE5
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 00220FAF
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 00220036
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 00220F94
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 00220000
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 00220F79
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 0022001B
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 00220FCA
.text C:\Windows\system32\svchost.exe[1552] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 009F0000
.text C:\Windows\system32\svchost.exe[1552] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 009F0FCA
.text C:\Windows\system32\svchost.exe[1552] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 009F0FE5
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 0099009F
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 00990F39
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 00990F54
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 00990FCA
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 00990058
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 0099003D
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 00990F76
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 00990F28
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 00990FAF
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 009900BA
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 00990011
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 00990000
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 0099002C
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 0099008E
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 00990FDB
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 00990F65
.text C:\Windows\system32\svchost.exe[1552] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 00990073
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_open 75C47E48 5 Bytes JMP 009A0FEF
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 009A0FB2
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!system 75C7B177 5 Bytes JMP 009A0033
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 009A0022
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 009A0FCD
.text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 009A0FDE
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 00930FE5
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 00930F97
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 0093001E
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 00930F86
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 00930FD4
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 00930F61
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 00930FA8
.text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 00930FB9
.text C:\Windows\system32\svchost.exe[1552] WS2_32.dll!socket 75943EB8 5 Bytes JMP 00980FEF
.text C:\Windows\System32\svchost.exe[1760] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 0050000A
.text C:\Windows\System32\svchost.exe[1760] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 00500FEF
.text C:\Windows\System32\svchost.exe[1760] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 0050001B
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 00490F5E
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 004900C4
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 004900B3
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 00490FB9
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 00490F83
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 00490040
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 0049005B
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 00490F14
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 00490F9E
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 00490F43
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 00490FE5
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 00490000
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 0049002F
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 00490087
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 00490FCA
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 004900A2
.text C:\Windows\System32\svchost.exe[1760] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 00490076
.text C:\Windows\System32\svchost.exe[1760] msvcrt.dll!_open 75C47E48 5 Bytes JMP 004E0000
.text C:\Windows\System32\svchost.exe[1760] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 004E0044
.text C:\Windows\System32\svchost.exe[1760] msvcrt.dll!system 75C7B177 5 Bytes JMP 004E0033
.text C:\Windows\System32\svchost.exe[1760] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 004E0FD7
.text C:\Windows\System32\svchost.exe[1760] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 004E0022
.text C:\Windows\System32\svchost.exe[1760] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 004E0011
.text C:\Windows\System32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 001D0FE5
.text C:\Windows\System32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 001D002F
.text C:\Windows\System32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 001D0054
.text C:\Windows\System32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 001D0FA8
.text C:\Windows\System32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 001D0FD4
.text C:\Windows\System32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 001D0065
.text C:\Windows\System32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 001D001E
.text C:\Windows\System32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 001D0FC3
.text C:\Windows\System32\svchost.exe[1760] WS2_32.dll!socket 75943EB8 5 Bytes JMP 00480000
.text C:\Windows\System32\svchost.exe[1760] WININET.dll!InternetOpenW 76F49197 5 Bytes JMP 004F001B
.text C:\Windows\System32\svchost.exe[1760] WININET.dll!InternetOpenA 76F4F18E 5 Bytes JMP 004F000A
.text C:\Windows\System32\svchost.exe[1760] WININET.dll!InternetOpenUrlA 76F630E9 5 Bytes JMP 004F002C
.text C:\Windows\System32\svchost.exe[1760] WININET.dll!InternetOpenUrlW 76F9BF94 5 Bytes JMP 004F0FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 02130000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 0213001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 02130FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 021100AC
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 02110F2B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 02110F3C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 0211001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 0211007D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 02110047
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 0211006C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 02110F10
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 0211002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 02110F5E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 02110FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 02110000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 02110FA5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 02110F83
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 02110FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 02110F4D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 02110F94
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] msvcrt.dll!_open 75C47E48 5 Bytes JMP 0212000C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 02120FCD
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] msvcrt.dll!system 75C7B177 5 Bytes JMP 02120FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 02120044
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 02120FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 02120029
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 019D000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 019D003D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 019D0058
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 019D0FB6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 019D001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 019D0F9B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 019D002C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 019D0FDB
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1888] WS2_32.dll!socket 75943EB8 5 Bytes JMP 02100000
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2584] USER32.dll!SetWindowLongA 75B58BA3 5 Bytes JMP 65765EE6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2584] USER32.dll!SetWindowLongW 75B64449 5 Bytes JMP 65765E78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2584] USER32.dll!GetWindowInfo 75B64B5E 5 Bytes JMP 65554822 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2584] USER32.dll!TrackPopupMenu 75B72228 5 Bytes JMP 65554DD6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\Explorer.EXE[3564] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 01DE0FEF
.text C:\Windows\Explorer.EXE[3564] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 01DE0FD4
.text C:\Windows\Explorer.EXE[3564] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 01DE000A
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 01DC008E
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 01DC0F40
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 01DC00CB
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 01DC001B
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 01DC0058
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 01DC003D
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 01DC0F76
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 01DC00E6
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 01DC002C
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 01DC00A9
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 01DC0000
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 01DC0FE5
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 01DC0F9B
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 01DC0073
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 01DC0FCA
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 01DC00BA
.text C:\Windows\Explorer.EXE[3564] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 01DC0F65
.text C:\Windows\Explorer.EXE[3564] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 01DB0000
.text C:\Windows\Explorer.EXE[3564] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 01DB0FB9
.text C:\Windows\Explorer.EXE[3564] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 01DB005B
.text C:\Windows\Explorer.EXE[3564] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 01DB004A
.text C:\Windows\Explorer.EXE[3564] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 01DB0011
.text C:\Windows\Explorer.EXE[3564] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 01DB006C
.text C:\Windows\Explorer.EXE[3564] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 01DB0FCA
.text C:\Windows\Explorer.EXE[3564] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 01DB0FE5
.text C:\Windows\Explorer.EXE[3564] msvcrt.dll!_open 75C47E48 5 Bytes JMP 01DD0FEF
.text C:\Windows\Explorer.EXE[3564] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 01DD005D
.text C:\Windows\Explorer.EXE[3564] msvcrt.dll!system 75C7B177 5 Bytes JMP 01DD0042
.text C:\Windows\Explorer.EXE[3564] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 01DD0FD2
.text C:\Windows\Explorer.EXE[3564] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 01DD0027
.text C:\Windows\Explorer.EXE[3564] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 01DD000C
.text C:\Windows\Explorer.EXE[3564] WININET.dll!InternetOpenW 76F49197 5 Bytes JMP 03C9000A
.text C:\Windows\Explorer.EXE[3564] WININET.dll!InternetOpenA 76F4F18E 5 Bytes JMP 03C90FEF
.text C:\Windows\Explorer.EXE[3564] WININET.dll!InternetOpenUrlA 76F630E9 5 Bytes JMP 03C90FDE
.text C:\Windows\Explorer.EXE[3564] WININET.dll!InternetOpenUrlW 76F9BF94 5 Bytes JMP 03C90025
.text C:\Windows\Explorer.EXE[3564] WS2_32.dll!socket 75943EB8 5 Bytes JMP 01E30FEF
.text C:\Program Files\Mozilla Firefox\firefox.exe[4172] ntdll.dll!LdrLoadDll 7708223E 5 Bytes JMP 653DC930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4172] kernel32.dll!MapViewOfFile 75AB93DB 5 Bytes JMP 6560E083 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4172] kernel32.dll!VirtualAlloc 75ABC43A 5 Bytes JMP 6560E0AA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4172] GDI32.dll!CreateDIBSection 76D78850 5 Bytes JMP 6560E00D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 00040FEF
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 00040FDE
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 0004000A
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 00010F68
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 000100BD
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 00010F1E
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 0001002C
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 00010F83
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 00010FAF
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 00010F9E
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 00010F0D
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 00010FC0
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 00010F43
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 0001001B
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 0001000A
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 00010051
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!SetUnhandledExceptionFilter 75ABF4FB 5 Bytes JMP 63076376 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 00010091
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 00010FE5
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 000100A2
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 00010076
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] msvcrt.dll!_open 75C47E48 5 Bytes JMP 00080FEF
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 00080042
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] msvcrt.dll!system 75C7B177 5 Bytes JMP 00080FAD
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 0008000C
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 00080027
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 00080FD2
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 00090FEF
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 00090FCA
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 00090F9E
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 00090FAF
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 0009000A
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 00090065
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 00090036
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 00090025
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] ole32.dll!OleLoadFromStream 76DC6143 4 Bytes JMP 63935530 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] WININET.dll!InternetOpenW 76F49197 5 Bytes JMP 026A000A
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] WININET.dll!InternetOpenA 76F4F18E 5 Bytes JMP 026A0FEF
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] WININET.dll!InternetOpenUrlA 76F630E9 5 Bytes JMP 026A0FCA
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] WININET.dll!InternetOpenUrlW 76F9BF94 5 Bytes JMP 026A001B
.text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[5140] WS2_32.dll!socket 75943EB8 5 Bytes JMP 02DE0FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 00040FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 00040FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 00040FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 00010F79
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 000100F3
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 00010F5E
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 00010FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 00010087
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 0001005B
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 00010076
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 0001010E
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 00010025
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 000100BD
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 00010FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 00010000
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 0001004A
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 000100AC
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 00010FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 000100D8
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 00010F94
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ADVAPI32.dll!RegOpenKeyA 7581CC15 3 Bytes JMP 000D0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ADVAPI32.dll!RegOpenKeyA + 4 7581CC19 1 Byte [8A]
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ADVAPI32.dll!RegCreateKeyA 7581CD01 3 Bytes JMP 000D0FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ADVAPI32.dll!RegCreateKeyA + 4 7581CD05 1 Byte [8A]
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 000D005E
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 000D0FB2
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 000D0FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 000D006F
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 000D002F
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 000D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] msvcrt.dll!_open 75C47E48 5 Bytes JMP 000E0000
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 000E0FC1
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] msvcrt.dll!system 75C7B177 5 Bytes JMP 000E0042
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 000E0FD2
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 000E0027
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 000E0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] USER32.dll!CreateWindowExW 75B5EC7C 5 Bytes JMP 5D3138B4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] USER32.dll!DialogBoxParamW 75B73B9B 5 Bytes JMP 5D247F51 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] USER32.dll!DialogBoxIndirectParamW 75B83B7F 5 Bytes JMP 5D44DEC8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] USER32.dll!DialogBoxParamA 75B9CF42 3 Bytes JMP 5D44DE65 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] USER32.dll!DialogBoxParamA + 4 75B9CF46 1 Byte [E7]
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] USER32.dll!DialogBoxIndirectParamA 75B9D274 3 Bytes JMP 5D44DF2B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] USER32.dll!DialogBoxIndirectParamA + 4 75B9D278 1 Byte [E7]
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] USER32.dll!MessageBoxIndirectA 75BAE869 5 Bytes JMP 5D44DDFA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] USER32.dll!MessageBoxIndirectW 75BAE963 5 Bytes JMP 5D44DD8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] USER32.dll!MessageBoxExA 75BAE9C9 5 Bytes JMP 5D44DD2D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] USER32.dll!MessageBoxExW 75BAE9ED 5 Bytes JMP 5D44DCCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] WININET.dll!InternetOpenW 76F49197 5 Bytes JMP 000F0011
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] WININET.dll!InternetOpenA 76F4F18E 5 Bytes JMP 000F0000
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] WININET.dll!InternetOpenUrlA 76F630E9 5 Bytes JMP 000F0FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] WININET.dll!InternetOpenUrlW 76F9BF94 5 Bytes JMP 000F002C
.text C:\Program Files\Internet Explorer\iexplore.exe[5156] ws2_32.DLL!socket 75943EB8 5 Bytes JMP 00280000
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 00040000
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 00040FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 00040FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 000100BA
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!CreateProcessW 75A7204D 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 00010F51
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 00010F62
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 00010036
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 0001008E
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 00010062
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 00010073
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 00010101
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 00010FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 000100D5
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 00010FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 00010000
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 00010051
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 00010F91
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 0001001B
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 000100E6
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 0001009F
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ADVAPI32.dll!RegOpenKeyA 7581CC15 3 Bytes JMP 000D0000
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ADVAPI32.dll!RegOpenKeyA + 4 7581CC19 1 Byte [8A]
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ADVAPI32.dll!RegCreateKeyA 7581CD01 3 Bytes JMP 000D0FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ADVAPI32.dll!RegCreateKeyA + 4 7581CD05 1 Byte [8A]
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 000D0051
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 000D0FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 000D0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 000D0F94
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 000D0036
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 000D0025
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] msvcrt.dll!_open 75C47E48 5 Bytes JMP 000E0FE3
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 000E0F9C
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] msvcrt.dll!system 75C7B177 5 Bytes JMP 000E0031
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 000E0FC1
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 000E0016
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 000E0FD2
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!CallNextHookEx 75B5ABE1 5 Bytes JMP 5D283CA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!UnhookWindowsHookEx 75B5ADF9 5 Bytes JMP 5D33D937 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!SetWindowsHookExW 75B5E30C 5 Bytes JMP 5D2D7DF1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!CreateWindowExW 75B5EC7C 5 Bytes JMP 5D3138B4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!DialogBoxParamW 75B73B9B 5 Bytes JMP 5D247F51 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!DialogBoxIndirectParamW 75B83B7F 5 Bytes JMP 5D44DEC8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!DialogBoxParamA 75B9CF42 3 Bytes JMP 5D44DE65 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!DialogBoxParamA + 4 75B9CF46 1 Byte [E7]
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!DialogBoxIndirectParamA 75B9D274 3 Bytes JMP 5D44DF2B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!DialogBoxIndirectParamA + 4 75B9D278 1 Byte [E7]
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!MessageBoxIndirectA 75BAE869 5 Bytes JMP 5D44DDFA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!MessageBoxIndirectW 75BAE963 5 Bytes JMP 5D44DD8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!MessageBoxExA 75BAE9C9 5 Bytes JMP 5D44DD2D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!MessageBoxExW 75BAE9ED 5 Bytes JMP 5D44DCCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ole32.dll!OleLoadFromStream 76DC6143 5 Bytes JMP 5D44E226 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ole32.dll!CoCreateInstance 76E09D0B 5 Bytes JMP 5D313442 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] WININET.dll!InternetOpenW 76F49197 5 Bytes JMP 000F0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] WININET.dll!InternetOpenA 76F4F18E 5 Bytes JMP 000F0000
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] WININET.dll!InternetOpenUrlA 76F630E9 5 Bytes JMP 000F0025
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] WININET.dll!InternetOpenUrlW 76F9BF94 5 Bytes JMP 000F0040
.text C:\Program Files\Internet Explorer\iexplore.exe[5208] ws2_32.DLL!socket 75943EB8 5 Bytes JMP 01B30000
.text C:\Windows\system32\svchost.exe[5388] ntdll.dll!NtCreateFile 770655C8 5 Bytes JMP 00040000
.text C:\Windows\system32\svchost.exe[5388] ntdll.dll!NtCreateProcess 77065698 5 Bytes JMP 00040FDB
.text C:\Windows\system32\svchost.exe[5388] ntdll.dll!NtProtectVirtualMemory 77065F18 5 Bytes JMP 00040011
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!GetStartupInfoA 75A71E10 5 Bytes JMP 00010F68
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!CreateProcessW 75A7204D 5 Bytes JMP 000100EC
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!CreateProcessA 75A72082 5 Bytes JMP 000100D1
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!CreateNamedPipeW 75AA2D47 5 Bytes JMP 00010FC3
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!VirtualProtect 75AB2BCD 5 Bytes JMP 0001006C
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!LoadLibraryExA 75AB4466 5 Bytes JMP 0001004A
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!LoadLibraryExW 75AB5079 5 Bytes JMP 0001005B
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!GetProcAddress 75ABCC94 5 Bytes JMP 000100FD
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!LoadLibraryA 75ABDC65 5 Bytes JMP 0001002F
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!GetStartupInfoW 75ABE2DD 5 Bytes JMP 00010F57
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!CreateFileW 75ABE8A5 5 Bytes JMP 00010FDE
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!CreateFileA 75ABEA61 5 Bytes JMP 00010FEF
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!LoadLibraryW 75ABEF42 5 Bytes JMP 00010FA8
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!CreatePipe 75AD12A6 5 Bytes JMP 00010F83
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!CreateNamedPipeA 75AFDBA8 5 Bytes JMP 00010014
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!WinExec 75AFEDB2 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!WinExec 75AFEDB2 5 Bytes JMP 000100B6
.text C:\Windows\system32\svchost.exe[5388] kernel32.dll!VirtualProtectEx 75AFFD51 5 Bytes JMP 00010087
.text C:\Windows\system32\svchost.exe[5388] msvcrt.dll!_open 75C47E48 5 Bytes JMP 000E0FEF
.text C:\Windows\system32\svchost.exe[5388] msvcrt.dll!_wsystem 75C7B057 5 Bytes JMP 000E0F9C
.text C:\Windows\system32\svchost.exe[5388] msvcrt.dll!system 75C7B177 5 Bytes JMP 000E0FAD
.text C:\Windows\system32\svchost.exe[5388] msvcrt.dll!_creat 75C7ED31 5 Bytes JMP 000E000C
.text C:\Windows\system32\svchost.exe[5388] msvcrt.dll!_wcreat 75C80396 5 Bytes JMP 000E0027
.text C:\Windows\system32\svchost.exe[5388] msvcrt.dll!_wopen 75C80578 5 Bytes JMP 000E0FDE
.text C:\Windows\system32\svchost.exe[5388] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 001F0FE5
.text C:\Windows\system32\svchost.exe[5388] ADVAPI32.dll!RegCreateKeyA 7581CD01 5 Bytes JMP 001F001B
.text C:\Windows\system32\svchost.exe[5388] ADVAPI32.dll!RegCreateKeyExA 75821469 5 Bytes JMP 001F0F8A
.text C:\Windows\system32\svchost.exe[5388] ADVAPI32.dll!RegCreateKeyW 75821514 5 Bytes JMP 001F002C
.text C:\Windows\system32\svchost.exe[5388] ADVAPI32.dll!RegOpenKeyW 75822459 5 Bytes JMP 001F0FD4
.text C:\Windows\system32\svchost.exe[5388] ADVAPI32.dll!RegCreateKeyExW 758240FE 5 Bytes JMP 001F0F6F
.text C:\Windows\system32\svchost.exe[5388] ADVAPI32.dll!RegOpenKeyExW 7582468D 5 Bytes JMP 001F0FB9
.text C:\Windows\system32\svchost.exe[5388] ADVAPI32.dll!RegOpenKeyExA 75824907 5 Bytes JMP 001F0000
.text C:\Windows\system32\svchost.exe[5388] WS2_32.dll!socket 75943EB8 3 Bytes JMP 00200000
.text C:\Windows\system32\svchost.exe[5388] WS2_32.dll!socket + 4 75943EBC 1 Byte [8A]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\tdx \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)

Device \Driver\ACPI_HAL \Device\0000006a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\RawIp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\5cac4cceecba
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\5cac4cceecba (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Users\ctsuser.CTSNJY18384\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J035KGJU\activityfeed[1] 2539 bytes
File C:\Users\ctsuser.CTSNJY18384\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\URX9OZ2M\Browser Compatability Matrix (2).xlsx 16037 bytes
File C:\Users\ctsuser.CTSNJY18384\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\URX9OZ2M\Browser Compatability Matrix.xlsx 16037 bytes
File C:\Users\ctsuser.CTSNJY18384\AppData\Roaming\Microsoft\Windows\Cookies\0QVAJOM1.txt 0 bytes

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File: test.log (152.2KB)

Edited by lax01, 24 April 2012 - 03:22 PM.
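The `.text` rows in the GMER log above are its listing of user-mode inline hooks: the hooked export, the patched address and size, and where the patched `JMP` lands, with a module path and vendor string only when GMER could map the target to a file on disk. Rows ending in `1 Byte [E7]` are the tail of a hook GMER reports in two pieces. Reading hundreds of these by eye is error-prone, so here is an added triage helper (written for this thread; it is not part of GMER or any other tool mentioned here) that parses the rows and groups the hooks by process and by the region the `JMP` lands in. The sample rows are copied from the log posted above; the grouping rule (64 KiB region base for targets with no module name) is my own choice. Hooks whose targets share one anonymous region are a strong hint that one component installed them; the log also shows McAfee and a Sunbelt firewall loaded, and host-protection products hook the same APIs, so an anonymous region is a lead to attribute, not by itself a verdict.

```python
"""Triage helper for the '.text ... JMP ...' rows GMER prints for user-mode
inline hooks. Added example written for this thread; it is not part of GMER
or of any tool mentioned in the posts."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hook rows copied from the GMER log posted above, plus one section header
# to show that non-hook lines are skipped.
SAMPLE_LINES = [
    r".text C:\Program Files\Internet Explorer\iexplore.exe[5156] WININET.dll!InternetOpenW 76F49197 5 Bytes JMP 000F0011",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[5156] ws2_32.DLL!socket 75943EB8 5 Bytes JMP 00280000",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!CallNextHookEx 75B5ABE1 5 Bytes JMP 5D283CA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!DialogBoxParamA 75B9CF42 3 Bytes JMP 5D44DE65 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[5208] USER32.dll!DialogBoxParamA + 4 75B9CF46 1 Byte [E7]",
    r".text C:\Windows\system32\svchost.exe[5388] ADVAPI32.dll!RegOpenKeyA 7581CC15 5 Bytes JMP 001F0FE5",
    r".text C:\Windows\system32\svchost.exe[5388] WS2_32.dll!socket 75943EB8 3 Bytes JMP 00200000",
    r".text C:\Windows\system32\svchost.exe[5388] WS2_32.dll!socket + 4 75943EBC 1 Byte [8A]",
    "---- Devices - GMER 1.0.15 ----",
]

HOOK_RE = re.compile(
    r"^\.text\s+"
    r"(?P<process>.+?)\[(?P<pid>\d+)\]\s+"                          # image path and PID
    r"(?P<module>[^\s!]+)!(?P<function>\S+)"                         # hooked export
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"                               # optional '+ N' byte offset
    r"(?P<address>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})"                           # either a JMP target ...
    r"(?:\s+(?P<target_path>.+?)\s+\((?P<target_desc>[^()]*)\))?"    # ... plus an optional resolved module
    r"|\[(?P<patch>[0-9A-Fa-f ]+)\])"                                # ... or raw patched bytes
    r"\s*$"
)


@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    module: str
    function: str
    offset: int
    address: int
    size: int
    target: Optional[int]          # None for a bare byte patch
    target_module: Optional[str]   # path GMER resolved the target to, if any

    @property
    def kind(self) -> str:
        if self.target is None:
            return "patch"      # trailing bytes of a hook GMER reports in two rows
        if self.target_module:
            return "module"     # JMP lands inside a named image on disk
        return "anonymous"      # JMP lands in memory GMER could not map to a file


def parse_hook_line(line: str) -> Optional[Hook]:
    """Parse one GMER hook row; return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    return Hook(
        process=m.group("process"),
        pid=int(m.group("pid")),
        module=m.group("module").lower(),   # GMER's casing varies (ws2_32.DLL / WS2_32.dll)
        function=m.group("function"),
        offset=int(m.group("offset") or 0),
        address=int(m.group("address"), 16),
        size=int(m.group("size")),
        target=int(target, 16) if target else None,
        target_module=m.group("target_path"),
    )


def count_by_kind(lines) -> Dict[str, int]:
    """How many rows are module-backed JMPs, anonymous JMPs, or byte patches."""
    counts: Dict[str, int] = {}
    for line in lines:
        h = parse_hook_line(line)
        if h is not None:
            counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


def summarize(lines) -> Dict[Tuple[str, int], Dict[str, List[str]]]:
    """Group JMP hooks by (process name, PID) and by where the JMP lands:
    the resolved module path, or 'anon:<64 KiB region base>' when GMER
    printed no module (my grouping rule, not GMER's)."""
    out: Dict[Tuple[str, int], Dict[str, List[str]]] = {}
    for line in lines:
        h = parse_hook_line(line)
        if h is None or h.target is None:
            continue
        region = h.target_module or f"anon:{h.target & 0xFFFF0000:08X}"
        key = (h.process.rsplit("\\", 1)[-1], h.pid)
        out.setdefault(key, {}).setdefault(region, []).append(f"{h.module}!{h.function}")
    return out


if __name__ == "__main__":
    print(count_by_kind(SAMPLE_LINES))
    for (name, pid), regions in summarize(SAMPLE_LINES).items():
        print(f"{name}[{pid}]")
        for region, funcs in regions.items():
            print(f"  {region}: {', '.join(funcs)}")
```

Feed the whole "Code sections" block of a GMER log to `summarize()` and each process shows a handful of regions; the next step is to match each anonymous region against what the installed security products are known to inject, and to look hardest at any region that no installed product accounts for.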


#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:33 PM

Posted 25 April 2012 - 01:51 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:


    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 lax01

lax01
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:33 PM

Posted 25 April 2012 - 10:04 AM

Thank you Gringo...appreciate the help. As requested:

Security Check Log:

Results of screen317's Security Check version 0.99.32
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
McAfee VirusScan Enterprise
McAfee Agent
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Flash Player 11.2.202.233
Adobe Reader X (10.1.3)
Mozilla Firefox (Meeting..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VirusScan Enterprise VsTskMgr.exe
McAfee VirusScan Enterprise mfeann.exe
McAfee VirusScan Enterprise SHSTAT.EXE
``````````End of Log````````````


DDS Log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514
Run by xxx at 8:02:06 on 2012-04-25
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3493.1887 [GMT -7:00]
.
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\CxAudMsg32.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Intel\Services\IPT\jhi_service.exe
C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\SAsrv.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\CCM\CcmExec.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~2\WebEx\WebEx\1124\atmgr.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://mail.na.mattel.com/CookieAuth.dll?GetLogon?reason=2&formdir=5&curl=Z2Fowa
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110614034914.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://vpnes.mattel.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://cognizant.webex.com/client/WBXclient-T27L10NSP25-10481/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 216.52.254.1 216.52.254.33
TCP: Interfaces\{6942CD59-420B-42F8-98AF-92E9079B8145} : DhcpNameServer = 4.2.2.2 4.2.2.3
TCP: Interfaces\{6942CD59-420B-42F8-98AF-92E9079B8145}\7445D205279667164756 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9320FF03-6500-4AD7-BA08-3A85D3AE6B18} : DhcpNameServer = 216.52.254.1 216.52.254.33
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ctsuser.ctsnjy18384\appdata\roaming\mozilla\firefox\profiles\t6d4leru.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\ctsuser.ctsnjy18384\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2011-10-13 25968]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-6-14 436728]
R0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-6-14 162928]
R1 enstart_;enstart_;c:\windows\system32\enstart_.sys [2012-1-13 77760]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2011-6-14 13680]
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-4-18 221784]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2012-4-18 78936]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg32.exe [2012-1-19 190592]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\intel\services\ipt\jhi_service.exe [2011-2-7 210896]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\lenovo\communications utility\CamMute.exe [2011-10-13 40808]
R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\lenovo\communications utility\TPKNRSVC.exe [2011-10-13 59240]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-1-12 120128]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-6-14 159320]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2011-1-12 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-6-14 145936]
R2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\thinkpad\utilities\PWMEWSVC.exe [2011-10-13 148840]
R2 risdxc;risdxc;c:\windows\system32\drivers\risdxc86.sys [2011-6-14 75264]
R2 SAService;Conexant SmartAudio service;c:\windows\system32\SASrv.exe [2012-1-19 446592]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-6-13 2656280]
R3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\drivers\e1c6232.sys [2011-6-14 238760]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2011-11-20 270336]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-6-13 41088]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-6-14 171296]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwNs32.sys [2011-5-1 7513088]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-4-18 69208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [2011-6-13 132096]
S3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-9 253088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-12-15 45352]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-1-20 29472]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-9-27 62464]
S3 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2011-10-13 292200]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-1-20 132480]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2011-1-20 126064]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-6-14 58456]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-6-14 85152]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 129976]
S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2011-10-13 83304]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-9-27 15872]
S3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2011-4-9 48640]
S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2011-4-9 38912]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-3-9 1006624]
S3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-4-18 69208]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2012-4-18 94040]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2011-9-27 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2011-9-27 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-9-27 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2011-9-27 27264]
S3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2011-9-27 112640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-1-20 1343400]
S4 enstart;enstart;c:\windows\system32\enstart.exe [2012-1-13 929792]
.
=============== Created Last 30 ================
.
2012-04-24 17:41:37 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-24 17:41:36 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-04-24 17:41:36 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-04-24 06:05:29 6273872 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2012-04-24 06:05:27 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{b357f1fe-9710-482c-aef3-3b5b9510d2f4}\mpengine.dll
2012-04-24 04:10:44 -------- d-----w- c:\users\ctsuser.ctsnjy18384\appdata\roaming\Malwarebytes
2012-04-24 04:10:38 -------- d-----w- c:\programdata\Malwarebytes
2012-04-24 00:08:15 611224 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2012-04-21 01:07:51 -------- d-sh--w- C:\$RECYCLE.BIN
2012-04-21 01:06:49 -------- d-----w- c:\users\ctsuser.ctsnjy18384\appdata\local\temp
2012-04-19 16:14:43 306688 ----a-w- c:\windows\IsUninst.exe
2012-04-19 00:59:53 33080 ----a-w- c:\windows\system32\drivers\psadd.sys
2012-04-18 17:09:08 94040 ----a-w- c:\windows\system32\drivers\sbhips.sys
2012-04-18 17:09:07 78936 ----a-w- c:\windows\system32\drivers\sbtis.sys
2012-04-18 17:09:03 69208 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2012-04-18 17:09:02 221784 ----a-w- c:\windows\system32\drivers\SbFw.sys
2012-04-18 16:56:58 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-18 16:56:58 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-18 16:56:58 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-18 16:56:58 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-18 16:56:24 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-18 16:56:24 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-18 16:52:59 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-04-18 16:52:58 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-04-18 16:52:55 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-18 16:52:54 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-18 16:52:54 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-18 16:52:35 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-04-18 16:52:35 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-04-18 16:52:34 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-04-18 16:52:34 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-10 02:25:13 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-10 01:34:25 -------- d-----w- c:\users\ctsuser.ctsnjy18384\appdata\local\{7730191F-8261-11E1-826D-B8AC6F996F26}
2012-04-04 05:53:56 182160 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2012-04-17 02:51:23 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-28 05:38:52 981504 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 03:52:27 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 17:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-14 19:09:44 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
.
============= FINISH: 8:02:25.07 ===============

DDS Attach Log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 11/21/2011 10:46:04 AM
System Uptime: 4/25/2012 7:51:54 AM (1 hours ago)
.
Motherboard: LENOVO | | 4177R3U
Processor: Intel® Core™ i5-2430M CPU @ 2.40GHz | CPU | 2401/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 269.542 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: SBRE
Device ID: ROOT\LEGACY_SBRE\0000
Manufacturer:
Name: SBRE
PNP Device ID: ROOT\LEGACY_SBRE\0000
Service: SBRE
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
RP25: 4/24/2012 3:02:00 PM - ComboFix created restore point
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
32 Bit HP CIO Components Installer
Adobe AIR
Adobe Community Help
Adobe Download Assistant
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
C20Planner - Vega 2.3
Centra Client
Cisco Systems VPN Client 5.0.00.0340
Cisco WebEx Meeting Center for Firefox or Chrome
Conexant 20672 SmartAudio HD
Configuration Manager Client
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Google Chrome
Integrated Camera Driver Installer Package Ver.1.1.0.1147
Integrated Camera TWAIN
Intel PROSet Wireless
Intel® Control Center
Intel® Identity Protection Technology 1.0.74.0
Intel® Management Engine Components
Intel® Network Connections Drivers
Intel® Processor Graphics
Intel® PROSet/Wireless WiFi Software
Lenovo System Interface Driver
McAfee Agent
McAfee VirusScan Enterprise
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Communicator 2007
Microsoft Office Excel MUI (English) 2010
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office Live Meeting 2007
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Project 2007 Service Pack 3 (SP3)
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2007
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (English) 2010
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Visio 2007 Service Pack 3 (SP3)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Word MUI (English) 2010
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
RICOH_Media_Driver_v2.13.18.02
SAFE Servlet
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visio Viewer 2010 (KB2597170) 32-Bit Edition
Skype™ 5.8
Spotify
System Update
ThinkPad Bluetooth with Enhanced Data Rate Software
ThinkPad Hotkey Features Integration Setup
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
ThinkVantage AutoLock
ThinkVantage Communications Utility
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft Office Project 2007 Help (KB963668)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Visio 2007 Help (KB963666)
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
WebEx
Windows Driver Package - Broadcom Bluetooth (07/30/2009 6.2.0.9405)
Windows Driver Package - Broadcom Bluetooth (09/11/2009 6.2.0.9407)
Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800)
WinZip 14.0
.
==== Event Viewer Messages From Past Week ========
.
4/25/2012 7:52:10 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE
4/23/2012 4:48:03 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Cisco EnergyWise Enabler service to connect.
4/23/2012 4:48:03 PM, Error: Service Control Manager [7000] - The Cisco EnergyWise Enabler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/23/2012 10:27:27 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {1CCB96F4-B8AD-4B43-9688-B273F58E0910} and APPID {AD65A69D-3831-40D7-9629-9B0B50A93843} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
4/23/2012 10:24:55 PM, Error: Service Control Manager [7034] - The ThinkPad PM Service service terminated unexpectedly. It has done this 1 time(s).
4/20/2012 6:06:55 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
4/18/2012 12:20:35 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000009f (0x00000003, 0x869a1b58, 0x8332b9e0, 0x85e71db8). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 041812-19531-01.
.
==== End Of File ===========================


No issues running any of the software.

Thank you again for the help and assistance.

#5 lax01

lax01
  • Topic Starter

  • Members
  • 12 posts

Posted 25 April 2012 - 10:15 AM

I am also now being redirected from Google Results from within Firefox 12 to a new site:

http://www.addedsuccess.com/bc_tus/innerxy.php?q=las+vegas&xy=10673

Still random and intermittent...hard to recreate.

Thanks again

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 25 April 2012 - 12:40 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 lax01

lax01
  • Topic Starter

  • Members
  • 12 posts

Posted 25 April 2012 - 04:57 PM

Combofix Log:

ComboFix 12-04-25.02 - xxxx 04/25/2012 14:47:28.2.4 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3493.2443 [GMT -7:00]
Running from: c:\users\ctsuser.CTSNJY18384\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\ctsuser.CTSNJY18384\AppData\Roaming\Mozilla\Firefox\Profiles\t6d4leru.default\weave\toFetch
.
.
((((((((((((((((((((((((( Files Created from 2012-03-25 to 2012-04-25 )))))))))))))))))))))))))))))))
.
.
2012-04-25 21:50 . 2012-04-25 21:50 -------- d-----w- c:\users\nss_admin\AppData\Local\temp
2012-04-25 21:50 . 2012-04-25 21:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-25 21:50 . 2012-04-25 21:50 -------- d-----w- c:\users\ctsuser1\AppData\Local\temp
2012-04-25 21:50 . 2012-04-25 21:50 -------- d-----w- c:\users\ctsuser\AppData\Local\temp
2012-04-25 21:50 . 2012-04-25 21:50 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-04-25 21:50 . 2012-04-25 21:50 -------- d-----w- c:\users\Administrator.NSS_PC\AppData\Local\temp
2012-04-24 06:09 . 2012-03-13 04:38 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-04-24 06:05 . 2012-04-18 10:06 6734704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B357F1FE-9710-482C-AEF3-3B5B9510D2F4}\mpengine.dll
2012-04-24 04:10 . 2012-04-24 04:10 -------- d-----w- c:\users\ctsuser.CTSNJY18384\AppData\Roaming\Malwarebytes
2012-04-24 00:08 . 2012-01-13 14:47 611224 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-04-21 01:06 . 2012-04-25 21:52 -------- d-----w- c:\users\ctsuser.CTSNJY18384\AppData\Local\temp
2012-04-19 16:14 . 1998-10-29 23:45 306688 ----a-w- c:\windows\IsUninst.exe
2012-04-19 00:59 . 2011-12-27 01:10 33080 ----a-w- c:\windows\system32\drivers\psadd.sys
2012-04-18 17:09 . 2011-04-06 00:35 94040 ----a-w- c:\windows\system32\drivers\sbhips.sys
2012-04-18 17:09 . 2011-04-06 00:35 78936 ----a-w- c:\windows\system32\drivers\sbtis.sys
2012-04-18 17:09 . 2011-02-08 16:14 69208 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2012-04-18 17:09 . 2011-04-06 00:35 221784 ----a-w- c:\windows\system32\drivers\SbFw.sys
2012-04-18 16:56 . 2012-03-01 05:46 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-18 16:56 . 2012-03-01 05:37 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-18 16:56 . 2012-03-01 05:33 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-18 16:56 . 2012-03-01 05:29 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-18 16:56 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-18 16:56 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-18 16:52 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-04-18 16:52 . 2012-02-03 03:54 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-04-18 16:52 . 2012-01-25 05:27 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-18 16:52 . 2012-01-25 05:32 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-18 16:52 . 2012-01-25 05:32 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-18 16:52 . 2012-02-17 05:34 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-04-18 16:52 . 2012-02-17 05:34 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-04-18 16:52 . 2012-02-17 04:14 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-18 16:52 . 2012-02-17 04:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-04-10 02:25 . 2012-04-17 02:51 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-10 01:34 . 2012-04-10 01:34 -------- d-----w- c:\users\ctsuser.CTSNJY18384\AppData\Local\{7730191F-8261-11E1-826D-B8AC6F996F26}
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-03-27 04:01 . 2012-03-27 04:01 -------- d-----w- c:\program files\Common Files\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-17 02:51 . 2011-06-14 08:40 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 17:18 . 2011-01-20 08:09 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-14 19:09 . 2012-02-14 19:09 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-04-24 17:41 . 2012-04-24 06:09 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-07-15 2282792]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-15 316032]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"HideFastUserSwitching"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Antivirus]
c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-16 01:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALCKRESI.EXE]
2011-04-04 22:23 281960 ----a-w- c:\program files\Lenovo\AutoLock\ALCKRESI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 19:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator]
2009-03-14 21:12 5731152 ----a-w- c:\program files\Microsoft Office Communicator\communicator.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ForteConfig]
2010-10-26 21:39 49568 ------w- c:\program files\CONEXANT\ForteConfig\fmapp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-01-20 17:16 136176 ----atw- c:\users\ctsuser.CTSNJY18384\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2011-10-04 03:32 177432 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2011-10-04 03:32 142616 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMSS]
2011-01-17 14:41 112152 ----a-w- c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LENOVO.TPKNRRES]
2010-12-17 02:01 41320 ----a-w- c:\program files\Lenovo\Communications Utility\TpKnrres.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2011-07-22 07:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2011-10-04 03:32 176408 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV]
2011-07-04 07:02 1299816 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RotateImage]
2008-10-30 19:23 31744 ----a-w- c:\program files\Integrated Camera Driver\RCIMGDIR.exe
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-17 2656280]
R3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2011-03-04 132096]
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 253088]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-12-15 45352]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2011-01-20 29472]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [2011-07-04 292200]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-02-27 132480]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-11-09 126064]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-06-14 85152]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-24 129976]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2011-07-04 83304]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2009-10-26 48640]
R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2009-09-28 38912]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-03-09 1006624]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\DRIVERS\sbfwim.sys [2011-02-08 69208]
R3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2011-04-06 94040]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-20 1343400]
R4 enstart;enstart;c:\windows\system32\enstart.exe [2012-01-13 929792]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [2011-07-04 25968]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-06-14 162928]
S1 enstart_;enstart_;c:\windows\system32\enstart_.sys [2012-01-13 77760]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2010-09-07 13680]
S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2011-04-06 221784]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2011-04-06 78936]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg32.exe [2010-12-17 190592]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\Intel\Services\IPT\jhi_service.exe [2011-02-07 210896]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2010-12-17 40808]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2010-12-17 59240]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-06-14 145936]
S2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.EXE [2011-07-04 148840]
S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc86.sys [2011-03-23 75264]
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [2010-11-19 446592]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-02-29 158856]
S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c6232.sys [2010-12-21 238760]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-08-23 270336]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-05-01 7513088]
S3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\SBFWIM.sys [2011-02-08 69208]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 02:51]
.
2012-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1980314247-1365648935-1728094946-1001Core.job
- c:\users\ctsuser.CTSNJY18384\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-20 17:16]
.
2012-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1980314247-1365648935-1728094946-1001UA.job
- c:\users\ctsuser.CTSNJY18384\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-20 17:16]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.na.mattel.com/CookieAuth.dll?GetLogon?reason=2&formdir=5&curl=Z2Fowa
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 4.2.2.2 4.2.2.3
FF - ProfilePath - c:\users\ctsuser.CTSNJY18384\AppData\Roaming\Mozilla\Firefox\Profiles\t6d4leru.default\
FF - prefs.js: browser.startup.homepage - google.com
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Ad-Aware Browsing Protection - c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1812)
c:\program files\ThinkPad\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wbem\WmiApSrv.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2012-04-25 14:53:35 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-25 21:53
.
Pre-Run: 289,291,120,640 bytes free
Post-Run: 289,176,264,704 bytes free
.
- - End Of File - - 490C8F9C3C2AAA387A6280AB9B76310B


Results: Ran successfully, no errors. Still getting redirects on Google Search Results from Firefox 12.

Thanks again!

#8 gringo_pr

    Bleepin Gringo


  • Malware Response Team

Posted 25 April 2012 - 09:39 PM

Greetings

I want you to run these next,

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University

#9 lax01

  • Topic Starter


Posted 25 April 2012 - 10:54 PM

Thank you Gringo! I truly understand how much of a pain in the ass this must be, so I just want you to know I truly appreciate the help. Anyway, on to the log:

TDSS Log:

20:41:28.0278 0524 TDSS rootkit removing tool 2.7.33.0 Apr 24 2012 18:43:43
20:41:28.0792 0524 ============================================================
20:41:28.0792 0524 Current date / time: 2012/04/25 20:41:28.0792
20:41:28.0792 0524 SystemInfo:
20:41:28.0792 0524
20:41:28.0792 0524 OS Version: 6.1.7601 ServicePack: 1.0
20:41:28.0792 0524 Product type: Workstation
20:41:28.0792 0524 ComputerName: CTSNJY18384
20:41:28.0792 0524 UserName: xxx
20:41:28.0792 0524 Windows directory: C:\Windows
20:41:28.0792 0524 System windows directory: C:\Windows
20:41:28.0792 0524 Processor architecture: Intel x86
20:41:28.0792 0524 Number of processors: 4
20:41:28.0792 0524 Page size: 0x1000
20:41:28.0792 0524 Boot type: Normal boot
20:41:28.0792 0524 ============================================================
20:41:29.0136 0524 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
20:41:29.0136 0524 ============================================================
20:41:29.0136 0524 \Device\Harddisk0\DR0:
20:41:29.0136 0524 MBR partitions:
20:41:29.0136 0524 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x64000
20:41:29.0136 0524 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x64800, BlocksNum 0x253C9800
20:41:29.0136 0524 ============================================================
20:41:29.0151 0524 C: <-> \Device\Harddisk0\DR0\Partition1
20:41:29.0151 0524 ============================================================
20:41:29.0151 0524 Initialize success
20:41:29.0151 0524 ============================================================
20:42:13.0247 5108 ============================================================
20:42:13.0247 5108 Scan started
20:42:13.0247 5108 Mode: Manual;
20:42:13.0247 5108 ============================================================
20:42:13.0590 5108 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
20:42:13.0590 5108 1394ohci - ok
20:42:13.0652 5108 5U877 (1875f492c399db858e77c1b29366d54b) C:\Windows\system32\DRIVERS\5U877.sys
20:42:13.0652 5108 5U877 - ok
20:42:13.0715 5108 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
20:42:13.0715 5108 ACPI - ok
20:42:13.0761 5108 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
20:42:13.0761 5108 AcpiPmi - ok
20:42:13.0871 5108 AdobeARMservice (62b7936f9036dd6ed36e6a7efa805dc0) C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
20:42:13.0871 5108 AdobeARMservice - ok
20:42:13.0995 5108 AdobeFlashPlayerUpdateSvc (459ac130c6ab892b1cd5d7544626efc5) C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
20:42:13.0995 5108 AdobeFlashPlayerUpdateSvc - ok
20:42:14.0073 5108 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\drivers\adp94xx.sys
20:42:14.0073 5108 adp94xx - ok
20:42:14.0120 5108 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\drivers\adpahci.sys
20:42:14.0120 5108 adpahci - ok
20:42:14.0151 5108 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\drivers\adpu320.sys
20:42:14.0151 5108 adpu320 - ok
20:42:14.0183 5108 AeLookupSvc (8b5eefeec1e6d1a72a06c526628ad161) C:\Windows\System32\aelupsvc.dll
20:42:14.0183 5108 AeLookupSvc - ok
20:42:14.0214 5108 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys
20:42:14.0214 5108 AFD - ok
20:42:14.0245 5108 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
20:42:14.0245 5108 agp440 - ok
20:42:14.0276 5108 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\drivers\djsvs.sys
20:42:14.0276 5108 aic78xx - ok
20:42:14.0292 5108 ALG (18a54e132947cd98fea9accc57f98f13) C:\Windows\System32\alg.exe
20:42:14.0292 5108 ALG - ok
20:42:14.0323 5108 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
20:42:14.0323 5108 aliide - ok
20:42:14.0339 5108 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
20:42:14.0339 5108 amdagp - ok
20:42:14.0339 5108 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
20:42:14.0339 5108 amdide - ok
20:42:14.0385 5108 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\drivers\amdk8.sys
20:42:14.0385 5108 AmdK8 - ok
20:42:14.0385 5108 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\drivers\amdppm.sys
20:42:14.0385 5108 AmdPPM - ok
20:42:14.0417 5108 amdsata (d320bf87125326f996d4904fe24300fc) C:\Windows\system32\drivers\amdsata.sys
20:42:14.0417 5108 amdsata - ok
20:42:14.0432 5108 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\drivers\amdsbs.sys
20:42:14.0432 5108 amdsbs - ok
20:42:14.0448 5108 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\Windows\system32\drivers\amdxata.sys
20:42:14.0448 5108 amdxata - ok
20:42:14.0463 5108 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
20:42:14.0479 5108 AppID - ok
20:42:14.0510 5108 AppIDSvc (62a9c86cb6085e20db4823e4e97826f5) C:\Windows\System32\appidsvc.dll
20:42:14.0510 5108 AppIDSvc - ok
20:42:14.0510 5108 Appinfo (fb1959012294d6ad43e5304df65e3c26) C:\Windows\System32\appinfo.dll
20:42:14.0510 5108 Appinfo - ok
20:42:14.0541 5108 AppMgmt (a45d184df6a8803da13a0b329517a64a) C:\Windows\System32\appmgmts.dll
20:42:14.0541 5108 AppMgmt - ok
20:42:14.0557 5108 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\drivers\arc.sys
20:42:14.0557 5108 arc - ok
20:42:14.0588 5108 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\drivers\arcsas.sys
20:42:14.0588 5108 arcsas - ok
20:42:14.0619 5108 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
20:42:14.0619 5108 AsyncMac - ok
20:42:14.0635 5108 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
20:42:14.0635 5108 atapi - ok
20:42:14.0682 5108 AudioEndpointBuilder (ce3b4e731638d2ef62fcb419be0d39f0) C:\Windows\System32\Audiosrv.dll
20:42:14.0682 5108 AudioEndpointBuilder - ok
20:42:14.0682 5108 Audiosrv (ce3b4e731638d2ef62fcb419be0d39f0) C:\Windows\System32\Audiosrv.dll
20:42:14.0697 5108 Audiosrv - ok
20:42:14.0713 5108 AxInstSV (6e30d02aac9cac84f421622e3a2f6178) C:\Windows\System32\AxInstSV.dll
20:42:14.0713 5108 AxInstSV - ok
20:42:14.0744 5108 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\drivers\bxvbdx.sys
20:42:14.0760 5108 b06bdrv - ok
20:42:14.0775 5108 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
20:42:14.0775 5108 b57nd60x - ok
20:42:14.0807 5108 BDESVC (ee1e9c3bb8228ae423dd38db69128e71) C:\Windows\System32\bdesvc.dll
20:42:14.0807 5108 BDESVC - ok
20:42:14.0838 5108 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
20:42:14.0838 5108 Beep - ok
20:42:14.0869 5108 BFE (1e2bac209d184bb851e1a187d8a29136) C:\Windows\System32\bfe.dll
20:42:14.0885 5108 BFE - ok
20:42:14.0931 5108 BITS (e585445d5021971fae10393f0f1c3961) C:\Windows\system32\qmgr.dll
20:42:14.0931 5108 BITS - ok
20:42:14.0947 5108 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
20:42:14.0947 5108 blbdrive - ok
20:42:14.0963 5108 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
20:42:14.0963 5108 bowser - ok
20:42:14.0978 5108 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\BrFiltLo.sys
20:42:14.0978 5108 BrFiltLo - ok
20:42:14.0994 5108 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\BrFiltUp.sys
20:42:14.0994 5108 BrFiltUp - ok
20:42:15.0025 5108 BridgeMP (77361d72a04f18809d0efb6cceb74d4b) C:\Windows\system32\DRIVERS\bridge.sys
20:42:15.0041 5108 BridgeMP - ok
20:42:15.0056 5108 Browser (6e11f33d14d020f58d5e02e4d67dfa19) C:\Windows\System32\browser.dll
20:42:15.0056 5108 Browser - ok
20:42:15.0103 5108 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
20:42:15.0103 5108 Brserid - ok
20:42:15.0119 5108 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
20:42:15.0119 5108 BrSerWdm - ok
20:42:15.0119 5108 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
20:42:15.0119 5108 BrUsbMdm - ok
20:42:15.0119 5108 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
20:42:15.0119 5108 BrUsbSer - ok
20:42:15.0134 5108 BthEnum (2865a5c8e98c70c605f417908cebb3a4) C:\Windows\system32\drivers\BthEnum.sys
20:42:15.0134 5108 BthEnum - ok
20:42:15.0150 5108 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\drivers\bthmodem.sys
20:42:15.0150 5108 BTHMODEM - ok
20:42:15.0150 5108 BthPan (ad1872e5829e8a2c3b5b4b641c3eab0e) C:\Windows\system32\DRIVERS\bthpan.sys
20:42:15.0150 5108 BthPan - ok
20:42:15.0165 5108 BTHPORT (c2fbf6d271d9a94d839c416bf186ead9) C:\Windows\System32\Drivers\BTHport.sys
20:42:15.0181 5108 BTHPORT - ok
20:42:15.0197 5108 bthserv (1df19c96eef6c29d1c3e1a8678e07190) C:\Windows\system32\bthserv.dll
20:42:15.0197 5108 bthserv - ok
20:42:15.0197 5108 BTHUSB (c81e9413a25a439f436b1d4b6a0cf9e9) C:\Windows\System32\Drivers\BTHUSB.sys
20:42:15.0197 5108 BTHUSB - ok
20:42:15.0228 5108 btusbflt (dd5361cf05025bd61a5d0115ecc2566f) C:\Windows\system32\drivers\btusbflt.sys
20:42:15.0228 5108 btusbflt - ok
20:42:15.0259 5108 btwaudio (7e826be3b3558208d5c9b00034e51be5) C:\Windows\system32\drivers\btwaudio.sys
20:42:15.0259 5108 btwaudio - ok
20:42:15.0290 5108 btwavdt (af9148c3e844131ac954cb53ff43d971) C:\Windows\system32\drivers\btwavdt.sys
20:42:15.0290 5108 btwavdt - ok
20:42:15.0384 5108 btwdins (0e3ee2bc0ec56bfe869fcde3e5806684) C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
20:42:15.0399 5108 btwdins - ok
20:42:15.0415 5108 btwl2cap (aafd7cb76ba61fbb08e302da208c974a) C:\Windows\system32\DRIVERS\btwl2cap.sys
20:42:15.0415 5108 btwl2cap - ok
20:42:15.0431 5108 btwrchid (480b3d195854b2e55299cddddc50bcf9) C:\Windows\system32\drivers\btwrchid.sys
20:42:15.0431 5108 btwrchid - ok
20:42:15.0509 5108 catchme - ok
20:42:15.0587 5108 CcmExec (a454a9baa25b8c8e76735dd86bd4b017) C:\Windows\system32\CCM\CcmExec.exe
20:42:15.0602 5108 CcmExec - ok
20:42:15.0618 5108 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
20:42:15.0633 5108 cdfs - ok
20:42:15.0665 5108 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\DRIVERS\cdrom.sys
20:42:15.0665 5108 cdrom - ok
20:42:15.0696 5108 CertPropSvc (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
20:42:15.0696 5108 CertPropSvc - ok
20:42:15.0711 5108 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\drivers\circlass.sys
20:42:15.0711 5108 circlass - ok
20:42:15.0743 5108 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
20:42:15.0743 5108 CLFS - ok
20:42:15.0789 5108 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
20:42:15.0789 5108 clr_optimization_v2.0.50727_32 - ok
20:42:15.0836 5108 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
20:42:15.0836 5108 clr_optimization_v4.0.30319_32 - ok
20:42:15.0867 5108 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
20:42:15.0867 5108 CmBatt - ok
20:42:15.0867 5108 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
20:42:15.0867 5108 cmdide - ok
20:42:15.0914 5108 CNG (6427525d76f61d0c519b008d3680e8e7) C:\Windows\system32\Drivers\cng.sys
20:42:15.0914 5108 CNG - ok
20:42:16.0008 5108 CnxtHdAudService (c8603c5c58c6a0c6fedff6dcef7e1e47) C:\Windows\system32\drivers\CHDRT32.sys
20:42:16.0023 5108 CnxtHdAudService - ok
20:42:16.0133 5108 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\drivers\compbatt.sys
20:42:16.0133 5108 Compbatt - ok
20:42:16.0164 5108 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\DRIVERS\CompositeBus.sys
20:42:16.0164 5108 CompositeBus - ok
20:42:16.0179 5108 COMSysApp - ok
20:42:16.0195 5108 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\drivers\crcdisk.sys
20:42:16.0195 5108 crcdisk - ok
20:42:16.0226 5108 CryptSvc (a585bebf7d054bd9618eda0922d5484a) C:\Windows\system32\cryptsvc.dll
20:42:16.0226 5108 CryptSvc - ok
20:42:16.0257 5108 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
20:42:16.0257 5108 CSC - ok
20:42:16.0304 5108 CscService (15f93b37f6801943360d9eb42485d5d3) C:\Windows\System32\cscsvc.dll
20:42:16.0304 5108 CscService - ok
20:42:16.0335 5108 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\Windows\system32\DRIVERS\CVirtA.sys
20:42:16.0335 5108 CVirtA - ok
20:42:16.0523 5108 CVPND (08d8fa119f2ad6ac0377fb667523482e) C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
20:42:16.0538 5108 CVPND - ok
20:42:16.0647 5108 CVPNDRVA (1c2999966f0f36aa44eaecbee70cf770) C:\Windows\system32\Drivers\CVPNDRVA.sys
20:42:16.0663 5108 CVPNDRVA - ok
20:42:16.0710 5108 CxAudMsg (a4e503ce89cd1287892cb6ab58bbe75c) C:\Windows\system32\CxAudMsg32.exe
20:42:16.0710 5108 CxAudMsg - ok
20:42:16.0741 5108 dc3d (7caaf4af453ef3582fef65dd72caa0aa) C:\Windows\system32\DRIVERS\dc3d.sys
20:42:16.0757 5108 dc3d - ok
20:42:16.0803 5108 DcomLaunch (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
20:42:16.0803 5108 DcomLaunch - ok
20:42:16.0835 5108 defragsvc (8d6e10a2d9a5eed59562d9b82cf804e1) C:\Windows\System32\defragsvc.dll
20:42:16.0835 5108 defragsvc - ok
20:42:16.0866 5108 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
20:42:16.0866 5108 DfsC - ok
20:42:16.0913 5108 Dhcp (e9e01eb683c132f7fa27cd607b8a2b63) C:\Windows\system32\dhcpcore.dll
20:42:16.0913 5108 Dhcp - ok
20:42:16.0944 5108 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
20:42:16.0944 5108 discache - ok
20:42:16.0959 5108 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\drivers\disk.sys
20:42:16.0959 5108 Disk - ok
20:42:16.0991 5108 dmvsc (2a958ef85db1b61ffca65044fa4bce9e) C:\Windows\system32\drivers\dmvsc.sys
20:42:16.0991 5108 dmvsc - ok
20:42:17.0037 5108 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\Windows\system32\DRIVERS\dne2000.sys
20:42:17.0037 5108 DNE - ok
20:42:17.0084 5108 Dnscache (33ef4861f19a0736b11314aad9ae28d0) C:\Windows\System32\dnsrslvr.dll
20:42:17.0084 5108 Dnscache - ok
20:42:17.0100 5108 dot3svc (366ba8fb4b7bb7435e3b9eacb3843f67) C:\Windows\System32\dot3svc.dll
20:42:17.0100 5108 dot3svc - ok
20:42:17.0147 5108 DozeHDD (6d279bb0de1d8e34f454e1b353f4d738) C:\Windows\system32\DRIVERS\DozeHDD.sys
20:42:17.0147 5108 DozeHDD - ok
20:42:17.0256 5108 DozeSvc (a4ecdd165b0f7ee9e44a569881f4ca6d) C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
20:42:17.0256 5108 DozeSvc - ok
20:42:17.0271 5108 DPS (8ec04ca86f1d68da9e11952eb85973d6) C:\Windows\system32\dps.dll
20:42:17.0287 5108 DPS - ok
20:42:17.0318 5108 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
20:42:17.0318 5108 drmkaud - ok
20:42:17.0365 5108 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
20:42:17.0365 5108 DXGKrnl - ok
20:42:17.0427 5108 e1cexpress (890a46fb3d58667be559cee1a0252049) C:\Windows\system32\DRIVERS\e1c6232.sys
20:42:17.0427 5108 e1cexpress - ok
20:42:17.0474 5108 EapHost (8600142fa91c1b96367d3300ad0f3f3a) C:\Windows\System32\eapsvc.dll
20:42:17.0474 5108 EapHost - ok
20:42:17.0630 5108 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\drivers\evbdx.sys
20:42:17.0677 5108 ebdrv - ok
20:42:17.0771 5108 EFS (81951f51e318aecc2d68559e47485cc4) C:\Windows\System32\lsass.exe
20:42:17.0771 5108 EFS - ok
20:42:17.0833 5108 ehRecvr (a8c362018efc87beb013ee28f29c0863) C:\Windows\ehome\ehRecvr.exe
20:42:17.0833 5108 ehRecvr - ok
20:42:17.0849 5108 ehSched (d389bff34f80caede417bf9d1507996a) C:\Windows\ehome\ehsched.exe
20:42:17.0849 5108 ehSched - ok
20:42:17.0911 5108 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\drivers\elxstor.sys
20:42:17.0927 5108 elxstor - ok
20:42:17.0989 5108 enstart (8fcd2cdbeab1c4f085fee05007deaf08) C:\Windows\system32\enstart.exe
20:42:18.0005 5108 enstart - ok
20:42:18.0020 5108 enstart_ (5a1c0cfdc7c68bf6e13e58abd60c1e98) C:\Windows\system32\enstart_.sys
20:42:18.0020 5108 enstart_ - ok
20:42:18.0051 5108 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
20:42:18.0051 5108 ErrDev - ok
20:42:18.0083 5108 EventSystem (f6916efc29d9953d5d0df06882ae8e16) C:\Windows\system32\es.dll
20:42:18.0098 5108 EventSystem - ok
20:42:18.0239 5108 EvtEng (00fa69825f68032b601aa1c60e75f06a) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
20:42:18.0254 5108 EvtEng - ok
20:42:18.0317 5108 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
20:42:18.0317 5108 exfat - ok
20:42:18.0317 5108 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
20:42:18.0332 5108 fastfat - ok
20:42:18.0379 5108 Fax (967ea5b213e9984cbe270205df37755b) C:\Windows\system32\fxssvc.exe
20:42:18.0395 5108 Fax - ok
20:42:18.0395 5108 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\drivers\fdc.sys
20:42:18.0395 5108 fdc - ok
20:42:18.0410 5108 fdPHost (f3222c893bd2f5821a0179e5c71e88fb) C:\Windows\system32\fdPHost.dll
20:42:18.0410 5108 fdPHost - ok
20:42:18.0426 5108 FDResPub (7dbe8cbfe79efbdeb98c9fb08d3a9a5b) C:\Windows\system32\fdrespub.dll
20:42:18.0426 5108 FDResPub - ok
20:42:18.0441 5108 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
20:42:18.0441 5108 FileInfo - ok
20:42:18.0457 5108 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
20:42:18.0457 5108 Filetrace - ok
20:42:18.0457 5108 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\drivers\flpydisk.sys
20:42:18.0457 5108 flpydisk - ok
20:42:18.0519 5108 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
20:42:18.0519 5108 FltMgr - ok
20:42:18.0566 5108 FontCache (b3a5ec6b6b6673db7e87c2bcdbddc074) C:\Windows\system32\FntCache.dll
20:42:18.0582 5108 FontCache - ok
20:42:18.0644 5108 FontCache3.0.0.0 (e56f39f6b7fda0ac77a79b0fd3de1a2f) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
20:42:18.0644 5108 FontCache3.0.0.0 - ok
20:42:18.0660 5108 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
20:42:18.0660 5108 FsDepends - ok
20:42:18.0691 5108 Fs_Rec (7dae5ebcc80e45d3253f4923dc424d05) C:\Windows\system32\drivers\Fs_Rec.sys
20:42:18.0691 5108 Fs_Rec - ok
20:42:18.0722 5108 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
20:42:18.0722 5108 fvevol - ok
20:42:18.0738 5108 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\drivers\gagp30kx.sys
20:42:18.0738 5108 gagp30kx - ok
20:42:18.0785 5108 gpsvc (e897eaf5ed6ba41e081060c9b447a673) C:\Windows\System32\gpsvc.dll
20:42:18.0800 5108 gpsvc - ok
20:42:18.0800 5108 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
20:42:18.0800 5108 hcw85cir - ok
20:42:18.0847 5108 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
20:42:18.0847 5108 HdAudAddService - ok
20:42:18.0878 5108 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\DRIVERS\HDAudBus.sys
20:42:18.0878 5108 HDAudBus - ok
20:42:18.0894 5108 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\drivers\HidBatt.sys
20:42:18.0894 5108 HidBatt - ok
20:42:18.0894 5108 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\drivers\hidbth.sys
20:42:18.0894 5108 HidBth - ok
20:42:18.0894 5108 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\drivers\hidir.sys
20:42:18.0909 5108 HidIr - ok
20:42:18.0909 5108 hidserv (2bc6f6a1992b3a77f5f41432ca6b3b6b) C:\Windows\System32\hidserv.dll
20:42:18.0909 5108 hidserv - ok
20:42:18.0925 5108 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\DRIVERS\hidusb.sys
20:42:18.0925 5108 HidUsb - ok
20:42:18.0956 5108 hkmsvc (196b4e3f4cccc24af836ce58facbb699) C:\Windows\system32\kmsvc.dll
20:42:18.0956 5108 hkmsvc - ok
20:42:18.0972 5108 HomeGroupListener (6658f4404de03d75fe3ba09f7aba6a30) C:\Windows\system32\ListSvc.dll
20:42:18.0972 5108 HomeGroupListener - ok
20:42:19.0019 5108 HomeGroupProvider (dbc02d918fff1cad628acbe0c0eaa8e8) C:\Windows\system32\provsvc.dll
20:42:19.0019 5108 HomeGroupProvider - ok
20:42:19.0050 5108 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
20:42:19.0050 5108 HpSAMD - ok
20:42:19.0097 5108 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
20:42:19.0097 5108 HTTP - ok
20:42:19.0112 5108 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
20:42:19.0112 5108 hwpolicy - ok
20:42:19.0159 5108 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
20:42:19.0159 5108 i8042prt - ok
20:42:19.0190 5108 iaStor (f4037a3fedb92dd97c95f320766ea5c9) C:\Windows\system32\drivers\iaStor.sys
20:42:19.0190 5108 iaStor - ok
20:42:19.0221 5108 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\Windows\system32\drivers\iaStorV.sys
20:42:19.0237 5108 iaStorV - ok
20:42:19.0237 5108 IBMPMDRV (fa3d0a6da7bb7968efe5c5bc267f0e55) C:\Windows\system32\DRIVERS\ibmpmdrv.sys
20:42:19.0237 5108 IBMPMDRV - ok
20:42:19.0268 5108 IBMPMSVC (495f184a29b80b51735bcee91d84fe8f) C:\Windows\system32\ibmpmsvc.exe
20:42:19.0268 5108 IBMPMSVC - ok
20:42:19.0377 5108 idsvc (c521d7eb6497bb1af6afa89e322fb43c) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
20:42:19.0377 5108 idsvc - ok
20:42:19.0861 5108 igfx (74c774c20acc424874a84a18b3d96667) C:\Windows\system32\DRIVERS\igdkmd32.sys
20:42:20.0064 5108 igfx - ok
20:42:20.0189 5108 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\drivers\iirsp.sys
20:42:20.0189 5108 iirsp - ok
20:42:20.0267 5108 IKEEXT (f95622f161474511b8d80d6b093aa610) C:\Windows\System32\ikeext.dll
20:42:20.0267 5108 IKEEXT - ok
20:42:20.0298 5108 Impcd (e3c36ac5ae87ec970ae8ea2a93d59ae1) C:\Windows\system32\drivers\Impcd.sys
20:42:20.0298 5108 Impcd - ok
20:42:20.0345 5108 IntcDAud (c4fa261b9b5c9822d26020949605ac43) C:\Windows\system32\DRIVERS\IntcDAud.sys
20:42:20.0345 5108 IntcDAud - ok
20:42:20.0360 5108 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
20:42:20.0360 5108 intelide - ok
20:42:20.0391 5108 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
20:42:20.0391 5108 intelppm - ok
20:42:20.0407 5108 IPBusEnum (acb364b9075a45c0736e5c47be5cae19) C:\Windows\system32\ipbusenum.dll
20:42:20.0407 5108 IPBusEnum - ok
20:42:20.0423 5108 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
20:42:20.0423 5108 IpFilterDriver - ok
20:42:20.0485 5108 iphlpsvc (4d65a07b795d6674312f879d09aa7663) C:\Windows\System32\iphlpsvc.dll
20:42:20.0485 5108 iphlpsvc - ok
20:42:20.0516 5108 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
20:42:20.0516 5108 IPMIDRV - ok
20:42:20.0532 5108 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
20:42:20.0532 5108 IPNAT - ok
20:42:20.0547 5108 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
20:42:20.0547 5108 IRENUM - ok
20:42:20.0579 5108 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
20:42:20.0579 5108 isapnp - ok
20:42:20.0594 5108 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
20:42:20.0594 5108 iScsiPrt - ok
20:42:20.0703 5108 jhi_service (6faf199fdffdd2376973143c3e012765) C:\Program Files\Intel\Services\IPT\jhi_service.exe
20:42:20.0703 5108 jhi_service - ok
20:42:20.0735 5108 JMCR (4029a265bcd23e0fd7da45e423f80dd1) C:\Windows\system32\DRIVERS\jmcr.sys
20:42:20.0735 5108 JMCR - ok
20:42:20.0766 5108 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
20:42:20.0766 5108 kbdclass - ok
20:42:20.0781 5108 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\DRIVERS\kbdhid.sys
20:42:20.0781 5108 kbdhid - ok
20:42:20.0828 5108 KeyIso (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
20:42:20.0828 5108 KeyIso - ok
20:42:20.0844 5108 KSecDD (f4647bb23db9038a7536cf6b68f4207f) C:\Windows\system32\Drivers\ksecdd.sys
20:42:20.0844 5108 KSecDD - ok
20:42:20.0859 5108 KSecPkg (e73cae53bbb72ba26918492c6b4c229d) C:\Windows\system32\Drivers\ksecpkg.sys
20:42:20.0859 5108 KSecPkg - ok
20:42:20.0891 5108 KtmRm (89a7b9cc98d0d80c6f31b91c0a310fcd) C:\Windows\system32\msdtckrm.dll
20:42:20.0906 5108 KtmRm - ok
20:42:20.0937 5108 LanmanServer (d64af876d53eca3668bb97b51b4e70ab) C:\Windows\System32\srvsvc.dll
20:42:20.0937 5108 LanmanServer - ok
20:42:20.0969 5108 LanmanWorkstation (58405e4f68ba8e4057c6e914f326aba2) C:\Windows\System32\wkssvc.dll
20:42:20.0969 5108 LanmanWorkstation - ok
20:42:21.0047 5108 LENOVO.CAMMUTE (930bc7b758b9ba5aec2f5f6f5be60fff) C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
20:42:21.0047 5108 LENOVO.CAMMUTE - ok
20:42:21.0078 5108 lenovo.smi (9aac267a225f3caebb9e633f7eb16e4b) C:\Windows\system32\DRIVERS\smiif32.sys
20:42:21.0078 5108 lenovo.smi - ok
20:42:21.0078 5108 LENOVO.TPKNRSVC (5da0fa155f8e8f18556c677451953d9d) C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
20:42:21.0078 5108 LENOVO.TPKNRSVC - ok
20:42:21.0109 5108 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
20:42:21.0125 5108 lltdio - ok
20:42:21.0156 5108 lltdsvc (5700673e13a2117fa3b9020c852c01e2) C:\Windows\System32\lltdsvc.dll
20:42:21.0156 5108 lltdsvc - ok
20:42:21.0171 5108 lmhosts (55ca01ba19d0006c8f2639b6c045e08b) C:\Windows\System32\lmhsvc.dll
20:42:21.0171 5108 lmhosts - ok
20:42:21.0234 5108 LMS (97f9eaac985a663394cd8f54dcd3e73a) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
20:42:21.0249 5108 LMS - ok
20:42:21.0265 5108 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\drivers\lsi_fc.sys
20:42:21.0265 5108 LSI_FC - ok
20:42:21.0281 5108 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\drivers\lsi_sas.sys
20:42:21.0281 5108 LSI_SAS - ok
20:42:21.0296 5108 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\drivers\lsi_sas2.sys
20:42:21.0296 5108 LSI_SAS2 - ok
20:42:21.0327 5108 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\drivers\lsi_scsi.sys
20:42:21.0327 5108 LSI_SCSI - ok
20:42:21.0327 5108 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
20:42:21.0343 5108 luafv - ok
20:42:21.0390 5108 McAfeeFramework (062d80f13d762f7bc2f38430d60f5048) C:\Program Files\McAfee\Common Framework\FrameworkService.exe
20:42:21.0390 5108 McAfeeFramework - ok
20:42:21.0452 5108 McShield (50182e471b44c7a0f63b46e2def08b0f) C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
20:42:21.0452 5108 McShield - ok
20:42:21.0499 5108 McTaskManager (b15bb3aef59158b4e1dda5328c842713) C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
20:42:21.0499 5108 McTaskManager - ok
20:42:21.0530 5108 Mcx2Svc (bfb9ee8ee977efe85d1a3105abef6dd1) C:\Windows\system32\Mcx2Svc.dll
20:42:21.0530 5108 Mcx2Svc - ok
20:42:21.0577 5108 MDM (7cf1b716372b89568ae4c0fe769f5869) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
20:42:21.0577 5108 MDM - ok
20:42:21.0608 5108 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\drivers\megasas.sys
20:42:21.0608 5108 megasas - ok
20:42:21.0639 5108 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\drivers\MegaSR.sys
20:42:21.0639 5108 MegaSR - ok
20:42:21.0671 5108 MEI (d86ac00883b9c98b570e7643aaf8e554) C:\Windows\system32\DRIVERS\HECI.sys
20:42:21.0671 5108 MEI - ok
20:42:21.0702 5108 mfeapfk (c0d975d64c1af8057f2d75b1297a6979) C:\Windows\system32\drivers\mfeapfk.sys
20:42:21.0717 5108 mfeapfk - ok
20:42:21.0749 5108 mfeavfk (c169326049a8a03d5f905b34f5a65f8c) C:\Windows\system32\drivers\mfeavfk.sys
20:42:21.0749 5108 mfeavfk - ok
20:42:21.0764 5108 mfeavfk01 - ok
20:42:21.0780 5108 mfebopk (50b0253b2484a306a20d8695c5ae5858) C:\Windows\system32\drivers\mfebopk.sys
20:42:21.0780 5108 mfebopk - ok
20:42:21.0827 5108 mfehidk (188b40866db2ab8ef262febc65291687) C:\Windows\system32\drivers\mfehidk.sys
20:42:21.0827 5108 mfehidk - ok
20:42:21.0858 5108 mferkdet (c1b30af2e18e69bf8ceb39b33f32d3c1) C:\Windows\system32\drivers\mferkdet.sys
20:42:21.0858 5108 mferkdet - ok
20:42:21.0873 5108 mfevtp (49c8e20d178be981ff28523a942a570f) C:\Windows\system32\mfevtps.exe
20:42:21.0889 5108 mfevtp - ok
20:42:21.0920 5108 mfewfpk (451b49f0e10d6058ced5b56852d82c8b) C:\Windows\system32\drivers\mfewfpk.sys
20:42:21.0920 5108 mfewfpk - ok
20:42:22.0014 5108 Microsoft SharePoint Workspace Audit Service - ok
20:42:22.0045 5108 MMCSS (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
20:42:22.0045 5108 MMCSS - ok
20:42:22.0061 5108 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
20:42:22.0061 5108 Modem - ok
20:42:22.0092 5108 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
20:42:22.0092 5108 monitor - ok
20:42:22.0139 5108 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
20:42:22.0139 5108 mouclass - ok
20:42:22.0139 5108 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
20:42:22.0154 5108 mouhid - ok
20:42:22.0170 5108 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
20:42:22.0170 5108 mountmgr - ok
20:42:22.0232 5108 MozillaMaintenance (96aa8ba23142cc8e2b30f3cae0c80254) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
20:42:22.0232 5108 MozillaMaintenance - ok
20:42:22.0248 5108 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
20:42:22.0248 5108 mpio - ok
20:42:22.0263 5108 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
20:42:22.0263 5108 mpsdrv - ok
20:42:22.0310 5108 MpsSvc (9835584e999d25004e1ee8e5f3e3b881) C:\Windows\system32\mpssvc.dll
20:42:22.0326 5108 MpsSvc - ok
20:42:22.0341 5108 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
20:42:22.0341 5108 MRxDAV - ok
20:42:22.0373 5108 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
20:42:22.0373 5108 mrxsmb - ok
20:42:22.0404 5108 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
20:42:22.0404 5108 mrxsmb10 - ok
20:42:22.0419 5108 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
20:42:22.0419 5108 mrxsmb20 - ok
20:42:22.0435 5108 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
20:42:22.0435 5108 msahci - ok
20:42:22.0466 5108 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
20:42:22.0466 5108 msdsm - ok
20:42:22.0513 5108 MSDTC (e1bce74a3bd9902b72599c0192a07e27) C:\Windows\System32\msdtc.exe
20:42:22.0513 5108 MSDTC - ok
20:42:22.0544 5108 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
20:42:22.0544 5108 Msfs - ok
20:42:22.0560 5108 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
20:42:22.0560 5108 mshidkmdf - ok
20:42:22.0575 5108 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
20:42:22.0575 5108 msisadrv - ok
20:42:22.0622 5108 MSiSCSI (90f7d9e6b6f27e1a707d4a297f077828) C:\Windows\system32\iscsiexe.dll
20:42:22.0622 5108 MSiSCSI - ok
20:42:22.0622 5108 msiserver - ok
20:42:22.0653 5108 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
20:42:22.0653 5108 MSKSSRV - ok
20:42:22.0685 5108 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
20:42:22.0685 5108 MSPCLOCK - ok
20:42:22.0685 5108 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
20:42:22.0700 5108 MSPQM - ok
20:42:22.0716 5108 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
20:42:22.0716 5108 MsRPC - ok
20:42:22.0731 5108 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
20:42:22.0731 5108 mssmbios - ok
20:42:22.0747 5108 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
20:42:22.0747 5108 MSTEE - ok
20:42:22.0747 5108 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\drivers\MTConfig.sys
20:42:22.0747 5108 MTConfig - ok
20:42:22.0763 5108 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
20:42:22.0763 5108 Mup - ok
20:42:22.0794 5108 napagent (61d57a5d7c6d9afe10e77dae6e1b445e) C:\Windows\system32\qagentRT.dll
20:42:22.0794 5108 napagent - ok
20:42:22.0841 5108 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
20:42:22.0841 5108 NativeWifiP - ok
20:42:22.0872 5108 NDIS (3723262737d90f58059ceda7373b0387) C:\Windows\system32\drivers\ndis.sys
20:42:22.0887 5108 NDIS - ok
20:42:22.0919 5108 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
20:42:22.0919 5108 NdisCap - ok
20:42:22.0934 5108 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
20:42:22.0934 5108 NdisTapi - ok
20:42:22.0950 5108 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
20:42:22.0950 5108 Ndisuio - ok
20:42:22.0965 5108 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
20:42:22.0965 5108 NdisWan - ok
20:42:22.0981 5108 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
20:42:22.0981 5108 NDProxy - ok
20:42:23.0028 5108 Net Driver HPZ12 (f7c14f5077bf2bc476c348b88a7f74e2) C:\Windows\system32\HPZinw12.dll
20:42:23.0028 5108 Net Driver HPZ12 - ok
20:42:23.0043 5108 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
20:42:23.0043 5108 NetBIOS - ok
20:42:23.0059 5108 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
20:42:23.0059 5108 NetBT - ok
20:42:23.0090 5108 Netlogon (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
20:42:23.0090 5108 Netlogon - ok
20:42:23.0137 5108 Netman (7cccfca7510684768da22092d1fa4db2) C:\Windows\System32\netman.dll
20:42:23.0137 5108 Netman - ok
20:42:23.0168 5108 netprofm (8c338238c16777a802d6a9211eb2ba50) C:\Windows\System32\netprofm.dll
20:42:23.0168 5108 netprofm - ok
20:42:23.0246 5108 NetTcpPortSharing (f476ec40033cdb91efbe73eb99b8362d) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
20:42:23.0246 5108 NetTcpPortSharing - ok
20:42:23.0574 5108 NETwNs32 (9c23121705590d54db8a8c6033c782d9) C:\Windows\system32\DRIVERS\NETwNs32.sys
20:42:23.0667 5108 NETwNs32 - ok
20:42:23.0808 5108 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\drivers\nfrd960.sys
20:42:23.0808 5108 nfrd960 - ok
20:42:23.0855 5108 NlaSvc (912084381d30d8b89ec4e293053f4710) C:\Windows\System32\nlasvc.dll
20:42:23.0855 5108 NlaSvc - ok
20:42:23.0870 5108 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
20:42:23.0870 5108 Npfs - ok
20:42:23.0886 5108 nsi (ba387e955e890c8a88306d9b8d06bf17) C:\Windows\system32\nsisvc.dll
20:42:23.0886 5108 nsi - ok
20:42:23.0901 5108 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
20:42:23.0901 5108 nsiproxy - ok
20:42:23.0964 5108 Ntfs (81189c3d7763838e55c397759d49007a) C:\Windows\system32\drivers\Ntfs.sys
20:42:23.0979 5108 Ntfs - ok
20:42:24.0104 5108 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
20:42:24.0104 5108 Null - ok
20:42:24.0120 5108 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\Windows\system32\drivers\nvraid.sys
20:42:24.0120 5108 nvraid - ok
20:42:24.0135 5108 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\Windows\system32\drivers\nvstor.sys
20:42:24.0151 5108 nvstor - ok
20:42:24.0167 5108 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
20:42:24.0167 5108 nv_agp - ok
20:42:24.0260 5108 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
20:42:24.0276 5108 odserv - ok
20:42:24.0291 5108 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
20:42:24.0291 5108 ohci1394 - ok
20:42:24.0323 5108 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
20:42:24.0338 5108 ose - ok
20:42:24.0588 5108 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
20:42:24.0635 5108 osppsvc - ok
20:42:24.0744 5108 p2pimsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
20:42:24.0744 5108 p2pimsvc - ok
20:42:24.0791 5108 p2psvc (59c3ddd501e39e006dac31bf55150d91) C:\Windows\system32\p2psvc.dll
20:42:24.0791 5108 p2psvc - ok
20:42:24.0853 5108 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\drivers\parport.sys
20:42:24.0853 5108 Parport - ok
20:42:24.0869 5108 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys
20:42:24.0869 5108 partmgr - ok
20:42:24.0869 5108 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\drivers\parvdm.sys
20:42:24.0869 5108 Parvdm - ok
20:42:24.0900 5108 PcaSvc (358ab7956d3160000726574083dfc8a6) C:\Windows\System32\pcasvc.dll
20:42:24.0900 5108 PcaSvc - ok
20:42:24.0931 5108 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
20:42:24.0931 5108 pci - ok
20:42:24.0947 5108 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
20:42:24.0947 5108 pciide - ok
20:42:24.0962 5108 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\drivers\pcmcia.sys
20:42:24.0962 5108 pcmcia - ok
20:42:24.0978 5108 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
20:42:24.0978 5108 pcw - ok
20:42:25.0009 5108 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
20:42:25.0025 5108 PEAUTH - ok
20:42:25.0087 5108 PeerDistSvc (af4d64d2a57b9772cf3801950b8058a6) C:\Windows\system32\peerdistsvc.dll
20:42:25.0087 5108 PeerDistSvc - ok
20:42:25.0165 5108 pla (414bba67a3ded1d28437eb66aeb8a720) C:\Windows\system32\pla.dll
20:42:25.0196 5108 pla - ok
20:42:25.0305 5108 PlugPlay (ec7bc28d207da09e79b3e9faf8b232ca) C:\Windows\system32\umpnpmgr.dll
20:42:25.0305 5108 PlugPlay - ok
20:42:25.0352 5108 Pml Driver HPZ12 (e638656001c52a1faa34f92e6d3a086b) C:\Windows\system32\HPZipm12.dll
20:42:25.0352 5108 Pml Driver HPZ12 - ok
20:42:25.0383 5108 PNRPAutoReg (63ff8572611249931eb16bb8eed6afc8) C:\Windows\system32\pnrpauto.dll
20:42:25.0383 5108 PNRPAutoReg - ok
20:42:25.0415 5108 PNRPsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
20:42:25.0415 5108 PNRPsvc - ok
20:42:25.0446 5108 PolicyAgent (53946b69ba0836bd95b03759530c81ec) C:\Windows\System32\ipsecsvc.dll
20:42:25.0446 5108 PolicyAgent - ok
20:42:25.0477 5108 Power (ac42f771cc29727bd1663f211e9ac507) C:\Windows\system32\umpo.dll
20:42:25.0493 5108 Power - ok
20:42:25.0571 5108 Power Manager DBC Service (7a1e6cf32edff1f13186997fca086fc7) C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
20:42:25.0586 5108 Power Manager DBC Service - ok
20:42:25.0633 5108 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
20:42:25.0633 5108 PptpMiniport - ok
20:42:25.0680 5108 prepdrvr (2a4514a9233d35a355f569ff8b8f6240) C:\Windows\system32\CCM\prepdrv.sys
20:42:25.0680 5108 prepdrvr - ok
20:42:25.0711 5108 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\drivers\processr.sys
20:42:25.0711 5108 Processor - ok
20:42:25.0727 5108 ProfSvc (43ca4ccc22d52fb58e8988f0198851d0) C:\Windows\system32\profsvc.dll
20:42:25.0727 5108 ProfSvc - ok
20:42:25.0758 5108 ProtectedStorage (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
20:42:25.0758 5108 ProtectedStorage - ok
20:42:25.0805 5108 psadd (80ddc44934305224aebfc37a264803c2) C:\Windows\system32\DRIVERS\psadd.sys
20:42:25.0805 5108 psadd - ok
20:42:25.0851 5108 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
20:42:25.0851 5108 Psched - ok
20:42:25.0883 5108 PwmEWSvc (20eff1ca8922f6a834261b985550a51d) C:\Program Files\ThinkPad\Utilities\PWMEWSVC.EXE
20:42:25.0883 5108 PwmEWSvc - ok
20:42:25.0945 5108 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\drivers\ql2300.sys
20:42:25.0961 5108 ql2300 - ok
20:42:26.0070 5108 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\drivers\ql40xx.sys
20:42:26.0070 5108 ql40xx - ok
20:42:26.0101 5108 QWAVE (31ac809e7707eb580b2bdb760390765a) C:\Windows\system32\qwave.dll
20:42:26.0101 5108 QWAVE - ok
20:42:26.0132 5108 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
20:42:26.0132 5108 QWAVEdrv - ok
20:42:26.0132 5108 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
20:42:26.0132 5108 RasAcd - ok
20:42:26.0163 5108 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
20:42:26.0163 5108 RasAgileVpn - ok
20:42:26.0179 5108 RasAuto (a60f1839849c0c00739787fd5ec03f13) C:\Windows\System32\rasauto.dll
20:42:26.0179 5108 RasAuto - ok
20:42:26.0195 5108 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
20:42:26.0195 5108 Rasl2tp - ok
20:42:26.0226 5108 RasMan (cb9e04dc05eacf5b9a36ca276d475006) C:\Windows\System32\rasmans.dll
20:42:26.0226 5108 RasMan - ok
20:42:26.0241 5108 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
20:42:26.0241 5108 RasPppoe - ok
20:42:26.0257 5108 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
20:42:26.0257 5108 RasSstp - ok
20:42:26.0273 5108 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
20:42:26.0288 5108 rdbss - ok
20:42:26.0288 5108 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
20:42:26.0288 5108 rdpbus - ok
20:42:26.0304 5108 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
20:42:26.0304 5108 RDPCDD - ok
20:42:26.0319 5108 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
20:42:26.0335 5108 RDPDR - ok
20:42:26.0351 5108 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
20:42:26.0351 5108 RDPENCDD - ok
20:42:26.0366 5108 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
20:42:26.0366 5108 RDPREFMP - ok
20:42:26.0382 5108 RdpVideoMiniport (68a0387f58e226deee23d9715955572a) C:\Windows\system32\drivers\rdpvideominiport.sys
20:42:26.0382 5108 RdpVideoMiniport - ok
20:42:26.0429 5108 RDPWD (244c83332f44589ae98fc347f11b2693) C:\Windows\system32\drivers\RDPWD.sys
20:42:26.0429 5108 RDPWD - ok
20:42:26.0460 5108 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
20:42:26.0475 5108 rdyboost - ok
20:42:26.0569 5108 RegSrvc (7031a7d5c3b773bfa14ea5956a18942a) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
20:42:26.0585 5108 RegSrvc - ok
20:42:26.0616 5108 RemoteAccess (7b5e1419717fac363a31cc302895217a) C:\Windows\System32\mprdim.dll
20:42:26.0616 5108 RemoteAccess - ok
20:42:26.0647 5108 RemoteRegistry (cb9a8683f4ef2bf99e123d79950d7935) C:\Windows\system32\regsvc.dll
20:42:26.0647 5108 RemoteRegistry - ok
20:42:26.0694 5108 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\Windows\system32\DRIVERS\rfcomm.sys
20:42:26.0694 5108 RFCOMM - ok
20:42:26.0694 5108 rimspci (e891f07815af88075705ef6a248711f6) C:\Windows\system32\drivers\rimspe86.sys
20:42:26.0694 5108 rimspci - ok
20:42:26.0741 5108 risdxc (9ebc0f4b55ec20e91fe40ac83825836c) C:\Windows\system32\DRIVERS\risdxc86.sys
20:42:26.0741 5108 risdxc - ok
20:42:26.0741 5108 rixdpcie (6a60626412129c713cc30c81870a8095) C:\Windows\system32\drivers\rixdpe86.sys
20:42:26.0741 5108 rixdpcie - ok
20:42:26.0756 5108 RpcEptMapper (78d072f35bc45d9e4e1b61895c152234) C:\Windows\System32\RpcEpMap.dll
20:42:26.0756 5108 RpcEptMapper - ok
20:42:26.0787 5108 RpcLocator (94d36c0e44677dd26981d2bfeef2a29d) C:\Windows\system32\locator.exe
20:42:26.0787 5108 RpcLocator - ok
20:42:26.0803 5108 RpcSs (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
20:42:26.0819 5108 RpcSs - ok
20:42:26.0834 5108 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
20:42:26.0834 5108 rspndr - ok
20:42:26.0881 5108 RTL8167 (d5ede44ca85899e0478208c8413c1c31) C:\Windows\system32\DRIVERS\Rt86win7.sys
20:42:26.0881 5108 RTL8167 - ok
20:42:26.0943 5108 rtl8192se (8e2cb65b05b102f2adeebe4c76bf11b6) C:\Windows\system32\DRIVERS\rtl8192se.sys
20:42:26.0959 5108 rtl8192se - ok
20:42:26.0975 5108 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
20:42:26.0975 5108 s3cap - ok
20:42:27.0006 5108 SamSs (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
20:42:27.0006 5108 SamSs - ok
20:42:27.0053 5108 SAService (1e5d06f915260e9270287a1839a98671) C:\Windows\system32\SAsrv.exe
20:42:27.0053 5108 SAService - ok
20:42:27.0115 5108 SbFw (9c9bcc79aef0aa97f16766c498002d36) C:\Windows\system32\drivers\SbFw.sys
20:42:27.0115 5108 SbFw - ok
20:42:27.0146 5108 SBFWIMCL (f27b38d70b7621378161d6f48be04d2c) C:\Windows\system32\DRIVERS\sbfwim.sys
20:42:27.0146 5108 SBFWIMCL - ok
20:42:27.0162 5108 SBFWIMCLMP (f27b38d70b7621378161d6f48be04d2c) C:\Windows\system32\DRIVERS\SBFWIM.sys
20:42:27.0162 5108 SBFWIMCLMP - ok
20:42:27.0177 5108 sbhips (53e5e7dc26bb920b97f258bbd52abfdc) C:\Windows\system32\drivers\sbhips.sys
20:42:27.0177 5108 sbhips - ok
20:42:27.0209 5108 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
20:42:27.0224 5108 sbp2port - ok
20:42:27.0224 5108 SBRE - ok
20:42:27.0240 5108 SbTis (6468e2973e04525decc105947ddd0d34) C:\Windows\system32\drivers\sbtis.sys
20:42:27.0240 5108 SbTis - ok
20:42:27.0271 5108 SCardSvr (8fc518ffe9519c2631d37515a68009c4) C:\Windows\System32\SCardSvr.dll
20:42:27.0287 5108 SCardSvr - ok
20:42:27.0287 5108 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
20:42:27.0287 5108 scfilter - ok
20:42:27.0333 5108 Schedule (a04bb13f8a72f8b6e8b4071723e4e336) C:\Windows\system32\schedsvc.dll
20:42:27.0349 5108 Schedule - ok
20:42:27.0365 5108 SCPolicySvc (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
20:42:27.0365 5108 SCPolicySvc - ok
20:42:27.0411 5108 sdbus (0328be1c7f1cba23848179f8762e391c) C:\Windows\system32\drivers\sdbus.sys
20:42:27.0411 5108 sdbus - ok
20:42:27.0427 5108 SDRSVC (08236c4bce5edd0a0318a438af28e0f7) C:\Windows\System32\SDRSVC.dll
20:42:27.0427 5108 SDRSVC - ok
20:42:27.0443 5108 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
20:42:27.0443 5108 secdrv - ok
20:42:27.0474 5108 seclogon (a59b3a4442c52060cc7a85293aa3546f) C:\Windows\system32\seclogon.dll
20:42:27.0474 5108 seclogon - ok
20:42:27.0489 5108 SENS (dcb7fcdcc97f87360f75d77425b81737) C:\Windows\system32\sens.dll
20:42:27.0489 5108 SENS - ok
20:42:27.0505 5108 SensrSvc (50087fe1ee447009c9cc2997b90de53f) C:\Windows\system32\sensrsvc.dll
20:42:27.0505 5108 SensrSvc - ok
20:42:27.0536 5108 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\drivers\serenum.sys
20:42:27.0536 5108 Serenum - ok
20:42:27.0552 5108 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\drivers\serial.sys
20:42:27.0552 5108 Serial - ok
20:42:27.0583 5108 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\drivers\sermouse.sys
20:42:27.0583 5108 sermouse - ok
20:42:27.0599 5108 SessionEnv (4ae380f39a0032eab7dd953030b26d28) C:\Windows\system32\sessenv.dll
20:42:27.0614 5108 SessionEnv - ok
20:42:27.0614 5108 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
20:42:27.0614 5108 sffdisk - ok
20:42:27.0614 5108 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
20:42:27.0614 5108 sffp_mmc - ok
20:42:27.0614 5108 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
20:42:27.0630 5108 sffp_sd - ok
20:42:27.0630 5108 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\drivers\sfloppy.sys
20:42:27.0630 5108 sfloppy - ok
20:42:27.0677 5108 SharedAccess (d1a079a0de2ea524513b6930c24527a2) C:\Windows\System32\ipnathlp.dll
20:42:27.0677 5108 SharedAccess - ok
20:42:27.0723 5108 ShellHWDetection (414da952a35bf5d50192e28263b40577) C:\Windows\System32\shsvcs.dll
20:42:27.0723 5108 ShellHWDetection - ok
20:42:27.0739 5108 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
20:42:27.0739 5108 sisagp - ok
20:42:27.0755 5108 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\drivers\SiSRaid2.sys
20:42:27.0755 5108 SiSRaid2 - ok
20:42:27.0770 5108 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\drivers\sisraid4.sys
20:42:27.0786 5108 SiSRaid4 - ok
20:42:27.0879 5108 SkypeUpdate (8c5477eb1c03ca76cd8eb66a610a9e90) C:\Program Files\Skype\Updater\Updater.exe
20:42:27.0879 5108 SkypeUpdate - ok
20:42:27.0895 5108 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
20:42:27.0895 5108 Smb - ok
20:42:27.0926 5108 smstsmgr - ok
20:42:27.0973 5108 SNMPTRAP (6a984831644eca1a33ffeae4126f4f37) C:\Windows\System32\snmptrap.exe
20:42:27.0973 5108 SNMPTRAP - ok
20:42:27.0989 5108 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
20:42:27.0989 5108 spldr - ok
20:42:28.0020 5108 Spooler (866a43013535dc8587c258e43579c764) C:\Windows\System32\spoolsv.exe
20:42:28.0020 5108 Spooler - ok
20:42:28.0176 5108 sppsvc (cf87a1de791347e75b98885214ced2b8) C:\Windows\system32\sppsvc.exe
20:42:28.0207 5108 sppsvc - ok
20:42:28.0301 5108 sppuinotify (b0180b20b065d89232a78a40fe56eaa6) C:\Windows\system32\sppuinotify.dll
20:42:28.0301 5108 sppuinotify - ok
20:42:28.0363 5108 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
20:42:28.0363 5108 srv - ok
20:42:28.0379 5108 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
20:42:28.0379 5108 srv2 - ok
20:42:28.0410 5108 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
20:42:28.0410 5108 srvnet - ok
20:42:28.0441 5108 SSDPSRV (d887c9fd02ac9fa880f6e5027a43e118) C:\Windows\System32\ssdpsrv.dll
20:42:28.0441 5108 SSDPSRV - ok
20:42:28.0457 5108 SstpSvc (d318f23be45d5e3a107469eb64815b50) C:\Windows\system32\sstpsvc.dll
20:42:28.0472 5108 SstpSvc - ok
20:42:28.0472 5108 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\drivers\stexstor.sys
20:42:28.0488 5108 stexstor - ok
20:42:28.0503 5108 StiSvc (e1fb3706030fb4578a0d72c2fc3689e4) C:\Windows\System32\wiaservc.dll
20:42:28.0519 5108 StiSvc - ok
20:42:28.0535 5108 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
20:42:28.0535 5108 storflt - ok
20:42:28.0550 5108 StorSvc (0bf669f0a910beda4a32258d363af2a5) C:\Windows\system32\storsvc.dll
20:42:28.0550 5108 StorSvc - ok
20:42:28.0566 5108 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
20:42:28.0566 5108 storvsc - ok
20:42:28.0644 5108 SUService (6b99af4ba580491196a273ce7c6ee628) C:\Program Files\Lenovo\System Update\SUService.exe
20:42:28.0644 5108 SUService - ok
20:42:28.0675 5108 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\DRIVERS\swenum.sys
20:42:28.0675 5108 swenum - ok
20:42:28.0722 5108 swprv (a28bd92df340e57b024ba433165d34d7) C:\Windows\System32\swprv.dll
20:42:28.0722 5108 swprv - ok
20:42:28.0737 5108 Synth3dVsc (f2ad8960812fd111e20e84659ef19d43) C:\Windows\system32\drivers\Synth3dVsc.sys
20:42:28.0737 5108 Synth3dVsc - ok
20:42:28.0815 5108 SynTP (7e194e86bf306e07470a0ac56b41de83) C:\Windows\system32\DRIVERS\SynTP.sys
20:42:28.0831 5108 SynTP - ok
20:42:28.0956 5108 SysMain (36650d618ca34c9d357dfd3d89b2c56f) C:\Windows\system32\sysmain.dll
20:42:28.0956 5108 SysMain - ok
20:42:29.0003 5108 TabletInputService (763fecdc3d30c815fe72dd57936c6cd1) C:\Windows\System32\TabSvc.dll
20:42:29.0003 5108 TabletInputService - ok
20:42:29.0018 5108 TapiSrv (613bf4820361543956909043a265c6ac) C:\Windows\System32\tapisrv.dll
20:42:29.0018 5108 TapiSrv - ok
20:42:29.0049 5108 TBS (b799d9fdb26111737f58288d8dc172d9) C:\Windows\System32\tbssvc.dll
20:42:29.0049 5108 TBS - ok
20:42:29.0143 5108 Tcpip (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\drivers\tcpip.sys
20:42:29.0159 5108 Tcpip - ok
20:42:29.0283 5108 TCPIP6 (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\DRIVERS\tcpip.sys
20:42:29.0299 5108 TCPIP6 - ok
20:42:29.0377 5108 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
20:42:29.0377 5108 tcpipreg - ok
20:42:29.0393 5108 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
20:42:29.0393 5108 TDPIPE - ok
20:42:29.0424 5108 TDTCP (2c2c5afe7ee4f620d69c23c0617651a8) C:\Windows\system32\drivers\tdtcp.sys
20:42:29.0424 5108 TDTCP - ok
20:42:29.0439 5108 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
20:42:29.0439 5108 tdx - ok
20:42:29.0455 5108 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\DRIVERS\termdd.sys
20:42:29.0455 5108 TermDD - ok
20:42:29.0486 5108 terminpt (052306fd76793d5d5ab5d9891fd1adbb) C:\Windows\system32\drivers\terminpt.sys
20:42:29.0486 5108 terminpt - ok
20:42:29.0517 5108 TermService (382c804c92811be57829d8e550a900e2) C:\Windows\System32\termsrv.dll
20:42:29.0517 5108 TermService - ok
20:42:29.0549 5108 Themes (42fb6afd6b79d9fe07381609172e7ca4) C:\Windows\system32\themeservice.dll
20:42:29.0549 5108 Themes - ok
20:42:29.0580 5108 THREADORDER (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
20:42:29.0580 5108 THREADORDER - ok
20:42:29.0595 5108 TPM (5ad05191dc8b444a7ba4d79b76c42a30) C:\Windows\system32\drivers\tpm.sys
20:42:29.0595 5108 TPM - ok
20:42:29.0642 5108 TPPWRIF (c16ec6a5390904d3971179553852025b) C:\Windows\system32\drivers\Tppwr32v.sys
20:42:29.0642 5108 TPPWRIF - ok
20:42:29.0658 5108 TrkWks (4792c0378db99a9bc2ae2de6cfff0c3a) C:\Windows\System32\trkwks.dll
20:42:29.0658 5108 TrkWks - ok
20:42:29.0720 5108 TrustedInstaller (2c49b175aee1d4364b91b531417fe583) C:\Windows\servicing\TrustedInstaller.exe
20:42:29.0720 5108 TrustedInstaller - ok
20:42:29.0736 5108 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
20:42:29.0736 5108 tssecsrv - ok
20:42:29.0767 5108 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
20:42:29.0767 5108 TsUsbFlt - ok
20:42:29.0783 5108 TsUsbGD (01246f0baad7b68ec0f472aa41e33282) C:\Windows\system32\drivers\TsUsbGD.sys
20:42:29.0783 5108 TsUsbGD - ok
20:42:29.0798 5108 tsusbhub (045acb987c650d8186c6b4a692223860) C:\Windows\system32\drivers\tsusbhub.sys
20:42:29.0798 5108 tsusbhub - ok
20:42:29.0829 5108 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
20:42:29.0829 5108 tunnel - ok
20:42:29.0829 5108 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\drivers\uagp35.sys
20:42:29.0829 5108 uagp35 - ok
20:42:29.0845 5108 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
20:42:29.0845 5108 udfs - ok
20:42:29.0876 5108 UI0Detect (8344fd4fce927880aa1aa7681d4927e5) C:\Windows\system32\UI0Detect.exe
20:42:29.0876 5108 UI0Detect - ok
20:42:29.0892 5108 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
20:42:29.0907 5108 uliagpkx - ok
20:42:29.0923 5108 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\DRIVERS\umbus.sys
20:42:29.0923 5108 umbus - ok
20:42:29.0923 5108 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\drivers\umpass.sys
20:42:29.0923 5108 UmPass - ok
20:42:29.0939 5108 UmRdpService (409994a8eaceee4e328749c0353527a0) C:\Windows\System32\umrdp.dll
20:42:29.0939 5108 UmRdpService - ok
20:42:30.0126 5108 UNS (a69cd6bdb82872999d2e46f9324ada83) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
20:42:30.0157 5108 UNS - ok
20:42:30.0266 5108 upnphost (833fbb672460efce8011d262175fad33) C:\Windows\System32\upnphost.dll
20:42:30.0266 5108 upnphost - ok
20:42:30.0329 5108 usbaudio (1d9f2bd026e8e2d45033a4df3f16b78c) C:\Windows\system32\drivers\usbaudio.sys
20:42:30.0329 5108 usbaudio - ok
20:42:30.0344 5108 usbccgp (4663ad7f61519e88687393bfcb154e4c) C:\Windows\system32\DRIVERS\usbccgp.sys
20:42:30.0344 5108 usbccgp - ok
20:42:30.0375 5108 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
20:42:30.0375 5108 usbcir - ok
20:42:30.0391 5108 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\DRIVERS\usbehci.sys
20:42:30.0391 5108 usbehci - ok
20:42:30.0422 5108 usbhub (57ca3e7c775c22c62927a41838e10938) C:\Windows\system32\DRIVERS\usbhub.sys
20:42:30.0422 5108 usbhub - ok
20:42:30.0438 5108 usbohci (e185d44fac515a18d9deddc23c2cdf44) C:\Windows\system32\drivers\usbohci.sys
20:42:30.0438 5108 usbohci - ok
20:42:30.0438 5108 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\drivers\usbprint.sys
20:42:30.0438 5108 usbprint - ok
20:42:30.0453 5108 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
20:42:30.0453 5108 USBSTOR - ok
20:42:30.0453 5108 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\Windows\system32\drivers\usbuhci.sys
20:42:30.0453 5108 usbuhci - ok
20:42:30.0516 5108 usbvideo (45f4e7bf43db40a6c6b4d92c76cbc3f2) C:\Windows\system32\Drivers\usbvideo.sys
20:42:30.0516 5108 usbvideo - ok
20:42:30.0547 5108 UxSms (081e6e1c91aec36758902a9f727cd23c) C:\Windows\System32\uxsms.dll
20:42:30.0547 5108 UxSms - ok
20:42:30.0578 5108 VaultSvc (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
20:42:30.0578 5108 VaultSvc - ok
20:42:30.0594 5108 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
20:42:30.0594 5108 vdrvroot - ok
20:42:30.0625 5108 vds (c3cd30495687c2a2f66a65ca6fd89be9) C:\Windows\System32\vds.exe
20:42:30.0625 5108 vds - ok
20:42:30.0656 5108 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
20:42:30.0656 5108 vga - ok
20:42:30.0687 5108 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
20:42:30.0687 5108 VgaSave - ok
20:42:30.0687 5108 VGPU - ok
20:42:30.0703 5108 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
20:42:30.0703 5108 vhdmp - ok
20:42:30.0719 5108 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
20:42:30.0719 5108 viaagp - ok
20:42:30.0734 5108 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\drivers\viac7.sys
20:42:30.0734 5108 ViaC7 - ok
20:42:30.0734 5108 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
20:42:30.0734 5108 viaide - ok
20:42:30.0765 5108 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
20:42:30.0765 5108 vmbus - ok
20:42:30.0765 5108 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
20:42:30.0765 5108 VMBusHID - ok
20:42:30.0781 5108 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
20:42:30.0781 5108 volmgr - ok
20:42:30.0812 5108 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
20:42:30.0812 5108 volmgrx - ok
20:42:30.0828 5108 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
20:42:30.0828 5108 volsnap - ok
20:42:30.0875 5108 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\drivers\vsmraid.sys
20:42:30.0875 5108 vsmraid - ok
20:42:30.0937 5108 VSS (209a3b1901b83aeb8527ed211cce9e4c) C:\Windows\system32\vssvc.exe
20:42:30.0953 5108 VSS - ok
20:42:30.0968 5108 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys
20:42:30.0968 5108 vwifibus - ok
20:42:30.0999 5108 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys
20:42:30.0999 5108 vwififlt - ok
20:42:31.0046 5108 W32Time (55187fd710e27d5095d10a472c8baf1c) C:\Windows\system32\w32time.dll
20:42:31.0046 5108 W32Time - ok
20:42:31.0062 5108 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\drivers\wacompen.sys
20:42:31.0062 5108 WacomPen - ok
20:42:31.0077 5108 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
20:42:31.0077 5108 WANARP - ok
20:42:31.0077 5108 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
20:42:31.0077 5108 Wanarpv6 - ok
20:42:31.0171 5108 WatAdminSvc (353a04c273ec58475d8633e75ccd5604) C:\Windows\system32\Wat\WatAdminSvc.exe
20:42:31.0187 5108 WatAdminSvc - ok
20:42:31.0311 5108 wbengine (691e3285e53dca558e1a84667f13e15a) C:\Windows\system32\wbengine.exe
20:42:31.0327 5108 wbengine - ok
20:42:31.0358 5108 WbioSrvc (9614b5d29dc76ac3c29f6d2d3aa70e67) C:\Windows\System32\wbiosrvc.dll
20:42:31.0358 5108 WbioSrvc - ok
20:42:31.0374 5108 wcncsvc (34eee0dfaadb4f691d6d5308a51315dc) C:\Windows\System32\wcncsvc.dll
20:42:31.0389 5108 wcncsvc - ok
20:42:31.0405 5108 WcsPlugInService (5d930b6357a6d2af4d7653bdabbf352f) C:\Windows\System32\WcsPlugInService.dll
20:42:31.0405 5108 WcsPlugInService - ok
20:42:31.0452 5108 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\drivers\wd.sys
20:42:31.0452 5108 Wd - ok
20:42:31.0483 5108 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
20:42:31.0483 5108 Wdf01000 - ok
20:42:31.0514 5108 WdiServiceHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
20:42:31.0514 5108 WdiServiceHost - ok
20:42:31.0514 5108 WdiSystemHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
20:42:31.0514 5108 WdiSystemHost - ok
20:42:31.0561 5108 WebClient (a9d880f97530d5b8fee278923349929d) C:\Windows\System32\webclnt.dll
20:42:31.0561 5108 WebClient - ok
20:42:31.0577 5108 Wecsvc (760f0afe937a77cff27153206534f275) C:\Windows\system32\wecsvc.dll
20:42:31.0577 5108 Wecsvc - ok
20:42:31.0592 5108 wercplsupport (ac804569bb2364fb6017370258a4091b) C:\Windows\System32\wercplsupport.dll
20:42:31.0592 5108 wercplsupport - ok
20:42:31.0623 5108 WerSvc (08e420d873e4fd85241ee2421b02c4a4) C:\Windows\System32\WerSvc.dll
20:42:31.0623 5108 WerSvc - ok
20:42:31.0623 5108 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
20:42:31.0623 5108 WfpLwf - ok
20:42:31.0639 5108 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
20:42:31.0655 5108 WIMMount - ok
20:42:31.0764 5108 WinDefend (3fae8f94296001c32eab62cd7d82e0fd) C:\Program Files\Windows Defender\mpsvc.dll
20:42:31.0764 5108 WinDefend - ok
20:42:31.0779 5108 WinHttpAutoProxySvc - ok
20:42:31.0826 5108 Winmgmt (f62e510b6ad4c21eb9fe8668ed251826) C:\Windows\system32\wbem\WMIsvc.dll
20:42:31.0826 5108 Winmgmt - ok
20:42:31.0904 5108 WinRM (1b91cd34ea3a90ab6a4ef0550174f4cc) C:\Windows\system32\WsmSvc.dll
20:42:31.0920 5108 WinRM - ok
20:42:31.0998 5108 WinUsb (a67e5f9a400f3bd1be3d80613b45f708) C:\Windows\system32\DRIVERS\WinUsb.sys
20:42:31.0998 5108 WinUsb - ok
20:42:32.0060 5108 Wlansvc (16935c98ff639d185086a3529b1f2067) C:\Windows\System32\wlansvc.dll
20:42:32.0060 5108 Wlansvc - ok
20:42:32.0091 5108 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\DRIVERS\wmiacpi.sys
20:42:32.0091 5108 WmiAcpi - ok
20:42:32.0154 5108 wmiApSrv (6eb6b66517b048d87dc1856ddf1f4c3f) C:\Windows\system32\wbem\WmiApSrv.exe
20:42:32.0154 5108 wmiApSrv - ok
20:42:32.0279 5108 WMPNetworkSvc (3b40d3a61aa8c21b88ae57c58ab3122e) C:\Program Files\Windows Media Player\wmpnetwk.exe
20:42:32.0294 5108 WMPNetworkSvc - ok
20:42:32.0388 5108 WPCSvc (a2f0ec770a92f2b3f9de6d518e11409c) C:\Windows\System32\wpcsvc.dll
20:42:32.0388 5108 WPCSvc - ok
20:42:32.0403 5108 WPDBusEnum (aa53356d60af47eacc85bc617a4f3f66) C:\Windows\system32\wpdbusenum.dll
20:42:32.0403 5108 WPDBusEnum - ok
20:42:32.0450 5108 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
20:42:32.0466 5108 ws2ifsl - ok
20:42:32.0466 5108 wscsvc (6f5d49efe0e7164e03ae773a3fe25340) C:\Windows\system32\wscsvc.dll
20:42:32.0481 5108 wscsvc - ok
20:42:32.0481 5108 WSearch - ok
20:42:32.0606 5108 wuauserv (3026418a50c5b4761befa632cedb7406) C:\Windows\system32\wuaueng.dll
20:42:32.0622 5108 wuauserv - ok
20:42:32.0731 5108 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
20:42:32.0731 5108 WudfPf - ok
20:42:32.0747 5108 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
20:42:32.0747 5108 WUDFRd - ok
20:42:32.0778 5108 wudfsvc (8d1e1e529a2c9e9b6a85b55a345f7629) C:\Windows\System32\WUDFSvc.dll
20:42:32.0778 5108 wudfsvc - ok
20:42:32.0793 5108 WwanSvc (ff2d745b560f7c71b31f30f4d49f73d2) C:\Windows\System32\wwansvc.dll
20:42:32.0793 5108 WwanSvc - ok
20:42:32.0825 5108 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
20:42:32.0871 5108 \Device\Harddisk0\DR0 - ok
20:42:32.0887 5108 Boot (0x1200) (6dab44c6b90a5f7c03c6cb1af55dcd26) \Device\Harddisk0\DR0\Partition0
20:42:32.0887 5108 \Device\Harddisk0\DR0\Partition0 - ok
20:42:32.0887 5108 Boot (0x1200) (8aac9f5ad1dfaa44681dbcd5f54c05f4) \Device\Harddisk0\DR0\Partition1
20:42:32.0887 5108 \Device\Harddisk0\DR0\Partition1 - ok
20:42:32.0887 5108 ============================================================
20:42:32.0887 5108 Scan finished
20:42:32.0887 5108 ============================================================
20:42:32.0903 5784 Detected object count: 0
20:42:32.0903 5784 Actual detected object count: 0
20:42:47.0348 4016 Deinitialize success

aswMBR Log: (Performed QuickScan - should I scan the entire C:\ drive?)

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-25 20:42:55
-----------------------------
20:42:55.574 OS Version: Windows 6.1.7601 Service Pack 1
20:42:55.574 Number of processors: 4 586 0x2A07
20:42:55.574 ComputerName: CTSNJY18384 UserName:
20:42:56.495 Initialize success
20:44:13.899 AVAST engine defs: 12042501
20:44:17.784 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
20:44:17.799 Disk 0 Vendor: TOSHIBA_ MC10 Size: 305245MB BusType: 3
20:44:17.815 Disk 0 MBR read successfully
20:44:17.815 Disk 0 MBR scan
20:44:17.831 Disk 0 Windows 7 default MBR code
20:44:17.831 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 200 MB offset 2048
20:44:17.846 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305043 MB offset 411648
20:44:17.846 Disk 0 scanning sectors +625139712
20:44:17.909 Disk 0 scanning C:\Windows\system32\drivers
20:44:24.632 Service scanning
20:44:47.377 Modules scanning
20:44:55.083 Disk 0 trace - called modules:
20:44:55.099 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys dxgkrnl.sys igdkmd32.sys dxgmms1.sys watchdog.sys intelppm.sys ndis.sys NETwNs32.sys sbtis.sys DozeHDD.sys
20:44:55.598 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8817f030]
20:44:55.598 3 CLASSPNP.SYS[8cdab59e] -> nt!IofCallDriver -> [0x869d7838]
20:44:55.614 5 ACPI.sys[8c68a3d4] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x869e5028]
20:44:56.815 AVAST engine scan C:\Windows
20:44:59.124 AVAST engine scan C:\Windows\system32
20:46:33.520 AVAST engine scan C:\Windows\system32\drivers
20:46:41.803 AVAST engine scan C:\Users\ctsuser.CTSNJY18384
20:47:42.831 AVAST engine scan C:\ProgramData
20:47:57.541 Scan finished successfully
20:48:04.967 Disk 0 MBR has been saved successfully to "C:\Users\ctsuser.CTSNJY18384\Desktop\MBR.dat"
20:48:04.967 The log file has been saved successfully to "C:\Users\ctsuser.CTSNJY18384\Desktop\aswMBR.txt"


Redirected Google Search Results from Firefox 12 still persist. Seems like if you search for Las Vegas (after a reboot), the search results are always hijacked. This time it sent me to this URL: http://www.askthecrew.net/search/bc_tus4/innerxy.php?q=las%20vegas&xy=10673

I don't have any other symptoms of spyware or malware (no pop-ups or slow-downs) as far as I know and I'm really just concerned that I don't know exactly how compromised my system is. I use it everyday and don't notice any other issues other than the search results hijack.

Also, I have not tried uninstalling Firefox and removing all of its components (which I'm sure you will suggest soon).

Anyway, thanks again and please let me know what the next steps are.

-Josh
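The redirect URL in the post above is the tell: a host that is not Google receives the user's own search term (q=las%20vegas) in its query string, seconds after that term was typed into Google. The following script, an added example that is not part of the original thread and not code from any tool mentioned in it, turns that observation into a detection rule over proxy or browser-history log lines. The log lines, the three-field "timestamp client url" layout and the 30-second window are assumptions constructed for the example, not any product's real format.

```python
"""Detect search-result hijacks in proxy or browser-history logs.

Added example for this thread, not code from the original post or from
any of the tools it mentions. Heuristic: a client submits a query to a
search engine and, within a short window, the same client fetches a page
on an unrelated host whose query string carries that very search term
(the askthecrew.net URL above does exactly that with q=las%20vegas).
The log lines are constructed; the line layout "timestamp client url"
is an assumption for the example, not any product's real format.
"""
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}
WINDOW = timedelta(seconds=30)  # how long a search term stays "recent"

# Constructed sample log (not captured from the poster's machine).
SAMPLE_LOG = """\
2012-04-25T20:50:01 192.168.1.10 http://www.google.com/search?q=las+vegas&ie=utf-8
2012-04-25T20:50:03 192.168.1.10 http://www.askthecrew.net/search/bc_tus4/innerxy.php?q=las%20vegas&xy=10673
2012-04-25T20:50:05 192.168.1.10 http://www.lasvegas.com/
2012-04-25T20:51:10 192.168.1.11 http://www.google.com/search?q=thinkpad+drivers
2012-04-25T20:53:30 192.168.1.11 http://example.net/cgi/go.php?q=thinkpad%20drivers
"""


def _norm(term: str) -> str:
    """Lower-case and collapse whitespace so 'las+vegas' == 'las%20vegas'."""
    return " ".join(term.lower().split())


def parse_line(line: str):
    ts, client, url = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), client, url


def detect_hijacks(log_text: str) -> list:
    """Return one record per request that echoes a recent search term."""
    recent = {}  # client -> [(timestamp, normalized query), ...]
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, url = parse_line(raw)
        parts = urlsplit(url)
        params = parse_qs(parts.query)
        if parts.hostname in SEARCH_ENGINES:
            # Remember what this client searched for; nothing to flag yet.
            for q in params.get("q", []):
                recent.setdefault(client, []).append((ts, _norm(q)))
            continue
        # Drop searches older than the window, then compare every query
        # parameter of this request against what is left.
        window = [(t, q) for t, q in recent.get(client, []) if ts - t <= WINDOW]
        recent[client] = window
        for values in params.values():
            for value in values:
                if any(_norm(value) == q for _, q in window):
                    hits.append({
                        "time": ts.isoformat(), "client": client,
                        "host": parts.hostname, "term": _norm(value), "url": url,
                    })
    return hits


if __name__ == "__main__":
    for hit in detect_hijacks(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} -> {hit["host"]} echoes "{hit["term"]}"')
```

On the constructed sample only the askthecrew.net request is flagged: the lasvegas.com visit has no query string, and the example.net request from the second client comes more than 30 seconds after its Google search. The rule is deliberately narrow; widening the window or matching on partial terms trades false negatives for noise from legitimate sites that pass a search term through (affiliate links, site-internal search).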

#10 gringo_pr (Malware Response Team)

Posted 26 April 2012 - 12:01 AM

I would like you to go to this site to see how to manage addons - http://www.ghacks.net/2008/11/18/manage-firefox-plugins/

I want you to look for this addon and disable it - "Performance Cache 1.0"


If there is no such add-on, then I want you to uninstall Firefox and reinstall it.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
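The instruction above relies on the browser's own add-on manager to reveal the offending add-on. As an added example, not code from the thread, from gringo_pr or from Mozilla, the following script inventories a Firefox profile's extensions directly from disk by reading each install.rdf manifest (the manifest format Firefox 12-era extensions used), so a hijacking add-on can be listed and compared against an allowlist without trusting the UI. The sample profile, the add-on names and the ids perfcache@example.invalid and blocker@example.invalid are constructed for the example; they are not the real identifiers of "Performance Cache 1.0".

```python
"""Inventory legacy (install.rdf) Firefox extensions in a profile.

Added example for this thread, not code from the original post or from
Mozilla. It walks <profile>/extensions/, reads id, name and version from
each install.rdf (unpacked directory or .xpi archive) and flags entries
whose id is not on an allowlist, so a hijacking add-on can be spotted
without trusting the browser's own add-on manager UI. The sample profile,
the add-on names and the ids "perfcache@example.invalid" and
"blocker@example.invalid" are constructed for the example; they are not
the real identifiers of the add-on named above.
"""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"


def parse_install_rdf(data: bytes) -> dict:
    """Pull id/name/version out of an install.rdf manifest."""
    root = ET.fromstring(data)
    for desc in root.iter(RDF + "Description"):
        about = desc.get("about") or desc.get(RDF + "about")
        if about == "urn:mozilla:install-manifest":
            # Fields may be child elements (<em:id>) or attributes (em:id="").
            return {k: (desc.findtext(EM + k) or desc.get(EM + k) or "").strip()
                    for k in ("id", "name", "version")}
    raise ValueError("no install manifest found")


def list_extensions(profile_dir: str) -> list:
    """Return one dict per extension found under <profile>/extensions."""
    ext_dir = os.path.join(profile_dir, "extensions")
    found = []
    if not os.path.isdir(ext_dir):
        return found
    for entry in sorted(os.listdir(ext_dir)):
        path = os.path.join(ext_dir, entry)
        try:
            if os.path.isdir(path):
                with open(os.path.join(path, "install.rdf"), "rb") as fh:
                    info = parse_install_rdf(fh.read())
            elif entry.lower().endswith(".xpi") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as xpi:
                    info = parse_install_rdf(xpi.read("install.rdf"))
            else:
                continue
        except (OSError, KeyError, ValueError, ET.ParseError) as exc:
            # Keep unreadable entries visible: a broken manifest is itself a finding.
            info = {"id": entry, "name": f"<unreadable: {exc}>", "version": ""}
        info["path"] = path
        found.append(info)
    return found


def flag_unknown(extensions: list, allowlist: set) -> list:
    """Everything whose id is not explicitly allowed is worth a look."""
    return [e for e in extensions if e["id"] not in allowlist]


INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{id}</em:id>
    <em:name>{name}</em:name>
    <em:version>{version}</em:version>
  </Description>
</RDF>
"""


def build_sample_profile() -> str:
    """Create a throwaway profile with one unpacked and one packed extension (constructed)."""
    profile = tempfile.mkdtemp(prefix="ffprofile-")
    ext_dir = os.path.join(profile, "extensions")
    unpacked = os.path.join(ext_dir, "perfcache@example.invalid")
    os.makedirs(unpacked)
    with open(os.path.join(unpacked, "install.rdf"), "w") as fh:
        fh.write(INSTALL_RDF.format(id="perfcache@example.invalid",
                                    name="Performance Cache", version="1.0"))
    with zipfile.ZipFile(os.path.join(ext_dir, "blocker@example.invalid.xpi"), "w") as xpi:
        xpi.writestr("install.rdf", INSTALL_RDF.format(id="blocker@example.invalid",
                                                       name="Example Blocker", version="2.1"))
    return profile


if __name__ == "__main__":
    profile = build_sample_profile()
    for ext in flag_unknown(list_extensions(profile), {"blocker@example.invalid"}):
        print(f'UNKNOWN {ext["id"]} "{ext["name"]}" {ext["version"]} at {ext["path"]}')
```

Point it at the real profile directory (on Windows 7 it lives under the user's AppData\Roaming\Mozilla\Firefox\Profiles\) instead of the constructed one. Two caveats: Firefox of that era also loads extensions registered under the Windows registry keys HKLM and HKCU \Software\Mozilla\Firefox\Extensions and from the application's own extensions directory, which this profile-only check does not cover; and an add-on that has patched the browser's files or profile outside the extensions directory would not show up either. Both are reasons the full uninstall and reinstall advised above is the safer path when no suspicious add-on is found.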

#11 lax01 (Topic Starter)

Posted 26 April 2012 - 11:18 AM

Performance Cache is not installed as a Plug-In.

I assume you want me to uninstall Firefox and ensure I uninstall all preferences and cookies... please confirm.

Thank you

#12 gringo_pr (Malware Response Team)

Posted 26 April 2012 - 01:46 PM

Yes, that is correct. You may keep bookmarks if you wish.



gringo

#13 lax01 (Topic Starter)

Posted 26 April 2012 - 09:58 PM

So that appears to have fixed it. Tried the search terms where I was consistently getting redirected and I am no longer getting redirected. So I believe we have resolved this.

Thank you so much for the time and I will report back if it occurs again.

Have a good one

Edited by lax01, 26 April 2012 - 09:58 PM.


#14 gringo_pr (Malware Response Team)

Posted 26 April 2012 - 10:14 PM

Greetings

I am very glad that fixed the problem but we still have some work to do so it would be best to stay with me until I give the all clear

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#15 lax01 (Topic Starter)

Posted 26 April 2012 - 10:57 PM

Sounds good.

No issues. No reboots.

Here's the log:

ComboFix 12-04-25.02 - joshua.brozen 04/26/2012 20:39:12.3.4 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.3493.2517 [GMT -7:00]
Running from: c:\users\ctsuser.CTSNJY18384\Desktop\ComboFix.exe
Command switches used :: c:\users\ctsuser.CTSNJY18384\Desktop\CFscript.txt
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-03-27 to 2012-04-27 )))))))))))))))))))))))))))))))
.
.
2012-04-27 03:42 . 2012-04-27 03:42 -------- d-----w- c:\users\nss_admin\AppData\Local\temp
2012-04-27 03:42 . 2012-04-27 03:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-27 03:42 . 2012-04-27 03:42 -------- d-----w- c:\users\ctsuser1\AppData\Local\temp
2012-04-27 03:42 . 2012-04-27 03:42 -------- d-----w- c:\users\ctsuser\AppData\Local\temp
2012-04-27 03:42 . 2012-04-27 03:42 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-04-27 03:42 . 2012-04-27 03:42 -------- d-----w- c:\users\Administrator.NSS_PC\AppData\Local\temp
2012-04-27 03:36 . 2012-04-27 03:36 -------- d-----w- C:\QUARANTINE
2012-04-24 06:05 . 2012-04-18 10:06 6734704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B357F1FE-9710-482C-AEF3-3B5B9510D2F4}\mpengine.dll
2012-04-24 04:10 . 2012-04-24 04:10 -------- d-----w- c:\users\ctsuser.CTSNJY18384\AppData\Roaming\Malwarebytes
2012-04-24 00:08 . 2012-01-13 14:47 611224 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-04-21 01:06 . 2012-04-27 03:42 -------- d-----w- c:\users\ctsuser.CTSNJY18384\AppData\Local\temp
2012-04-19 16:14 . 1998-10-29 23:45 306688 ----a-w- c:\windows\IsUninst.exe
2012-04-19 00:59 . 2011-12-27 01:10 33080 ----a-w- c:\windows\system32\drivers\psadd.sys
2012-04-18 17:09 . 2011-04-06 00:35 94040 ----a-w- c:\windows\system32\drivers\sbhips.sys
2012-04-18 17:09 . 2011-04-06 00:35 78936 ----a-w- c:\windows\system32\drivers\sbtis.sys
2012-04-18 17:09 . 2011-02-08 16:14 69208 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2012-04-18 17:09 . 2011-04-06 00:35 221784 ----a-w- c:\windows\system32\drivers\SbFw.sys
2012-04-18 16:56 . 2012-03-01 05:46 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-18 16:56 . 2012-03-01 05:37 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-18 16:56 . 2012-03-01 05:33 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-18 16:56 . 2012-03-01 05:29 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-18 16:56 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-18 16:56 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-18 16:52 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-04-18 16:52 . 2012-02-03 03:54 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-04-18 16:52 . 2012-01-25 05:27 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-18 16:52 . 2012-01-25 05:32 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-18 16:52 . 2012-01-25 05:32 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-18 16:52 . 2012-02-17 05:34 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-04-18 16:52 . 2012-02-17 05:34 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-04-18 16:52 . 2012-02-17 04:14 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-18 16:52 . 2012-02-17 04:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-04-10 02:25 . 2012-04-17 02:51 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-10 01:34 . 2012-04-10 01:34 -------- d-----w- c:\users\ctsuser.CTSNJY18384\AppData\Local\{7730191F-8261-11E1-826D-B8AC6F996F26}
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-17 02:51 . 2011-06-14 08:40 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 17:18 . 2011-01-20 08:09 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-14 19:09 . 2012-02-14 19:09 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-04-21 01:19 . 2012-04-27 02:45 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-07-15 2282792]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-15 316032]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"HideFastUserSwitching"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Antivirus]
c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2011-03-16 01:42 499608 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALCKRESI.EXE]
2011-04-04 22:23 281960 ----a-w- c:\program files\Lenovo\AutoLock\ALCKRESI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 19:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Communicator]
2009-03-14 21:12 5731152 ----a-w- c:\program files\Microsoft Office Communicator\communicator.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ForteConfig]
2010-10-26 21:39 49568 ------w- c:\program files\CONEXANT\ForteConfig\fmapp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-01-20 17:16 136176 ----atw- c:\users\ctsuser.CTSNJY18384\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2011-10-04 03:32 177432 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2011-10-04 03:32 142616 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMSS]
2011-01-17 14:41 112152 ----a-w- c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LENOVO.TPKNRRES]
2010-12-17 02:01 41320 ----a-w- c:\program files\Lenovo\Communications Utility\TpKnrres.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2011-07-22 07:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2011-10-04 03:32 176408 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV]
2011-07-04 07:02 1299816 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RotateImage]
2008-10-30 19:23 31744 ----a-w- c:\program files\Integrated Camera Driver\RCIMGDIR.exe
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2011-03-04 132096]
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-17 253088]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-12-15 45352]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2011-01-20 29472]
R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [2011-07-04 292200]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-02-27 132480]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-11-09 126064]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-06-14 85152]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2011-07-04 83304]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2009-10-26 48640]
R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2009-09-28 38912]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-03-09 1006624]
R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\DRIVERS\sbfwim.sys [2011-02-08 69208]
R3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2011-04-06 94040]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-20 1343400]
R4 enstart;enstart;c:\windows\system32\enstart.exe [2012-01-13 929792]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [2011-07-04 25968]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-06-14 162928]
S1 enstart_;enstart_;c:\windows\system32\enstart_.sys [2012-01-13 77760]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2010-09-07 13680]
S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2011-04-06 221784]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2011-04-06 78936]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg32.exe [2010-12-17 190592]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\Intel\Services\IPT\jhi_service.exe [2011-02-07 210896]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2010-12-17 40808]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2010-12-17 59240]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-06-14 145936]
S2 PwmEWSvc;Cisco EnergyWise Enabler;c:\program files\ThinkPad\Utilities\PWMEWSVC.EXE [2011-07-04 148840]
S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc86.sys [2011-03-23 75264]
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe [2010-11-19 446592]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-17 2656280]
S3 e1cexpress;Intel® PRO/1000 PCI Express Network Connection Driver C;c:\windows\system32\DRIVERS\e1c6232.sys [2010-12-21 238760]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-08-23 270336]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-05-01 7513088]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
S3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\SBFWIM.sys [2011-02-08 69208]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 02:51]
.
2012-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1980314247-1365648935-1728094946-1001Core.job
- c:\users\ctsuser.CTSNJY18384\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-20 17:16]
.
2012-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1980314247-1365648935-1728094946-1001UA.job
- c:\users\ctsuser.CTSNJY18384\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-20 17:16]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.na.mattel.com/CookieAuth.dll?GetLogon?reason=2&formdir=5&curl=Z2Fowa
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\ctsuser.CTSNJY18384\AppData\Roaming\Mozilla\Firefox\Profiles\7xvfariy.default\
FF - prefs.js: browser.startup.homepage - google.com
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-04-26 20:43:25
ComboFix-quarantined-files.txt 2012-04-27 03:43
.
Pre-Run: 288,957,575,168 bytes free
Post-Run: 288,965,103,616 bytes free
.
- - End Of File - - 2F7999EB7262722AB707CB0C88571C11



Are you going to compare to the older log? If not, what are you looking for?

Thanks again



