0Access rootkit disables firewalls, kills MS Access


This topic is locked
23 replies to this topic

#1 Editor in NC

Posted 21 August 2012 - 05:21 PM

One of the machines in our small-business/home office network (running Windows Vista) is infected with the 0Access rootkit, according to Malwarebytes AntiVirus. Symptoms include disabling both Windows and McAfee security systems, turning off firewalls and disabling the controls to turn them back on ("Windows Security Center: X Security Center can't change your automatic updating settings"; "Windows Firewall was unable to make the requested updates."). I found the "wscsvc" service was entirely missing from the registry, but was able to find a download from a Microsoft page that recreated the keys, so at least the Security Service runs enough to show which components can't be run. McAfee Internet Security, a new installation in December 2011, can't be run at all: just a blank white space appears in place of the window when I try to start it manually. Other symptoms: MS Access 2000 won't start (Zero Access, I suppose) or, to be more specific, it vanished just after starting up.

One especially worrisome possibility: The website that our business depends on was hacked last week. Our host told us that the FTP password had been cracked and the bad guys downloaded the entire site, injected it with malicious scripts, and uploaded it again by FTP. That seems to suggest the password was stolen from the infected computer, or that the FTP software was actively hijacked.

I've done the specified preliminaries: Run DeFogger to disable any CD Emulation drivers; run DDS (dds.txt follows, and Attach.txt is attached below); and run GMER (ark.txt is also attached.)

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_04
Run by Kate at 22:34:59 on 2012-08-20
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1472 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Nuance\dgnsvc.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Firebird\bin\fbguard.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Memeo\AutoBackupPro\MemeoBackgroundService.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\ManageEngine\ServiceDesk\bin\wrapper.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\ManageEngine\ServiceDesk\jre\bin\java.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Firebird\bin\fbserver.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\system32\taskeng.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\RtHDVCpl.exe
C:\QuickBooks 2008\QBDBMgrN.exe
C:\Program Files\IOI\ButtonMonitor.exe
C:\Program Files\Spy Doctor PC Tools Security\pctsGui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Users\Kate\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Intuit\QuickBooks 2011\QBW32.EXE
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Kate\AppData\Local\Akamai\netsession_win.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Microsoft Office\Office\MSACCESS.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\WerCon.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5668E
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
BHO: AlxHelper Class: {f443a627-5009-4323-9c1d-7fd598d0d712} - c:\program files\amazon browser bar\AmazonBrowserBar.3.0.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM] c:\programdata\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [AROReminder] c:\program files\aro 2011\ARO.exe -rem
uRun: [Akamai NetSession Interface] "c:\users\kate\appdata\local\akamai\netsession_win.exe"
uRun: [AdobeBridge]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QuickBooksDB18] c:\quickbooks 2008\qbdbmgrn.exe -n qb_kate-pc_18 -qs -gd all -gk all -gp 4096 -gu all -ch 64m -c 32m -x tcpip(broadcastlistener=no;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe c:\users\kate\appdata\local\intuit\quickb~1\log\DBSTAR~1.LOG -y
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking11\ereg\ereg.exe" -r "c:\programdata\nuance\naturallyspeaking11\Ereg.ini
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [ButtonMonitor] c:\program files\ioi\ButtonMonitor.exe
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [ISTray] "c:\program files\spy doctor pc tools security\pctsGui.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [tstco] ",AGETDEVICE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\intuit data protect.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickbooks update agent.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickbooks_standard_21.lnk - c:\program files\intuit\quickbooks 2011\QBW32.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secunia psi tray.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: LocalAccountTokenFilterPolicy = 1 (0x1)
IE: &Search - ?p=GRxdm012YYUS
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Software
IE: Software\PepiMK Software
IE: Software\PepiMK Software\SpybotSnD
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
Trusted Zone: ebay.com
Trusted Zone: listen.com\www
DPF: {0AD584EB-F10F-46F7-BCB8-1085C386BEAE} - hxxps://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom2009.cab
DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1_2009.cab
DPF: {788539E8-002D-4E59-9089-40B694A99C9A} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2008.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{75DA16F0-2E37-4EDB-8A55-B4A59D61E1FD} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{ED302CAA-38BE-4F9E-BCA4-3451E68354E2} : DhcpNameServer = 192.168.100.254
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kate\appdata\roaming\mozilla\firefox\profiles\uimbrxzi.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_271.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-8 554048]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-3-11 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-3-11 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-3-11 656320]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-5-8 206784]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
R2 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2012-7-21 401920]
R2 DragonSvc;Dragon Service;c:\program files\common files\nuance\dgnsvc.exe [2010-9-24 296808]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\bin\fbguard.exe [2010-5-20 81920]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-27 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-5-31 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-10-30 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-8-20 655944]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-25 95232]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-5-8 168280]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-5-8 168280]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-8 200816]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackuppro\MemeoBackgroundService.exe [2009-11-16 25824]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-8 168368]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-8 166320]
R2 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2011-4-1 67400]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2010-9-16 80896]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-3-5 1248256]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-11-25 810320]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-6-27 1326176]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-6-27 681056]
R2 servicedesk;ManageEngine ServiceDesk Plus;c:\manageengine\servicedesk\bin\wrapper.exe -s c:\manageengine\servicedesk\bin\\..\server\default\conf\wrapper.conf --> c:\manageengine\servicedesk\bin\wrapper.exe -s c:\manageengine\servicedesk\bin\\..\server\default\conf\wrapper.conf [?]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-1-6 4408616]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 102400]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-1-6 112936]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-8 60480]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\bin\fbserver.exe [2010-5-20 2723840]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-8-20 22344]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-5-8 230224]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-5-8 61912]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-8 360792]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2011-12-16 15544]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2010-1-6 13224]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-13 135664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-30 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-13 135664]
S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-8-9 146872]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-23 23040]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-8 92192]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-30 113120]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-1-6 15656]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
.
=============== Created Last 30 ================
.
2012-08-20 20:30:52 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-20 20:30:52 -------- d-----w- c:\programdata\Malwarebytes
2012-08-20 20:30:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-20 20:07:47 -------- d--h--w- C:\kleaner.tmp
2012-08-09 17:17:20 146872 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2012-07-30 17:21:01 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2012-07-30 17:20:38 -------- d-----w- c:\program files\common files\xing shared
2012-07-30 17:20:22 150736 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2012-07-30 17:20:09 129176 ----a-w- c:\program files\mozilla firefox\plugins\nprpplugin.dll
2012-07-30 17:17:26 -------- d-----w- c:\program files\Amazon Browser Bar
.
==================== Find3M ====================
.
2012-08-14 23:34:18 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-14 23:34:18 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-30 17:19:57 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-06-22 11:58:12 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-06-22 11:55:18 206784 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2012-06-22 11:53:56 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-06-22 11:53:48 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-06-22 11:52:38 554048 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-06-22 11:51:46 360792 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-06-22 11:51:16 61912 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-06-22 11:50:56 230224 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-06-22 11:50:24 127992 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-05-31 16:25:14 237072 ------w- c:\windows\system32\MpSigStub.exe
2008-10-28 17:52:55 7390 ----a-w- c:\program files\xpress.reg
2008-10-28 17:52:45 4859904 ----a-w- c:\program files\QuarkXPress.exe
.
============= FINISH: 22:35:53.39 ===============

ARK.txt (generated by GMER.exe) follows:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-21 18:38:40
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\0000005d WDC_WD32 rev.01.0
Running: GMER.exe; Driver: C:\Users\Kate\AppData\Local\Temp\kwtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x835CAF68]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x835CB230]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x835CA9D8]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x835CB52C]

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8364EF08]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8364EF1E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8364EEF4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82A671C0 5 Bytes JMP 8364EEF8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!KeSetTimerEx + 43C 82AF8B00 8 Bytes [68, AF, 5C, 83, 30, B2, 5C, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 854 82AF8F18 4 Bytes [D8, A9, 5C, 83]
.text ntkrnlpa.exe!KeSetTimerEx + 918 82AF8FDC 4 Bytes [2C, B5, 5C, 83]
PAGE ntkrnlpa.exe!NtMapViewOfSection 82C6480E 7 Bytes JMP 8364EF0C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82C64E65 5 Bytes JMP 8364EF22 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x90002340, 0x39DB57, 0xE8000020]
PAGE spsys.sys!?SPVersion@@3PADA + 1A67 9F65003F 240 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1B58 9F650130 6 Bytes [0E, 83, 78, 14, 01, 75]
PAGE spsys.sys!?SPVersion@@3PADA + 1B5F 9F650137 2214 Bytes [83, 78, 18, 37, 75, 02, B3, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 2406 9F6509DE 47 Bytes [04, BB, A8, 01, 00, 00, 8D, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 2436 9F650A0E 44 Bytes [05, 00, 00, 39, 54, 8D, D0, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\System32\svchost.exe[12] ntdll.dll!NtCreateFile 770A8008 5 Bytes JMP 01C70000
.text C:\Windows\System32\svchost.exe[12] ntdll.dll!NtCreateProcess 770A80C8 5 Bytes JMP 01C7003D
.text C:\Windows\System32\svchost.exe[12] ntdll.dll!NtProtectVirtualMemory 770A8968 5 Bytes JMP 01C7002C
.text C:\Windows\System32\svchost.exe[12] ntdll.dll!KiUserExceptionDispatcher 770A99E8 5 Bytes JMP 01C7001B
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!GetStartupInfoW 758B1929 5 Bytes JMP 00D00F66
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!GetStartupInfoA 758B19C9 5 Bytes JMP 00D00F81
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!CreateProcessW 758B1C01 5 Bytes JMP 00D000E2
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!CreateProcessA 758B1C36 5 Bytes JMP 00D00F4B
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!VirtualProtect 758B1DD1 5 Bytes JMP 00D00080
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!CreateNamedPipeW 758B5C44 5 Bytes JMP 00D0001E
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!LoadLibraryExW 758D30C3 5 Bytes JMP 00D0006F
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!LoadLibraryW 758D361F 5 Bytes JMP 00D00054
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!VirtualProtectEx 758D8D7E 5 Bytes JMP 00D0009B
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!LoadLibraryExA 758D9469 5 Bytes JMP 00D00FB2
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!LoadLibraryA 758D9491 5 Bytes JMP 00D00039
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!CreatePipe 758E0284 5 Bytes JMP 00D000AC
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!GetProcAddress 758FB8B6 5 Bytes JMP 00D00F26
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!CreateFileW 758FCC4E 5 Bytes JMP 00D00FDE
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!CreateFileA 758FCF71 5 Bytes JMP 00D00FEF
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!CreateNamedPipeA 7594430E 5 Bytes JMP 00D00FCD
.text C:\Windows\System32\svchost.exe[12] kernel32.dll!WinExec 759454FF 5 Bytes JMP 00D000C7
.text C:\Windows\System32\svchost.exe[12] msvcrt.dll!_wsystem 76788A47 5 Bytes JMP 01CD0055
.text C:\Windows\System32\svchost.exe[12] msvcrt.dll!system 76788B63 5 Bytes JMP 01CD0044
.text C:\Windows\System32\svchost.exe[12] msvcrt.dll!_creat 7678C6F1 5 Bytes JMP 01CD0029
.text C:\Windows\System32\svchost.exe[12] msvcrt.dll!_open 7678DA7E 5 Bytes JMP 01CD0FEF
.text C:\Windows\System32\svchost.exe[12] msvcrt.dll!_wcreat 7678DC9E 5 Bytes JMP 01CD0FD4
.text C:\Windows\System32\svchost.exe[12] msvcrt.dll!_wopen 7678DE79 5 Bytes JMP 01CD000C
.text C:\Windows\System32\svchost.exe[12] ADVAPI32.dll!RegCreateKeyExA 7687B5E7 5 Bytes JMP 01CE002C
.text C:\Windows\System32\svchost.exe[12] ADVAPI32.dll!RegCreateKeyA 7687B8AE 5 Bytes JMP 01CE0F8A
.text C:\Windows\System32\svchost.exe[12] ADVAPI32.dll!RegOpenKeyA 76880BF5 5 Bytes JMP 01CE0000
.text C:\Windows\System32\svchost.exe[12] ADVAPI32.dll!RegCreateKeyW 7688B83D 5 Bytes JMP 01CE001B
.text C:\Windows\System32\svchost.exe[12] ADVAPI32.dll!RegCreateKeyExW 7688BCE1 5 Bytes JMP 01CE0F6F
.text C:\Windows\System32\svchost.exe[12] ADVAPI32.dll!RegOpenKeyExA 7688D4E8 5 Bytes JMP 01CE0FC0
.text C:\Windows\System32\svchost.exe[12] ADVAPI32.dll!RegOpenKeyW 76893CB0 5 Bytes JMP 01CE0FE5
.text C:\Windows\System32\svchost.exe[12] ADVAPI32.dll!RegOpenKeyExW 7689F09D 5 Bytes JMP 01CE0FAF
.text C:\Windows\System32\svchost.exe[12] WS2_32.dll!socket 766836D1 5 Bytes JMP 01CC0FE5
.text C:\Windows\System32\svchost.exe[12] WININET.dll!InternetOpenA 76EF0A4D 5 Bytes JMP 03340FEF
.text C:\Windows\System32\svchost.exe[12] WININET.dll!InternetOpenUrlA 76EF2713 5 Bytes JMP 03340FD4
.text C:\Windows\System32\svchost.exe[12] WININET.dll!InternetOpenW 76EF30C8 5 Bytes JMP 0334000A
.text C:\Windows\System32\svchost.exe[12] WININET.dll!InternetOpenUrlW 76F484F1 5 Bytes JMP 03340FB9
.text C:\Windows\system32\services.exe[860] ntdll.dll!NtCreateFile 770A8008 5 Bytes JMP 00190000
.text C:\Windows\system32\services.exe[860] ntdll.dll!NtCreateProcess 770A80C8 5 Bytes JMP 00190FE5
.text C:\Windows\system32\services.exe[860] ntdll.dll!NtProtectVirtualMemory 770A8968 5 Bytes JMP 0019002C
.text C:\Windows\system32\services.exe[860] ntdll.dll!KiUserExceptionDispatcher 770A99E8 5 Bytes JMP 00190011
.text C:\Windows\system32\services.exe[860] kernel32.dll!GetStartupInfoW 758B1929 5 Bytes JMP 00180F5F
.text C:\Windows\system32\services.exe[860] kernel32.dll!GetStartupInfoA 758B19C9 5 Bytes JMP 001800A5
.text C:\Windows\system32\services.exe[860] kernel32.dll!CreateProcessW 758B1C01 5 Bytes JMP 001800D4
.text C:\Windows\system32\services.exe[860] kernel32.dll!CreateProcessA 758B1C36 5 Bytes JMP 00180F3D
.text C:\Windows\system32\services.exe[860] kernel32.dll!VirtualProtect 758B1DD1 5 Bytes JMP 0018008A
.text C:\Windows\system32\services.exe[860] kernel32.dll!CreateNamedPipeW 758B5C44 5 Bytes JMP 00180FCD
.text C:\Windows\system32\services.exe[860] kernel32.dll!LoadLibraryExW 758D30C3 5 Bytes JMP 00180079
.text C:\Windows\system32\services.exe[860] kernel32.dll!LoadLibraryW 758D361F 5 Bytes JMP 00180043
.text C:\Windows\system32\services.exe[860] kernel32.dll!VirtualProtectEx 758D8D7E 5 Bytes JMP 00180F95
.text C:\Windows\system32\services.exe[860] kernel32.dll!LoadLibraryExA 758D9469 5 Bytes JMP 00180068
.text C:\Windows\system32\services.exe[860] kernel32.dll!LoadLibraryA 758D9491 5 Bytes JMP 00180FBC
.text C:\Windows\system32\services.exe[860] kernel32.dll!CreatePipe 758E0284 5 Bytes JMP 00180F84
.text C:\Windows\system32\services.exe[860] kernel32.dll!GetProcAddress 758FB8B6 5 Bytes JMP 001800E5
.text C:\Windows\system32\services.exe[860] kernel32.dll!CreateFileW 758FCC4E 5 Bytes JMP 00180FDE
.text C:\Windows\system32\services.exe[860] kernel32.dll!CreateFileA 758FCF71 5 Bytes JMP 00180FEF
.text C:\Windows\system32\services.exe[860] kernel32.dll!CreateNamedPipeA 7594430E 5 Bytes JMP 0018001E
.text C:\Windows\system32\services.exe[860] kernel32.dll!WinExec 759454FF 5 Bytes JMP 00180F4E
.text C:\Windows\system32\services.exe[860] ADVAPI32.dll!RegCreateKeyExA 7687B5E7 5 Bytes JMP 002A0FAF
.text C:\Windows\system32\services.exe[860] ADVAPI32.dll!RegCreateKeyA 7687B8AE 5 Bytes JMP 002A0FC0
.text C:\Windows\system32\services.exe[860] ADVAPI32.dll!RegOpenKeyA 76880BF5 5 Bytes JMP 002A0000
.text C:\Windows\system32\services.exe[860] ADVAPI32.dll!RegCreateKeyW 7688B83D 5 Bytes JMP 002A0051
.text C:\Windows\system32\services.exe[860] ADVAPI32.dll!RegCreateKeyExW 7688BCE1 5 Bytes JMP 002A0F94
.text C:\Windows\system32\services.exe[860] ADVAPI32.dll!RegOpenKeyExA 7688D4E8 5 Bytes JMP 002A002C
.text C:\Windows\system32\services.exe[860] ADVAPI32.dll!RegOpenKeyW 76893CB0 5 Bytes JMP 002A001B
.text C:\Windows\system32\services.exe[860] ADVAPI32.dll!RegOpenKeyExW 7689F09D 5 Bytes JMP 002A0FD1
.text C:\Windows\system32\services.exe[860] msvcrt.dll!_wsystem 76788A47 5 Bytes JMP 001C0FA8
.text C:\Windows\system32\services.exe[860] msvcrt.dll!system 76788B63 5 Bytes JMP 001C0033
.text C:\Windows\system32\services.exe[860] msvcrt.dll!_creat 7678C6F1 5 Bytes JMP 001C0FDE
.text C:\Windows\system32\services.exe[860] msvcrt.dll!_open 7678DA7E 5 Bytes JMP 001C000C
.text C:\Windows\system32\services.exe[860] msvcrt.dll!_wcreat 7678DC9E 5 Bytes JMP 001C0FC3
.text C:\Windows\system32\services.exe[860] msvcrt.dll!_wopen 7678DE79 5 Bytes JMP 001C0FEF
.text C:\Windows\system32\services.exe[860] WS2_32.dll!socket 766836D1 5 Bytes JMP 001A0FEF
.text C:\Windows\system32\svchost.exe[896] ntdll.dll!NtCreateFile 770A8008 5 Bytes JMP 002D000A
.text C:\Windows\system32\svchost.exe[896] ntdll.dll!NtCreateProcess 770A80C8 5 Bytes JMP 002D0036
.text C:\Windows\system32\svchost.exe[896] ntdll.dll!NtProtectVirtualMemory 770A8968 5 Bytes JMP 002D0FEF
.text C:\Windows\system32\svchost.exe[896] ntdll.dll!KiUserExceptionDispatcher 770A99E8 5 Bytes JMP 002D0025
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!GetStartupInfoW 758B1929 5 Bytes JMP 00280F5F
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!GetStartupInfoA 758B19C9 5 Bytes JMP 00280F70
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreateProcessW 758B1C01 5 Bytes JMP 002800D1
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreateProcessA 758B1C36 5 Bytes JMP 002800C0
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!VirtualProtect 758B1DD1 5 Bytes JMP 00280F81
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreateNamedPipeW 758B5C44 5 Bytes JMP 00280014
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!LoadLibraryExW 758D30C3 5 Bytes JMP 0028005B
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!LoadLibraryW 758D361F 5 Bytes JMP 00280040
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!VirtualProtectEx 758D8D7E 5 Bytes JMP 00280076
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!LoadLibraryExA 758D9469 5 Bytes JMP 00280F9E
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!LoadLibraryA 758D9491 5 Bytes JMP 0028002F
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreatePipe 758E0284 5 Bytes JMP 0028009B
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!GetProcAddress 758FB8B6 5 Bytes JMP 002800EC
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreateFileW 758FCC4E 5 Bytes JMP 00280FDE
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreateFileA 758FCF71 5 Bytes JMP 00280FEF
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!CreateNamedPipeA 7594430E 5 Bytes JMP 00280FCD
.text C:\Windows\system32\svchost.exe[896] kernel32.dll!WinExec 759454FF 5 Bytes JMP 00280F44
.text C:\Windows\system32\svchost.exe[896] msvcrt.dll!_wsystem 76788A47 5 Bytes JMP 002F0038
.text C:\Windows\system32\svchost.exe[896] msvcrt.dll!system 76788B63 5 Bytes JMP 002F0FB7
.text C:\Windows\system32\svchost.exe[896] msvcrt.dll!_creat 7678C6F1 5 Bytes JMP 002F0FC8
.text C:\Windows\system32\svchost.exe[896] msvcrt.dll!_open 7678DA7E 5 Bytes JMP 002F0FEF
.text C:\Windows\system32\svchost.exe[896] msvcrt.dll!_wcreat 7678DC9E 5 Bytes JMP 002F0027
.text C:\Windows\system32\svchost.exe[896] msvcrt.dll!_wopen 7678DE79 5 Bytes JMP 002F000C
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExA 7687B5E7 5 Bytes JMP 00300076
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyA 7687B8AE 5 Bytes JMP 0030004A
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyA 76880BF5 5 Bytes JMP 00300FEF
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyW 7688B83D 5 Bytes JMP 0030005B
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegCreateKeyExW 7688BCE1 5 Bytes JMP 00300087
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExA 7688D4E8 5 Bytes JMP 0030002F
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyW 76893CB0 5 Bytes JMP 0030000A
.text C:\Windows\system32\svchost.exe[896] ADVAPI32.dll!RegOpenKeyExW 7689F09D 5 Bytes JMP 00300FDE
.text C:\Windows\system32\svchost.exe[896] WS2_32.dll!socket 766836D1 5 Bytes JMP 002E0FEF
.text C:\Windows\system32\lsass.exe[924] ntdll.dll!NtCreateFile 770A8008 5 Bytes JMP 001F0FEF
.text C:\Windows\system32\lsass.exe[924] ntdll.dll!NtCreateProcess 770A80C8 5 Bytes JMP 001F0FCD
.text C:\Windows\system32\lsass.exe[924] ntdll.dll!NtProtectVirtualMemory 770A8968 5 Bytes JMP 001F0014
.text C:\Windows\system32\lsass.exe[924] ntdll.dll!KiUserExceptionDispatcher 770A99E8 5 Bytes JMP 001F0FDE
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!GetStartupInfoW 758B1929 5 Bytes JMP 001E00B0
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!GetStartupInfoA 758B19C9 5 Bytes JMP 001E0F6A
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!CreateProcessW 758B1C01 5 Bytes JMP 001E00D2
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!CreateProcessA 758B1C36 5 Bytes JMP 001E0F3B
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!VirtualProtect 758B1DD1 5 Bytes JMP 001E0F8F
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!CreateNamedPipeW 758B5C44 5 Bytes JMP 001E0FB6
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!LoadLibraryExW 758D30C3 5 Bytes JMP 001E0069
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!LoadLibraryW 758D361F 5 Bytes JMP 001E0033
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!VirtualProtectEx 758D8D7E 5 Bytes JMP 001E007A
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!LoadLibraryExA 758D9469 5 Bytes JMP 001E004E
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!LoadLibraryA 758D9491 5 Bytes JMP 001E0022
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!CreatePipe 758E0284 5 Bytes JMP 001E0095
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!GetProcAddress 758FB8B6 5 Bytes JMP 001E00E3
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!CreateFileW 758FCC4E 5 Bytes JMP 001E0011
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!CreateFileA 758FCF71 5 Bytes JMP 001E0000
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!CreateNamedPipeA 7594430E 5 Bytes JMP 001E0FDB
.text C:\Windows\system32\lsass.exe[924] kernel32.dll!WinExec 759454FF 5 Bytes JMP 001E00C1
.text C:\Windows\system32\lsass.exe[924] ADVAPI32.dll!RegCreateKeyExA 7687B5E7 5 Bytes JMP 005B0036
.text C:\Windows\system32\lsass.exe[924] ADVAPI32.dll!RegCreateKeyA 7687B8AE 5 Bytes JMP 005B0014
.text C:\Windows\system32\lsass.exe[924] ADVAPI32.dll!RegOpenKeyA 76880BF5 5 Bytes JMP 005B0FEF
.text C:\Windows\system32\lsass.exe[924] ADVAPI32.dll!RegCreateKeyW 7688B83D 5 Bytes JMP 005B0025
.text C:\Windows\system32\lsass.exe[924] ADVAPI32.dll!RegCreateKeyExW 7688BCE1 5 Bytes JMP 005B0047
.text C:\Windows\system32\lsass.exe[924] ADVAPI32.dll!RegOpenKeyExA 7688D4E8 5 Bytes JMP 005B0FC3
.text C:\Windows\system32\lsass.exe[924] ADVAPI32.dll!RegOpenKeyW 76893CB0 5 Bytes JMP 005B0FDE
.text C:\Windows\system32\lsass.exe[924] ADVAPI32.dll!RegOpenKeyExW 7689F09D 5 Bytes JMP 005B0FA8
.text C:\Windows\system32\lsass.exe[924] msvcrt.dll!_wsystem 76788A47 5 Bytes JMP 00210044
.text C:\Windows\system32\lsass.exe[924] msvcrt.dll!system 76788B63 5 Bytes JMP 00210033
.text C:\Windows\system32\lsass.exe[924] msvcrt.dll!_creat 7678C6F1 5 Bytes JMP 00210011
.text C:\Windows\system32\lsass.exe[924] msvcrt.dll!_open 7678DA7E 5 Bytes JMP 00210000
.text C:\Windows\system32\lsass.exe[924] msvcrt.dll!_wcreat 7678DC9E 5 Bytes JMP 00210022
.text C:\Windows\system32\lsass.exe[924] msvcrt.dll!_wopen 7678DE79 5 Bytes JMP 00210FE3
.text C:\Windows\system32\lsass.exe[924] WS2_32.dll!socket 766836D1 5 Bytes JMP 00200FEF
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!NtCreateFile 770A8008 5 Bytes JMP 00A60FE5
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!NtCreateProcess 770A80C8 5 Bytes JMP 00A60025
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!NtProtectVirtualMemory 770A8968 5 Bytes JMP 00A60FCA
.text C:\Windows\System32\svchost.exe[1056] ntdll.dll!KiUserExceptionDispatcher 770A99E8 5 Bytes JMP 00A60000
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoW 758B1929 5 Bytes JMP 00A500AE
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoA 758B19C9 5 Bytes JMP 00A5009D
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessW 758B1C01 5 Bytes JMP 00A500DA
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessA 758B1C36 5 Bytes JMP 00A50F4D
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!VirtualProtect 758B1DD1 5 Bytes JMP 00A50067
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeW 758B5C44 5 Bytes JMP 00A50025
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 758D30C3 5 Bytes JMP 00A50F8D
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryW 758D361F 5 Bytes JMP 00A50FB9
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!VirtualProtectEx 758D8D7E 5 Bytes JMP 00A50F72
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExA 758D9469 5 Bytes JMP 00A50F9E
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryA 758D9491 5 Bytes JMP 00A50040
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreatePipe 758E0284 5 Bytes JMP 00A50082
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetProcAddress 758FB8B6 5 Bytes JMP 00A50F28
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateFileW 758FCC4E 5 Bytes JMP 00A50FE5
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateFileA 758FCF71 5 Bytes JMP 00A50000
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeA 7594430E 5 Bytes JMP 00A50FD4
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!WinExec 759454FF 5 Bytes JMP 00A500BF
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wsystem 76788A47 5 Bytes JMP 00B4003A
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!system 76788B63 5 Bytes JMP 00B40029
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_creat 7678C6F1 5 Bytes JMP 00B40FDE
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_open 7678DA7E 5 Bytes JMP 00B40000
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wcreat 7678DC9E 5 Bytes JMP 00B40FB9
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wopen 7678DE79 5 Bytes JMP 00B40FEF
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExA 7687B5E7 5 Bytes JMP 00B50036
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyA 7687B8AE 5 Bytes JMP 00B5001B
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyA 76880BF5 5 Bytes JMP 00B50FEF
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW 7688B83D 5 Bytes JMP 00B50F94
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExW 7688BCE1 5 Bytes JMP 00B50047
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExA 7688D4E8 5 Bytes JMP 00B50FC0
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyW 76893CB0 5 Bytes JMP 00B50000
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExW 7689F09D 5 Bytes JMP 00B50FAF
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtCreateFile 770A8008 5 Bytes JMP 00680FEF
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtCreateProcess 770A80C8 5 Bytes JMP 00680036
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 770A8968 5 Bytes JMP 00680025
.text C:\Windows\system32\svchost.exe[1072] ntdll.dll!KiUserExceptionDispatcher 770A99E8 5 Bytes JMP 00680014
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 758B1929 5 Bytes JMP 006700B5
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 758B19C9 5 Bytes JMP 006700A4
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 758B1C01 5 Bytes JMP 00670F2F
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 758B1C36 5 Bytes JMP 006700D0
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!VirtualProtect 758B1DD1 5 Bytes JMP 00670078
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 758B5C44 5 Bytes JMP 00670FB9
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 758D30C3 5 Bytes JMP 0067005D
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryW 758D361F 5 Bytes JMP 00670025
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 758D8D7E 5 Bytes JMP 00670093
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 758D9469 5 Bytes JMP 00670036
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!LoadLibraryA 758D9491 5 Bytes JMP 00670F9E
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreatePipe 758E0284 5 Bytes JMP 00670F79
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!GetProcAddress 758FB8B6 5 Bytes JMP 006700E1
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateFileW 758FCC4E 5 Bytes JMP 00670FD4
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateFileA 758FCF71 5 Bytes JMP 00670FEF
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 7594430E 5 Bytes JMP 0067000A
.text C:\Windows\system32\svchost.exe[1072] kernel32.dll!WinExec 759454FF 5 Bytes JMP 00670F54
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_wsystem 76788A47 5 Bytes JMP 006E004E
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!system 76788B63 5 Bytes JMP 006E003D
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_creat 7678C6F1 5 Bytes JMP 006E0FD7
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_open 7678DA7E 5 Bytes JMP 006E0000
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_wcreat 7678DC9E 5 Bytes JMP 006E002C
.text C:\Windows\system32\svchost.exe[1072] msvcrt.dll!_wopen 7678DE79 5 Bytes JMP 006E0011
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 7687B5E7 5 Bytes JMP 006F002F
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 7687B8AE 5 Bytes JMP 006F0F8D
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 76880BF5 5 Bytes JMP 006F0FEF
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 7688B83D 5 Bytes JMP 006F001E
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 7688BCE1 5 Bytes JMP 006F0F7C
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 7688D4E8 5 Bytes JMP 006F0FB9
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 76893CB0 5 Bytes JMP 006F0FDE
.text C:\Windows\system32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 7689F09D 5 Bytes JMP 006F0F9E
.text C:\Windows\system32\svchost.exe[1072] WS2_32.dll!socket 766836D1 5 Bytes JMP 006D0FEF
.text C:\Windows\system32\svchost.exe[1128] ntdll.dll!NtCreateFile 770A8008 5 Bytes JMP 002C0FE5
.text C:\Windows\system32\svchost.exe[1128] ntdll.dll!NtCreateProcess 770A80C8 5 Bytes JMP 002C0FB6
.text C:\Windows\system32\svchost.exe[1128] ntdll.dll!NtProtectVirtualMemory 770A8968 5 Bytes JMP 002C0011
.text C:\Windows\system32\svchost.exe[1128] ntdll.dll!KiUserExceptionDispatcher 770A99E8 5 Bytes JMP 002C0000
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 758B1929 5 Bytes JMP 00270F62
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 758B19C9 5 Bytes JMP 002700B2
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateProcessW 758B1C01 5 Bytes JMP 002700E5
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateProcessA 758B1C36 5 Bytes JMP 002700D4
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!VirtualProtect 758B1DD1 5 Bytes JMP 00270F9B
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 758B5C44 5 Bytes JMP 0027001B
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 758D30C3 5 Bytes JMP 00270075
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!LoadLibraryW 758D361F 5 Bytes JMP 0027003D
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 758D8D7E 5 Bytes JMP 00270086
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 758D9469 5 Bytes JMP 00270058
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!LoadLibraryA 758D9491 5 Bytes JMP 0027002C
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreatePipe 758E0284 5 Bytes JMP 002700A1
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!GetProcAddress 758FB8B6 5 Bytes JMP 00270F33
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateFileW 758FCC4E 5 Bytes JMP 00270FD4
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateFileA 758FCF71 5 Bytes JMP 00270FEF
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 7594430E 5 Bytes JMP 0027000A
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!WinExec 759454FF 5 Bytes JMP 002700C3
.text C:\Windows\system32\svchost.exe[1128] msvcrt.dll!_wsystem 76788A47 5 Bytes JMP 00320FBE
.text C:\Windows\system32\svchost.exe[1128] msvcrt.dll!system 76788B63 5 Bytes JMP 00320FCF
.text C:\Windows\system32\svchost.exe[1128] msvcrt.dll!_creat 7678C6F1 5 Bytes JMP 0032002E
.text C:\Windows\system32\svchost.exe[1128] msvcrt.dll!_open 7678DA7E 5 Bytes JMP 00320000
.text C:\Windows\system32\svchost.exe[1128] msvcrt.dll!_wcreat 7678DC9E 5 Bytes JMP 00320049
.text C:\Windows\system32\svchost.exe[1128] msvcrt.dll!_wopen 7678DE79 5 Bytes JMP 00320011
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 7687B5E7 5 Bytes JMP 00940036
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 7687B8AE 5 Bytes JMP 00940FAF
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 76880BF5 5 Bytes JMP 00940FE5
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 7688B83D 5 Bytes JMP 00940F94
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 7688BCE1 5 Bytes JMP 00940F79
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 7688D4E8 5 Bytes JMP 00940FD4
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 76893CB0 5 Bytes JMP 0094000A
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 7689F09D 5 Bytes JMP 0094001B
.text C:\Windows\system32\svchost.exe[1128] WS2_32.dll!socket 766836D1 5 Bytes JMP 00310FEF
.text C:\Windows\System32\svchost.exe[1188] ntdll.dll!NtCreateFile 770A8008 5 Bytes JMP 008F0000
.text C:\Windows\System32\svchost.exe[1188] ntdll.dll!NtCreateProcess 770A80C8 5 Bytes JMP 008F001B
.text C:\Windows\System32\svchost.exe[1188] ntdll.dll!NtProtectVirtualMemory 770A8968 5 Bytes JMP 008F0FCA
.text C:\Windows\System32\svchost.exe[1188] ntdll.dll!KiUserExceptionDispatcher 770A99E8 5 Bytes JMP 008F0FE5
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 758B1929 5 Bytes JMP 008E0F35
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 758B19C9 5 Bytes JMP 008E0F50
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!CreateProcessW 758B1C01 5 Bytes JMP 008E0EFF
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!CreateProcessA 758B1C36 5 Bytes JMP 008E0096
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!VirtualProtect 758B1DD1 5 Bytes JMP 008E0067
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 758B5C44 5 Bytes JMP 008E0FA8
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 758D30C3 5 Bytes JMP 008E0040
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!LoadLibraryW 758D361F 5 Bytes JMP 008E001E
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 758D8D7E 5 Bytes JMP 008E0F72
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 758D9469 5 Bytes JMP 008E002F
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!LoadLibraryA 758D9491 5 Bytes JMP 008E0F97
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!CreatePipe 758E0284 5 Bytes JMP 008E0F61
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!GetProcAddress 758FB8B6 5 Bytes JMP 008E0EE4
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!CreateFileW 758FCC4E 5 Bytes JMP 008E0FCA
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!CreateFileA 758FCF71 5 Bytes JMP 008E0FEF
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7594430E 5 Bytes JMP 008E0FB9
.text C:\Windows\System32\svchost.exe[1188] kernel32.dll!WinExec 759454FF 5 Bytes JMP 008E0F1A
.text C:\Windows\System32\svchost.exe[1188] msvcrt.dll!_wsystem 76788A47 5 Bytes JMP 00950F8B
.text C:\Windows\System32\svchost.exe[1188] msvcrt.dll!system 76788B63 5 Bytes JMP 00950020
.text C:\Windows\System32\svchost.exe[1188] msvcrt.dll!_creat 7678C6F1 5 Bytes JMP 00950FB7
.text C:\Windows\System32\svchost.exe[1188] msvcrt.dll!_open 7678DA7E 5 Bytes JMP 00950FE3
.text C:\Windows\System32\svchost.exe[1188] msvcrt.dll!_wcreat 7678DC9E 5 Bytes JMP 00950FA6
.text C:\Windows\System32\svchost.exe[1188] msvcrt.dll!_wopen 7678DE79 5 Bytes JMP 00950FD2
.text C:\Windows\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 7687B5E7 5 Bytes JMP 00960F8D
.text C:\Windows\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 7687B8AE 5 Bytes JMP 00960FAF
.text C:\Windows\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 76880BF5 5 Bytes JMP 00960FEF
.text C:\Windows\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 7688B83D 5 Bytes JMP 00960F9E
.text C:\Windows\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 7688BCE1 5 Bytes JMP 00960F72
.text C:\Windows\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 7688D4E8 5 Bytes JMP 0096001B
.text C:\Windows\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 76893CB0 5 Bytes JMP 00960000
.text C:\Windows\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 7689F09D 5 Bytes JMP 00960FCA
.text C:\Windows\System32\svchost.exe[1188] WS2_32.dll!socket 766836D1 5 Bytes JMP 00940FEF
.text C:\Windows\System32\svchost.exe[1212] ntdll.dll!NtCreateFile 770A8008 5 Bytes JMP 00C0000A
.text C:\Windows\System32\svchost.exe[1212] ntdll.dll!NtCreateProcess 770A80C8 5 Bytes JMP 00C00036
.text C:\Windows\System32\svchost.exe[1212] ntdll.dll!NtProtectVirtualMemory 770A8968 5 Bytes JMP 00C00025
.text C:\Windows\System32\svchost.exe[1212] ntdll.dll!KiUserExceptionDispatcher 770A99E8 5 Bytes JMP 00C00FEF
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!GetStartupInfoW 758B1929 5 Bytes JMP 009F00FC
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!GetStartupInfoA 758B19C9 5 Bytes JMP 009F00EB
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!CreateProcessW 758B1C01 5 Bytes JMP 009F013C
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!CreateProcessA 758B1C36 5 Bytes JMP 009F0FA5
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!VirtualProtect 758B1DD1 5 Bytes JMP 009F0FDB
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!CreateNamedPipeW 758B5C44 5 Bytes JMP 009F0047
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 758D30C3 5 Bytes JMP 009F00B5
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!LoadLibraryW 758D361F 5 Bytes JMP 009F007D
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!VirtualProtectEx 758D8D7E 5 Bytes JMP 009F00D0
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!LoadLibraryExA 758D9469 5 Bytes JMP 009F0098
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!LoadLibraryA 758D9491 5 Bytes JMP 009F0058
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!CreatePipe 758E0284 5 Bytes JMP 009F0FC0
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!GetProcAddress 758FB8B6 5 Bytes JMP 009F014D
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!CreateFileW 758FCC4E 5 Bytes JMP 009F001B
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!CreateFileA 758FCF71 5 Bytes JMP 009F0000
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!CreateNamedPipeA 7594430E 5 Bytes JMP 009F002C
.text C:\Windows\System32\svchost.exe[1212] kernel32.dll!WinExec 759454FF 5 Bytes JMP 009F0121
.text C:\Windows\System32\svchost.exe[1212] msvcrt.dll!_wsystem 76788A47 5 Bytes JMP 00C20FBE
.text C:\Windows\System32\svchost.exe[1212] msvcrt.dll!system 76788B63 5 Bytes JMP 00C20FCF
.text C:\Windows\System32\svchost.exe[1212] msvcrt.dll!_creat 7678C6F1 5 Bytes JMP 00C2002E
.text C:\Windows\System32\svchost.exe[1212] msvcrt.dll!_open 7678DA7E 5 Bytes JMP 00C2000C
.text C:\Windows\System32\svchost.exe[1212] msvcrt.dll!_wcreat 7678DC9E 5 Bytes JMP 00C2003F
.text C:\Windows\System32\svchost.exe[1212] msvcrt.dll!_wopen 7678DE79 5 Bytes JMP 00C2001D
.text C:\Windows\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExA 7687B5E7 5 Bytes JMP 00C7005B
.text C:\Windows\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyA 7687B8AE 5 Bytes JMP 00C70FB9
.text C:\Windows\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyA 76880BF5 5 Bytes JMP 00C70FEF
.text C:\Windows\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyW 7688B83D 5 Bytes JMP 00C70040
.text C:\Windows\System32\svchost.exe[1212] ADVAPI32.dll!RegCreateKeyExW 7688BCE1 5 Bytes JMP 00C70F9E
.text C:\Windows\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExA 7688D4E8 5 Bytes JMP 00C70FCA
.text C:\Windows\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyW 76893CB0 5 Bytes JMP 00C7000A
.text C:\Windows\System32\svchost.exe[1212] ADVAPI32.dll!RegOpenKeyExW 7689F09D 5 Bytes JMP 00C70025
.text C:\Windows\System32\svchost.exe[1212] WS2_32.dll!socket 766836D1 5 Bytes JMP 00C10FE5
.text C:\Windows\system32\svchost.exe[1228] ntdll.dll!NtCreateFile 770A8008 5 Bytes JMP 01170000
.text C:\Windows\system32\svchost.exe[1228] ntdll.dll!NtCreateProcess 770A80C8 5 Bytes JMP 0117002C
.text C:\Windows\system32\svchost.exe[1228] ntdll.dll!NtProtectVirtualMemory 770A8968 5 Bytes JMP 0117001B
.text C:\Windows\system32\svchost.exe[1228] ntdll.dll!KiUserExceptionDispatcher 770A99E8 5 Bytes JMP 01170FE5
.text C:\Windows\system32\svchost.exe[1228] kernel32.dll!GetStartupInfoW 758B1929 5 Bytes JMP 010E0F72
.text C:\Windows\system32\svchost.exe[1228] kernel32.dll!GetStartupInfoA 758B19C9 5 Bytes JMP 010E00B8
.text C:\Windows\system32\svchost.exe[1228] kernel32.dll!CreateProcessW 758B1C01 5 Bytes JMP 010E0F61
.text C:\Windows\system32\svchost.exe[1228] kernel32.dll!CreateProcessA 758B1C36 5 Bytes JMP 010E00F8
.text C:\Windows\system32\svchost.exe[1228] kernel32.dll!VirtualProtect 758B1DD1 5 Bytes JMP 010E0F97
.text C:\Windows\system32\svchost.exe[1228] kernel32.dll!CreateNamedPipeW 758B5C44 5 Bytes JMP 010E002F
.text C:\Windows\system32\svchost.exe[1228] kernel32.dll!LoadLibraryExW 758D30C3 5 Bytes JMP 010E0071
.text C:\Windows\system32\svchost.exe[1228] kernel32.dll!LoadLibraryW 758D361F 5 Bytes JMP 010E0FB9

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x58 0x34 0x07 0x16 ...

---- EOF - GMER 1.0.15 ----

#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 26 August 2012 - 01:43 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, an external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Editor in NC (Topic Starter)

  • Members
  • 12 posts

Posted 27 August 2012 - 08:53 AM

Hi, Gringo. Got your message and I'm getting started on recommended diagnostics. Just want to let you know I'm on it and will post results ASAP.

Thanks!

#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 27 August 2012 - 01:01 PM

no problem and see you later


gringo

#5 Editor in NC (Topic Starter)

  • Members
  • 12 posts

Posted 27 August 2012 - 02:58 PM

OK. Security Check ran without incident; here is its log:

Results of screen317's Security Check version 0.99.46
Windows Vista Service Pack 1 x86 (UAC is enabled)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
Spyware Doctor 8.0
Spybot - Search & Destroy
Secunia PSI (3.0.0.2004)
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
Java Web Start
Java™ 6 Update 4
Java 2 Runtime Environment, SE v1.4.1_02
Java version out of Date!
Adobe Flash Player 11.3.300.271
Adobe Reader X 10.0.1 Adobe Reader out of Date!
Mozilla Firefox (14.0.1)
Google Chrome 21.0.1180.79
Google Chrome 21.0.1180.83
Google Chrome plugins...
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````



Before running ComboFix, I successfully turned off McAfee (at least, I was able to shut down the process in Task Manager; McAfee Internet Security's window came up blank when I tried to open it). I was not able to kill the process for MalwareBytes.

ComboFix appeared to run normally, restarted the PC once. Here is that log:

ComboFix 12-08-25.04 - Kate 08/27/2012 15:11:20.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1212 [GMT -4:00]
Running from: c:\users\Kate\Desktop\ComboFix.exe
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\CouponAlert_2pEI
c:\programdata\1076900494
c:\programdata\274752222
c:\programdata\SysWoW32
c:\programdata\SysWoW32\_u1245329540v0
c:\programdata\SysWoW32\_u1245329540v1
c:\programdata\SysWoW32\_u1245329540v2
c:\programdata\SysWoW32\_u1245329540v3
c:\programdata\SysWoW32\mu1245329540v4
c:\programdata\SysWoW32\mu1245329540v4.kwd
c:\programdata\SysWoW32\mu1245329540v5
c:\programdata\SysWoW32\mu1245329540v5.kwd
c:\programdata\SysWoW32\mu1245329540v6
c:\programdata\SysWoW32\mu1245329540v6.kwd
c:\programdata\SysWoW32\mu1245329540v7
c:\programdata\SysWoW32\mu1245329540v7.kwd
c:\programdata\SysWoW32\wu1245329540v0
c:\programdata\SysWoW32\wu1245329540v0.kwd
c:\programdata\SysWoW32\wu1245329540v1
c:\programdata\SysWoW32\wu1245329540v1.kwd
c:\programdata\SysWoW32\wu1245329540v2
c:\programdata\SysWoW32\wu1245329540v2.kwd
c:\programdata\SysWoW32\wu1245329540v3
c:\programdata\SysWoW32\wu1245329540v3.kwd
C:\Thumbs.db
c:\users\Kate\AppData\Roaming\.#
c:\users\Kate\AppData\Roaming\40e065d9
c:\users\Kate\AppData\Roaming\Microsoft\Windows\Start Menu\Internet Explorer.lnk
c:\users\Kate\g2ax_customer_downloadhelper_win32_x86.exe
c:\users\Kate\g2mdlhlpx.exe
c:\users\Public\AlexaNSISPlugin.6664.dll
c:\windows\Installer\{ecbd6c52-66a8-9dca-4c9a-7400be1f862b}\@
c:\windows\Installer\{ecbd6c52-66a8-9dca-4c9a-7400be1f862b}\U\00000001.@
c:\windows\Installer\{ecbd6c52-66a8-9dca-4c9a-7400be1f862b}\U\80000000.@
c:\windows\jestertb.dll
c:\windows\offitems.log
c:\windows\system\msvbvm60.dll
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-07-27 to 2012-08-27 )))))))))))))))))))))))))))))))
.
.
2012-08-27 19:26 . 2012-08-27 19:26 -------- d-----w- c:\users\Publisher\AppData\Local\temp
2012-08-27 19:26 . 2012-08-27 19:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-26 23:52 . 2012-08-26 23:52 -------- d-----w- C:\Sam
2012-08-20 20:30 . 2012-08-20 20:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-20 20:30 . 2012-08-20 20:30 -------- d-----w- c:\programdata\Malwarebytes
2012-08-20 20:30 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-20 20:07 . 2012-08-20 20:07 -------- d-----w- C:\kleaner.tmp
2012-08-09 17:17 . 2012-04-20 20:40 146872 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2012-07-30 17:21 . 2012-07-30 17:21 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2012-07-30 17:20 . 2012-07-30 17:20 -------- d-----w- c:\program files\Common Files\xing shared
2012-07-30 17:20 . 2012-07-30 17:20 150736 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2012-07-30 17:20 . 2012-07-30 17:20 129176 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpplugin.dll
2012-07-30 17:17 . 2012-07-30 17:17 -------- d-----w- c:\program files\Amazon Browser Bar
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-14 23:34 . 2012-04-30 20:53 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-14 23:34 . 2011-06-02 19:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-30 17:19 . 2003-03-18 11:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-06-29 08:44 . 2012-07-17 06:09 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C543FA18-136A-4FD9-8912-2207C13D52F5}\mpengine.dll
2012-06-22 11:58 . 2010-05-08 10:21 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-06-22 11:55 . 2010-05-08 10:21 206784 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2012-06-22 11:53 . 2010-05-08 10:21 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-06-22 11:53 . 2010-05-08 10:21 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-06-22 11:52 . 2010-05-08 10:21 554048 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-06-22 11:51 . 2010-05-08 10:21 360792 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-06-22 11:51 . 2010-05-08 10:21 61912 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-06-22 11:50 . 2010-05-08 10:21 230224 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-06-22 11:50 . 2010-05-08 10:21 127992 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-05-31 16:25 . 2011-02-17 21:35 237072 ------w- c:\windows\system32\MpSigStub.exe
2008-10-28 17:52 . 2008-10-28 17:52 7390 ----a-w- c:\program files\xpress.reg
2008-10-28 17:52 . 2008-10-28 17:52 4859904 ----a-w- c:\program files\QuarkXPress.exe
2012-07-27 18:32 . 2012-03-11 22:08 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F443A627-5009-4323-9C1D-7FD598D0D712}]
2012-05-10 00:05 1607472 ----a-w- c:\program files\Amazon Browser Bar\AmazonBrowserBar.3.0.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2010-09-24 222496]
"Akamai NetSession Interface"="c:\users\Kate\AppData\Local\Akamai\netsession_win.exe" [2012-08-10 4440896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-07-24 450560]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-06-22 1271968]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-31 4702208]
"QuickBooksDB18"="c:\quickbooks 2008\QBDBMgrN.exe" [2006-09-13 128536]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-16 259624]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-09-30 2215768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"ButtonMonitor"="c:\program files\IOI\ButtonMonitor.exe" [2007-05-11 53248]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2011-03-20 611712]
"ISTray"="c:\program files\Spy Doctor PC Tools Security\pctsGui.exe" [2010-12-01 1589208]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-05 1468256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-07-30 296096]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2011-11-9 5969752]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-11-9 1156968]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2011\QBW32.EXE [2011-11-9 1178984]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2012-6-27 572000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"LocalAccountTokenFilterPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Event Planner Reminder.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder.lnk
backup=c:\windows\pss\Event Planner Reminder.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Kate^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Legalsounds Download Manager.lnk]
path=c:\users\Kate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Legalsounds Download Manager.lnk
backup=c:\windows\pss\Legalsounds Download Manager.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Kate^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^TimeLeft.lnk]
backup=c:\windows\pss\TimeLeft.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 08:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FontExpertType1Loader]
2011-10-31 16:52 294776 ----a-w- c:\fontexpert\Type1Loader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-18 03:41 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"Memeo AutoSync"=c:\program files\Memeo\AutoSync\MemeoLauncher2.exe --silent
"WD Anywhere Backup"=c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe --silent
"Memeo Backup Premium"=c:\program files\Memeo\AutoBackupPro\MemeoLauncher2.exe --silent --no_ui
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe"
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
"ISTray"="c:\spyware doctor\pctsTray.exe"
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"QuickBooksDB18"=c:\quickbooks 2008\QBDBMgrN.exe -n QB_KATE-PC_18 -qs -gd ALL -gk all -gp 4096 -gu all -ch 64M -c 32M -x tcpip(BroadcastListener=NO;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe c:\users\Kate\AppData\Local\Intuit\QUICKB~1\Log\DBSTAR~1.LOG -y
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
"NvSvc"=RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 0042391345679304mcinstcleanup;McAfee Application Installer Cleanup (0042391345679304);c:\windows\TEMP\0042391345679304mcinst.exe [x]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 23:34]
.
2012-03-10 c:\windows\Tasks\GlaryInitialize.job
- c:\glary utilities pro\Glary Utilities\initialize.exe [2010-01-14 15:08]
.
2012-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 05:26]
.
2012-08-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 05:26]
.
2012-08-27 c:\windows\Tasks\User_Feed_Synchronization-{28FCB36E-94DD-4004-B5EB-B8FB14D69476}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Software
IE: Software\PepiMK Software
IE: Software\PepiMK Software\SpybotSnD
Trusted Zone: ebay.com
Trusted Zone: listen.com\www
TCP: DhcpNameServer = 192.168.1.1
DPF: {0AD584EB-F10F-46F7-BCB8-1085C386BEAE} - hxxps://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom2009.cab
DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1_2009.cab
DPF: {788539E8-002D-4E59-9089-40B694A99C9A} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2008.cab
FF - ProfilePath - c:\users\Kate\AppData\Roaming\Mozilla\Firefox\Profiles\uimbrxzi.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-AROReminder - c:\program files\ARO 2011\ARO.exe
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-tstco - (no file)
MSConfigStartUp-Coupon Alert Search Scope Monitor - c:\progra~1\CouponAlert_2p\bar\1.bin\2psrchmn.exe
MSConfigStartUp-CouponAlert_2p Browser Plugin Loader - c:\progra~1\CouponAlert_2p\bar\1.bin\2pbrmon.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-27 15:37
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_4f7fccd.dll"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(908)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'Explorer.exe'(664)
c:\program files\RhinoSoft.com\FTP Voyager\ftpshext.dll
c:\program files\WinSCP\DragExt.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WTouch\WTouchService.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
c:\program files\Common Files\Nuance\dgnsvc.exe
c:\programdata\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\programdata\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Firebird\bin\fbguard.exe
c:\program files\LogMeIn\x86\LMIGuardianSvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\McAfee\SiteAdvisor\McSACore.exe
c:\program files\Memeo\AutoBackupPro\MemeoBackgroundService.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe
c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe
c:\program files\Secunia\PSI\PSIA.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\Pen_Tablet.exe
c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
c:\manageengine\ServiceDesk\jre\bin\java.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Firebird\bin\fbserver.exe
c:\program files\Secunia\PSI\sua.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\program files\WTouch\WTouchUser.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\Pen_Tablet.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
.
**************************************************************************
.
Completion time: 2012-08-27 15:46:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-27 19:46
.
Pre-Run: 81,008,410,624 bytes free
Post-Run: 81,329,360,896 bytes free
.
- - End Of File - - F16E33E63780BE591F2C36ED6A84F480


Current symptoms, since running diagnostics:
* Firewalls turned off. Could not turn on McAfee firewall; turned on Windows firewall, but it does not start when the PC is booted.
* Anti-virus disabled: Can't start McAfee Internet Security manually; Windows Security Center says it can't find McAfee applications. Windows reports that Windows Defender is out of date; when I try to update, I get a "can't update" error.

Other issues: system resources are being drained in ways that don't show up in Task Manager. Normally this PC can run demanding programs like Adobe Photoshop and InDesign (CS4) at the same time as QuickBooks, Word, and multiple browsers. Now it's necessary to shut down QuickBooks and Word to be able to use any programs in the Adobe suite.

Thanks; let me know if I can answer any more specific questions.

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 27 August 2012 - 03:19 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#7 Editor in NC (Topic Starter)

  • Members
  • 12 posts

Posted 27 August 2012 - 04:53 PM

After my last message I restarted the PC again. Windows firewall stayed in place on restart, and flagged a couple of things it found suspicious, one of which had the name "Akamai."

I ran TDSSKiller, which found only one "Suspicious" item, the self-same "Akamai." I selected "skip" and "continue."

TDSSKiller log follows:

17:49:34.0344 0312 TDSS rootkit removing tool 2.8.7.0 Aug 20 2012 17:30:03
17:49:36.0346 0312 ============================================================
17:49:36.0346 0312 Current date / time: 2012/08/27 17:49:36.0346
17:49:36.0346 0312 SystemInfo:
17:49:36.0347 0312
17:49:36.0347 0312 OS Version: 6.0.6001 ServicePack: 1.0
17:49:36.0347 0312 Product type: Workstation
17:49:36.0347 0312 ComputerName: KATE-PC
17:49:36.0347 0312 UserName: Kate
17:49:36.0347 0312 Windows directory: C:\Windows
17:49:36.0347 0312 System windows directory: C:\Windows
17:49:36.0347 0312 Processor architecture: Intel x86
17:49:36.0347 0312 Number of processors: 2
17:49:36.0347 0312 Page size: 0x1000
17:49:36.0347 0312 Boot type: Normal boot
17:49:36.0347 0312 ============================================================
17:49:36.0719 0312 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
17:49:36.0722 0312 Drive \Device\Harddisk1\DR1 - Size: 0x1DDBF8000 (7.46 Gb), SectorSize: 0x200, Cylinders: 0x3CE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
17:49:36.0786 0312 ============================================================
17:49:36.0786 0312 \Device\Harddisk0\DR0:
17:49:36.0786 0312 MBR partitions:
17:49:36.0786 0312 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x15E4B16
17:49:36.0786 0312 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x15E4B55, BlocksNum 0x23E4975B
17:49:36.0786 0312 \Device\Harddisk1\DR1:
17:49:36.0787 0312 MBR partitions:
17:49:36.0787 0312 \Device\Harddisk1\DR1\Partition1: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0xEEDD21
17:49:36.0787 0312 ============================================================
17:49:36.0819 0312 C: <-> \Device\Harddisk0\DR0\Partition2
17:49:36.0839 0312 D: <-> \Device\Harddisk0\DR0\Partition1
17:49:36.0839 0312 ============================================================
17:49:36.0839 0312 Initialize success
17:49:36.0839 0312 ============================================================
17:49:40.0544 5004 ============================================================
17:49:40.0544 5004 Scan started
17:49:40.0544 5004 Mode: Manual;
17:49:40.0544 5004 ============================================================
17:49:40.0808 5004 ================ Scan system memory ========================
17:49:40.0808 5004 System memory - ok
17:49:40.0809 5004 ================ Scan services =============================
17:49:40.0897 5004 0042391345679304mcinstcleanup - ok
17:49:40.0980 5004 [ FCB8C7210F0135E24C6580F7F649C73C ] ACPI C:\Windows\system32\drivers\acpi.sys
17:49:40.0985 5004 ACPI - ok
17:49:41.0044 5004 [ 73685E15EF8B0BD9C30F1AF413F13D49 ] adfs C:\Windows\system32\drivers\adfs.sys
17:49:41.0047 5004 adfs - ok
17:49:41.0141 5004 [ 57A3B9A69F14414ACE12AFD6BA701773 ] Adobe Version Cue CS4 C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
17:49:41.0151 5004 Adobe Version Cue CS4 - ok
17:49:41.0230 5004 [ 3FD8DC2C9735C2AA70155102CFB93EDA ] AdobeActiveFileMonitor7.0 C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
17:49:41.0235 5004 AdobeActiveFileMonitor7.0 - ok
17:49:41.0317 5004 [ A9D3B95E8466BD58EEB8A1154654E162 ] AdobeFlashPlayerUpdateSvc C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
17:49:41.0322 5004 AdobeFlashPlayerUpdateSvc - ok
17:49:41.0352 5004 [ 04F0FCAC69C7C71A3AC4EB97FAFC8303 ] adp94xx C:\Windows\system32\drivers\adp94xx.sys
17:49:41.0361 5004 adp94xx - ok
17:49:41.0383 5004 [ 60505E0041F7751BDBB80F88BF45C2CE ] adpahci C:\Windows\system32\drivers\adpahci.sys
17:49:41.0399 5004 adpahci - ok
17:49:41.0427 5004 [ 8A42779B02AEC986EAB64ECFC98F8BD7 ] adpu160m C:\Windows\system32\drivers\adpu160m.sys
17:49:41.0430 5004 adpu160m - ok
17:49:41.0456 5004 [ 241C9E37F8CE45EF51C3DE27515CA4E5 ] adpu320 C:\Windows\system32\drivers\adpu320.sys
17:49:41.0460 5004 adpu320 - ok
17:49:41.0491 5004 [ 9D1FDA9E086BA64E3C93C9DE32461BCF ] AeLookupSvc C:\Windows\System32\aelupsvc.dll
17:49:41.0493 5004 AeLookupSvc - ok
17:49:41.0515 5004 [ 763E172A55177E478CB419F88FD0BA03 ] AFD C:\Windows\system32\drivers\afd.sys
17:49:41.0521 5004 AFD - ok
17:49:41.0549 5004 [ 13F9E33747E6B41A3FF305C37DB0D360 ] agp440 C:\Windows\system32\drivers\agp440.sys
17:49:41.0551 5004 agp440 - ok
17:49:41.0572 5004 [ AE1FDF7BF7BB6C6A70F67699D880592A ] aic78xx C:\Windows\system32\drivers\djsvs.sys
17:49:41.0575 5004 aic78xx - ok
17:49:41.0718 5004 [ 29584F02A43E427C4227E3B1D9FF1B22 ] Akamai c:\program files\common files\akamai/netsession_win_4f7fccd.dll
17:49:41.0718 5004 Suspicious file (Hidden): c:\program files\common files\akamai/netsession_win_4f7fccd.dll. md5: 29584F02A43E427C4227E3B1D9FF1B22
17:49:41.0733 5004 Akamai ( HiddenFile.Multi.Generic ) - warning
17:49:41.0733 5004 Akamai - detected HiddenFile.Multi.Generic (1)
17:49:41.0759 5004 [ A1545B731579895D8CC44FC0481C1192 ] ALG C:\Windows\System32\alg.exe
17:49:41.0762 5004 ALG - ok
17:49:41.0788 5004 [ 9EAEF5FC9B8E351AFA7E78A6FAE91F91 ] aliide C:\Windows\system32\drivers\aliide.sys
17:49:41.0790 5004 aliide - ok
17:49:41.0852 5004 [ FF6F0F6A2D72065AE4300426FA414693 ] Amazon Download Agent C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
17:49:41.0856 5004 Amazon Download Agent - ok
17:49:41.0880 5004 [ C47344BC706E5F0B9DCE369516661578 ] amdagp C:\Windows\system32\drivers\amdagp.sys
17:49:41.0883 5004 amdagp - ok
17:49:41.0902 5004 [ 9B78A39A4C173FDBC1321E0DD659B34C ] amdide C:\Windows\system32\drivers\amdide.sys
17:49:41.0911 5004 amdide - ok
17:49:41.0928 5004 [ 18F29B49AD23ECEE3D2A826C725C8D48 ] AmdK7 C:\Windows\system32\drivers\amdk7.sys
17:49:41.0944 5004 AmdK7 - ok
17:49:41.0959 5004 [ 93AE7F7DD54AB986A6F1A1B37BE7442D ] AmdK8 C:\Windows\system32\DRIVERS\amdk8.sys
17:49:41.0961 5004 AmdK8 - ok
17:49:42.0018 5004 [ 46DF729D906D8C0C1F68D85370528523 ] AppHostSvc C:\Windows\system32\inetsrv\apphostsvc.dll
17:49:42.0020 5004 AppHostSvc - ok
17:49:42.0063 5004 [ C6D704C7F0434DC791AAC37CAC4B6E14 ] Appinfo C:\Windows\System32\appinfo.dll
17:49:42.0065 5004 Appinfo - ok
17:49:42.0104 5004 [ 5D2888182FB46632511ACEE92FDAD522 ] arc C:\Windows\system32\drivers\arc.sys
17:49:42.0107 5004 arc - ok
17:49:42.0132 5004 [ 5E2A321BD7C8B3624E41FDEC3E244945 ] arcsas C:\Windows\system32\drivers\arcsas.sys
17:49:42.0134 5004 arcsas - ok
17:49:42.0200 5004 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
17:49:42.0203 5004 aspnet_state - ok
17:49:42.0227 5004 [ 53B202ABEE6455406254444303E87BE1 ] AsyncMac C:\Windows\system32\DRIVERS\asyncmac.sys
17:49:42.0228 5004 AsyncMac - ok
17:49:42.0243 5004 [ 2D9C903DC76A66813D350A562DE40ED9 ] atapi C:\Windows\system32\drivers\atapi.sys
17:49:42.0245 5004 atapi - ok
17:49:42.0279 5004 [ 42076E29AAFA0830A2C5D4E310F58DD1 ] AudioEndpointBuilder C:\Windows\System32\Audiosrv.dll
17:49:42.0294 5004 AudioEndpointBuilder - ok
17:49:42.0304 5004 [ 42076E29AAFA0830A2C5D4E310F58DD1 ] Audiosrv C:\Windows\System32\Audiosrv.dll
17:49:42.0308 5004 Audiosrv - ok
17:49:42.0341 5004 [ 67E506B75BD5326A3EC7B70BD014DFB6 ] Beep C:\Windows\system32\drivers\Beep.sys
17:49:42.0342 5004 Beep - ok
17:49:42.0362 5004 [ 8582E233C346AEFE759833E8A30DD697 ] BFE C:\Windows\System32\bfe.dll
17:49:42.0368 5004 BFE - ok
17:49:42.0399 5004 [ D4DF28447741FD3D953526E33A617397 ] blbdrive C:\Windows\system32\drivers\blbdrive.sys
17:49:42.0400 5004 blbdrive - ok
17:49:42.0423 5004 [ 74B442B2BE1260B7588C136177CEAC66 ] bowser C:\Windows\system32\DRIVERS\bowser.sys
17:49:42.0424 5004 bowser - ok
17:49:42.0466 5004 [ 9F9ACC7F7CCDE8A15C282D3F88B43309 ] BrFiltLo C:\Windows\system32\drivers\brfiltlo.sys
17:49:42.0473 5004 BrFiltLo - ok
17:49:42.0493 5004 [ 56801AD62213A41F6497F96DEE83755A ] BrFiltUp C:\Windows\system32\drivers\brfiltup.sys
17:49:42.0494 5004 BrFiltUp - ok
17:49:42.0521 5004 [ A3629A0C4226F9E9C72FAAEEBC3AD33C ] Browser C:\Windows\System32\browser.dll
17:49:42.0523 5004 Browser - ok
17:49:42.0542 5004 [ B304E75CFF293029EDDF094246747113 ] Brserid C:\Windows\system32\drivers\brserid.sys
17:49:42.0544 5004 Brserid - ok
17:49:42.0559 5004 [ 203F0B1E73ADADBBB7B7B1FABD901F6B ] BrSerWdm C:\Windows\system32\drivers\brserwdm.sys
17:49:42.0561 5004 BrSerWdm - ok
17:49:42.0572 5004 [ BD456606156BA17E60A04E18016AE54B ] BrUsbMdm C:\Windows\system32\drivers\brusbmdm.sys
17:49:42.0573 5004 BrUsbMdm - ok
17:49:42.0588 5004 [ AF72ED54503F717A43268B3CC5FAEC2E ] BrUsbSer C:\Windows\system32\drivers\brusbser.sys
17:49:42.0590 5004 BrUsbSer - ok
17:49:42.0606 5004 [ AD07C1EC6665B8B35741AB91200C6B68 ] BTHMODEM C:\Windows\system32\drivers\bthmodem.sys
17:49:42.0608 5004 BTHMODEM - ok
17:49:42.0616 5004 catchme - ok
17:49:42.0644 5004 [ 7ADD03E75BEB9E6DD102C3081D29840A ] cdfs C:\Windows\system32\DRIVERS\cdfs.sys
17:49:42.0646 5004 cdfs - ok
17:49:42.0656 5004 [ 1EC25CEA0DE6AC4718BF89F9E1778B57 ] cdrom C:\Windows\system32\DRIVERS\cdrom.sys
17:49:42.0658 5004 cdrom - ok
17:49:42.0696 5004 [ 87C2D0377B23E2D8A41093C2F5FB1A5B ] CertPropSvc C:\Windows\System32\certprop.dll
17:49:42.0698 5004 CertPropSvc - ok
17:49:42.0725 5004 [ 958C33D0715D1496684D2E5E329748E8 ] cfwids C:\Windows\system32\drivers\cfwids.sys
17:49:42.0726 5004 cfwids - ok
17:49:42.0738 5004 [ E5D4133F37219DBCFE102BC61072589D ] circlass C:\Windows\system32\drivers\circlass.sys
17:49:42.0740 5004 circlass - ok
17:49:42.0760 5004 [ 465745561C832B29F7C48B488AAB3842 ] CLFS C:\Windows\system32\CLFS.sys
17:49:42.0764 5004 CLFS - ok
17:49:42.0787 5004 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
17:49:42.0789 5004 clr_optimization_v2.0.50727_32 - ok
17:49:42.0813 5004 [ 99AFC3795B58CC478FBBBCDC658FCB56 ] CmBatt C:\Windows\system32\DRIVERS\CmBatt.sys
17:49:42.0815 5004 CmBatt - ok
17:49:42.0821 5004 [ 0CA25E686A4928484E9FDABD168AB629 ] cmdide C:\Windows\system32\drivers\cmdide.sys
17:49:42.0823 5004 cmdide - ok
17:49:42.0837 5004 [ 6AFEF0B60FA25DE07C0968983EE4F60A ] Compbatt C:\Windows\system32\DRIVERS\compbatt.sys
17:49:42.0839 5004 Compbatt - ok
17:49:42.0847 5004 COMSysApp - ok
17:49:42.0856 5004 [ 741E9DFF4F42D2D8477D0FC1DC0DF871 ] crcdisk C:\Windows\system32\drivers\crcdisk.sys
17:49:42.0860 5004 crcdisk - ok
17:49:42.0890 5004 [ 1F07BECDCA750766A96CDA811BA86410 ] Crusoe C:\Windows\system32\drivers\crusoe.sys
17:49:42.0891 5004 Crusoe - ok
17:49:42.0956 5004 [ 6DE363F9F99334514C46AEC02D3E3678 ] CryptSvc C:\Windows\system32\cryptsvc.dll
17:49:42.0958 5004 CryptSvc - ok
17:49:43.0007 5004 [ 301AE00E12408650BADDC04DBC832830 ] DcomLaunch C:\Windows\system32\rpcss.dll
17:49:43.0012 5004 DcomLaunch - ok
17:49:43.0066 5004 [ 9E635AE5E8AD93E2B5989E2E23679F97 ] DfsC C:\Windows\system32\Drivers\dfsc.sys
17:49:43.0068 5004 DfsC - ok
17:49:43.0154 5004 [ FA3463F25F9CC9C3BCF1E7912FEFF099 ] DFSR C:\Windows\system32\DFSR.exe
17:49:43.0186 5004 DFSR - ok
17:49:43.0211 5004 [ 43A988A9C10333476CB5FB667CBD629D ] Dhcp C:\Windows\System32\dhcpcsvc.dll
17:49:43.0214 5004 Dhcp - ok
17:49:43.0226 5004 [ 64109E623ABD6955C8FB110B592E68B7 ] disk C:\Windows\system32\drivers\disk.sys
17:49:43.0228 5004 disk - ok
17:49:43.0252 5004 [ F5A0F1DA1ED8B429597E71D27D976E31 ] Dnscache C:\Windows\System32\dnsrslvr.dll
17:49:43.0255 5004 Dnscache - ok
17:49:43.0273 5004 [ 5AF620A08C614E24206B79E8153CF1A8 ] dot3svc C:\Windows\System32\dot3svc.dll
17:49:43.0276 5004 dot3svc - ok
17:49:43.0288 5004 [ A622E888F8AA2F6B49E9BC466F0E5DEF ] DPS C:\Windows\system32\dps.dll
17:49:43.0292 5004 DPS - ok
17:49:43.0354 5004 [ 0B9D2B8D0C3955EF851A98155C349B59 ] DragonSvc C:\Program Files\Common Files\Nuance\dgnsvc.exe
17:49:43.0357 5004 DragonSvc - ok
17:49:43.0392 5004 [ 97FEF831AB90BEE128C9AF390E243F80 ] drmkaud C:\Windows\system32\drivers\drmkaud.sys
17:49:43.0394 5004 drmkaud - ok
17:49:43.0426 5004 [ 85F33880B8CFB554BD3D9CCDB486845A ] DXGKrnl C:\Windows\System32\drivers\dxgkrnl.sys
17:49:43.0443 5004 DXGKrnl - ok
17:49:43.0484 5004 [ 5425F74AC0C1DBD96A1E04F17D63F94C ] E1G60 C:\Windows\system32\DRIVERS\E1G60I32.sys
17:49:43.0488 5004 E1G60 - ok
17:49:43.0512 5004 [ C0B95E40D85CD807D614E264248A45B9 ] EapHost C:\Windows\System32\eapsvc.dll
17:49:43.0515 5004 EapHost - ok
17:49:43.0546 5004 [ DD2CD259D83D8B72C02C5F2331FF9D68 ] Ecache C:\Windows\system32\drivers\ecache.sys
17:49:43.0549 5004 Ecache - ok
17:49:43.0592 5004 [ 9BE3744D295A7701EB425332014F0797 ] ehRecvr C:\Windows\ehome\ehRecvr.exe
17:49:43.0597 5004 ehRecvr - ok
17:49:43.0646 5004 [ AD1870C8E5D6DD340C829E6074BF3C3F ] ehSched C:\Windows\ehome\ehsched.exe
17:49:43.0649 5004 ehSched - ok
17:49:43.0662 5004 [ C27C4EE8926E74AA72EFCAB24C5242C3 ] ehstart C:\Windows\ehome\ehstart.dll
17:49:43.0663 5004 ehstart - ok
17:49:43.0688 5004 [ 23B62471681A124889978F6295B3F4C6 ] elxstor C:\Windows\system32\drivers\elxstor.sys
17:49:43.0696 5004 elxstor - ok
17:49:43.0733 5004 [ 70B1A86DF0C8EAD17D2BC332EDAE2C7C ] EMDMgmt C:\Windows\system32\emdmgmt.dll
17:49:43.0750 5004 EMDMgmt - ok
17:49:43.0829 5004 [ EC6A73CD8413F68655E5E0B99C415A21 ] EPSON_EB_RPCV4_01 C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
17:49:43.0832 5004 EPSON_EB_RPCV4_01 - ok
17:49:43.0844 5004 [ 8FE6AB59CAB8F2C038FEA9522A5EEBA7 ] EPSON_PM_RPCV4_01 C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
17:49:43.0847 5004 EPSON_PM_RPCV4_01 - ok
17:49:43.0873 5004 [ 3DB974F3935483555D7148663F726C61 ] ErrDev C:\Windows\system32\drivers\errdev.sys
17:49:43.0875 5004 ErrDev - ok
17:49:43.0918 5004 [ 3CB3343D720168B575133A0A20DC2465 ] EventSystem C:\Windows\system32\es.dll
17:49:43.0922 5004 EventSystem - ok
17:49:43.0951 5004 [ 0D858EB20589A34EFB25695ACAA6AA2D ] exfat C:\Windows\system32\drivers\exfat.sys
17:49:43.0955 5004 exfat - ok
17:49:43.0973 5004 [ 3C489390C2E2064563727752AF8EAB9E ] fastfat C:\Windows\system32\drivers\fastfat.sys
17:49:43.0976 5004 fastfat - ok
17:49:43.0996 5004 [ AFE1E8B9782A0DD7FB46BBD88E43F89A ] fdc C:\Windows\system32\DRIVERS\fdc.sys
17:49:43.0997 5004 fdc - ok
17:49:44.0024 5004 [ 6629B5F0E98151F4AFDD87567EA32BA3 ] fdPHost C:\Windows\system32\fdPHost.dll
17:49:44.0026 5004 fdPHost - ok
17:49:44.0036 5004 [ 89ED56DCE8E47AF40892778A5BD31FD2 ] FDResPub C:\Windows\system32\fdrespub.dll
17:49:44.0039 5004 FDResPub - ok
17:49:44.0055 5004 [ A8C0139A884861E3AAE9CFE73B208A9F ] FileInfo C:\Windows\system32\drivers\fileinfo.sys
17:49:44.0057 5004 FileInfo - ok
17:49:44.0073 5004 [ 0AE429A696AECBC5970E3CF2C62635AE ] Filetrace C:\Windows\system32\drivers\filetrace.sys
17:49:44.0075 5004 Filetrace - ok
17:49:44.0118 5004 [ B84D31AC5AE8372CE60204920E8F98E2 ] FirebirdGuardianDefaultInstance C:\Program Files\Firebird\bin\fbguard.exe
17:49:44.0120 5004 FirebirdGuardianDefaultInstance - ok
17:49:44.0193 5004 [ E83398B97959086265B7FEE2BFAF1343 ] FirebirdServerDefaultInstance C:\Program Files\Firebird\bin\fbserver.exe
17:49:44.0253 5004 FirebirdServerDefaultInstance - ok
17:49:44.0310 5004 [ 1F63900E2EB00101B9ACA2B7A870704E ] FLEXnet Licensing Service C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
17:49:44.0327 5004 FLEXnet Licensing Service - ok
17:49:44.0346 5004 [ 85B7CF99D532820495D68D747FDA9EBD ] flpydisk C:\Windows\system32\DRIVERS\flpydisk.sys
17:49:44.0348 5004 flpydisk - ok
17:49:44.0395 5004 [ 05EA53AFE985443011E36DAB07343B46 ] FltMgr C:\Windows\system32\drivers\fltmgr.sys
17:49:44.0399 5004 FltMgr - ok
17:49:44.0450 5004 [ C9BE08664611DDAF98E2331E9288B00B ] FontCache3.0.0.0 C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
17:49:44.0452 5004 FontCache3.0.0.0 - ok
17:49:44.0484 5004 [ 65EA8B77B5851854F0C55C43FA51A198 ] Fs_Rec C:\Windows\system32\drivers\Fs_Rec.sys
17:49:44.0485 5004 Fs_Rec - ok
17:49:44.0498 5004 [ 34582A6E6573D54A07ECE5FE24A126B5 ] gagp30kx C:\Windows\system32\drivers\gagp30kx.sys
17:49:44.0501 5004 gagp30kx - ok
17:49:44.0546 5004 [ 0879DC7444A201DF84E69C5DD5083D61 ] getPlusHelper C:\Program Files\NOS\bin\getPlus_Helper.dll
17:49:44.0548 5004 getPlusHelper - ok
17:49:44.0588 5004 [ D9F1113D9401185245573350712F92FC ] gpsvc C:\Windows\System32\gpsvc.dll
17:49:44.0604 5004 gpsvc - ok
17:49:44.0715 5004 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
17:49:44.0717 5004 gupdate - ok
17:49:44.0749 5004 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
17:49:44.0752 5004 gupdatem - ok
17:49:44.0814 5004 [ 1BF044E23206FDDC16891A32922D571B ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
17:49:44.0823 5004 gusvc - ok
17:49:44.0859 5004 [ CB04C744BE0A61B1D648FAED182C3B59 ] HdAudAddService C:\Windows\system32\drivers\HdAudio.sys
17:49:44.0864 5004 HdAudAddService - ok
17:49:44.0887 5004 [ C87B1EE051C0464491C1A7B03FA0BC99 ] HDAudBus C:\Windows\system32\DRIVERS\HDAudBus.sys
17:49:44.0889 5004 HDAudBus - ok
17:49:44.0905 5004 [ 1338520E78D90154ED6BE8F84DE5FCEB ] HidBth C:\Windows\system32\drivers\hidbth.sys
17:49:44.0907 5004 HidBth - ok
17:49:44.0921 5004 [ FF3160C3A2445128C5A6D9B076DA519E ] HidIr C:\Windows\system32\drivers\hidir.sys
17:49:44.0923 5004 HidIr - ok
17:49:44.0949 5004 [ 8FA640195279ACE21BEA91396A0054FC ] hidserv C:\Windows\System32\hidserv.dll
17:49:44.0951 5004 hidserv - ok
17:49:44.0980 5004 [ 854CA287AB7FAF949617A788306D967E ] HidUsb C:\Windows\system32\DRIVERS\hidusb.sys
17:49:44.0981 5004 HidUsb - ok
17:49:45.0021 5004 [ D61E53E3FEC0C92BC8DD3969FAD63F87 ] HipShieldK C:\Windows\system32\drivers\HipShieldK.sys
17:49:45.0025 5004 HipShieldK - ok
17:49:45.0041 5004 [ D8AD255B37DA92434C26E4876DB7D418 ] hkmsvc C:\Windows\system32\kmsvc.dll
17:49:45.0045 5004 hkmsvc - ok
17:49:45.0064 5004 [ 16EE7B23A009E00D835CDB79574A91A6 ] HpCISSs C:\Windows\system32\drivers\hpcisss.sys
17:49:45.0066 5004 HpCISSs - ok
17:49:45.0109 5004 [ 9EFA5FEC26CEC696A66A891AC90B412D ] HSF_DPV C:\Windows\system32\DRIVERS\HSX_DPV.sys
17:49:45.0130 5004 HSF_DPV - ok
17:49:45.0152 5004 [ A3077D9ED7FF612A033536A6009DBEA5 ] HSXHWBS2 C:\Windows\system32\DRIVERS\HSXHWBS2.sys
17:49:45.0159 5004 HSXHWBS2 - ok
17:49:45.0187 5004 [ 52395A94C127C0266D1C0F3CCE8A4345 ] htcnprot C:\Windows\system32\DRIVERS\htcnprot.sys
17:49:45.0189 5004 htcnprot - ok
17:49:45.0246 5004 [ 96E241624C71211A79C84F50A8E71CAB ] HTTP C:\Windows\system32\drivers\HTTP.sys
17:49:45.0263 5004 HTTP - ok
17:49:45.0283 5004 [ C6B032D69650985468160FC9937CF5B4 ] i2omp C:\Windows\system32\drivers\i2omp.sys
17:49:45.0285 5004 i2omp - ok
17:49:45.0317 5004 [ 22D56C8184586B7A1F6FA60BE5F5A2BD ] i8042prt C:\Windows\system32\DRIVERS\i8042prt.sys
17:49:45.0320 5004 i8042prt - ok
17:49:45.0368 5004 [ 8318E04A6455CED1020BCC5039B62CFA ] ialm C:\Windows\system32\DRIVERS\ialmnt5.sys
17:49:45.0408 5004 ialm - ok
17:49:45.0438 5004 [ 54155EA1B0DF185878E0FC9EC3AC3A14 ] iaStorV C:\Windows\system32\drivers\iastorv.sys
17:49:45.0443 5004 iaStorV - ok
17:49:45.0492 5004 [ 1CF03C69B49ACB70C722DF92755C0C8C ] IDriverT C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
17:49:45.0495 5004 IDriverT - ok
17:49:45.0545 5004 [ 7B630ACAED64FEF0C3E1CF255CB56686 ] idsvc C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
17:49:45.0562 5004 idsvc - ok
17:49:45.0592 5004 [ 2D077BF86E843F901D8DB709C95B49A5 ] iirsp C:\Windows\system32\drivers\iirsp.sys
17:49:45.0594 5004 iirsp - ok
17:49:45.0631 5004 [ A3BC480A2BF8AA8E4DABD2D5DCE0AFAC ] IKEEXT C:\Windows\System32\ikeext.dll
17:49:45.0649 5004 IKEEXT - ok
17:49:45.0724 5004 [ 4E38A2883DF3BA382A59132B3E7D709E ] IntcAzAudAddService C:\Windows\system32\drivers\RTKVHDA.sys
17:49:45.0765 5004 IntcAzAudAddService - ok
17:49:45.0800 5004 [ 83AA759F3189E6370C30DE5DC5590718 ] intelide C:\Windows\system32\drivers\intelide.sys
17:49:45.0802 5004 intelide - ok
17:49:45.0824 5004 [ 224191001E78C89DFA78924C3EA595FF ] intelppm C:\Windows\system32\DRIVERS\intelppm.sys
17:49:45.0827 5004 intelppm - ok
17:49:45.0856 5004 [ 9AC218C6E6105477484C6FDBE7D409A4 ] IPBusEnum C:\Windows\system32\ipbusenum.dll
17:49:45.0859 5004 IPBusEnum - ok
17:49:45.0878 5004 [ 62C265C38769B864CB25B4BCF62DF6C3 ] IpFilterDriver C:\Windows\system32\DRIVERS\ipfltdrv.sys
17:49:45.0880 5004 IpFilterDriver - ok
17:49:45.0912 5004 [ CAD416B8A4309B5E1CE75425381E7D2F ] iphlpsvc C:\Windows\System32\iphlpsvc.dll
17:49:45.0918 5004 iphlpsvc - ok
17:49:45.0925 5004 IpInIp - ok
17:49:45.0947 5004 [ B25AAF203552B7B3491139D582B39AD1 ] IPMIDRV C:\Windows\system32\drivers\ipmidrv.sys
17:49:45.0949 5004 IPMIDRV - ok
17:49:45.0962 5004 [ 8793643A67B42CEC66490B2A0CF92D68 ] IPNAT C:\Windows\system32\DRIVERS\ipnat.sys
17:49:45.0966 5004 IPNAT - ok
17:49:45.0984 5004 [ 109C0DFB82C3632FBD11949B73AEEAC9 ] IRENUM C:\Windows\system32\drivers\irenum.sys
17:49:45.0986 5004 IRENUM - ok
17:49:46.0005 5004 [ 6C70698A3E5C4376C6AB5C7C17FB0614 ] isapnp C:\Windows\system32\drivers\isapnp.sys
17:49:46.0007 5004 isapnp - ok
17:49:46.0036 5004 [ F247EEC28317F6C739C16DE420097301 ] iScsiPrt C:\Windows\system32\DRIVERS\msiscsi.sys
17:49:46.0040 5004 iScsiPrt - ok
17:49:46.0061 5004 [ BCED60D16156E428F8DF8CF27B0DF150 ] iteatapi C:\Windows\system32\drivers\iteatapi.sys
17:49:46.0063 5004 iteatapi - ok
17:49:46.0075 5004 [ 06FA654504A498C30ADCA8BEC4E87E7E ] iteraid C:\Windows\system32\drivers\iteraid.sys
17:49:46.0077 5004 iteraid - ok
17:49:46.0096 5004 [ 37605E0A8CF00CBBA538E753E4344C6E ] kbdclass C:\Windows\system32\DRIVERS\kbdclass.sys
17:49:46.0098 5004 kbdclass - ok
17:49:46.0116 5004 [ 18247836959BA67E3511B62846B9C2E0 ] kbdhid C:\Windows\system32\DRIVERS\kbdhid.sys
17:49:46.0117 5004 kbdhid - ok
17:49:46.0162 5004 [ A911ECAC81F94ADEAFBE8E3F7873EDB0 ] KeyIso C:\Windows\system32\lsass.exe
17:49:46.0165 5004 KeyIso - ok
17:49:46.0185 5004 [ 7A0CF7908B6824D6A2A1D313E5AE3DCA ] KSecDD C:\Windows\system32\Drivers\ksecdd.sys
17:49:46.0203 5004 KSecDD - ok
17:49:46.0239 5004 [ 8078F8F8F7A79E2E6B494523A828C585 ] KtmRm C:\Windows\system32\msdtckrm.dll
17:49:46.0256 5004 KtmRm - ok
17:49:46.0293 5004 [ 05CE901A4472B3FBF9407C94AD1DB693 ] LanmanServer C:\Windows\System32\srvsvc.dll
17:49:46.0299 5004 LanmanServer - ok
17:49:46.0342 5004 [ 2AE2E1628C5D3F1C0A46A67C9FA1DF15 ] LanmanWorkstation C:\Windows\System32\wkssvc.dll
17:49:46.0351 5004 LanmanWorkstation - ok
17:49:46.0402 5004 [ D1C5883087A0C3F1344D9D55A44901F6 ] lltdio C:\Windows\system32\DRIVERS\lltdio.sys
17:49:46.0405 5004 lltdio - ok
17:49:46.0446 5004 [ 2D5A428872F1442631D0959A34ABFF63 ] lltdsvc C:\Windows\System32\lltdsvc.dll
17:49:46.0451 5004 lltdsvc - ok
17:49:46.0484 5004 [ 35D40113E4A5B961B6CE5C5857702518 ] lmhosts C:\Windows\System32\lmhsvc.dll
17:49:46.0487 5004 lmhosts - ok
17:49:46.0547 5004 [ F622A3C0C10A26C1DC789CDEB0B2A4EB ] LMIGuardianSvc C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
17:49:46.0565 5004 LMIGuardianSvc - ok
17:49:46.0597 5004 [ 4F69FAAABB7DB0D43E327C0B6AAB40FC ] LMIInfo C:\Program Files\LogMeIn\x86\RaInfo.sys
17:49:46.0601 5004 LMIInfo - ok
17:49:46.0621 5004 [ CE9E8BF4E9194B29767CDA90F8BDC675 ] LMIMaint C:\Program Files\LogMeIn\x86\RaMaint.exe
17:49:46.0624 5004 LMIMaint - ok
17:49:46.0651 5004 [ 4477689E2D8AE6B78BA34C9AF4CC1ED1 ] lmimirr C:\Windows\system32\DRIVERS\lmimirr.sys
17:49:46.0653 5004 lmimirr - ok
17:49:46.0669 5004 LMIRfsClientNP - ok
17:49:46.0690 5004 [ 3FAA563DDF853320F90259D455A01D79 ] LMIRfsDriver C:\Windows\system32\drivers\LMIRfsDriver.sys
17:49:46.0692 5004 LMIRfsDriver - ok
17:49:46.0707 5004 [ 432618FA75B61059D2C57D6A7E55147A ] LogMeIn C:\Program Files\LogMeIn\x86\LogMeIn.exe
17:49:46.0715 5004 LogMeIn - ok
17:49:46.0742 5004 [ C7E15E82879BF3235B559563D4185365 ] LSI_FC C:\Windows\system32\drivers\lsi_fc.sys
17:49:46.0745 5004 LSI_FC - ok
17:49:46.0759 5004 [ EE01EBAE8C9BF0FA072E0FF68718920A ] LSI_SAS C:\Windows\system32\drivers\lsi_sas.sys
17:49:46.0762 5004 LSI_SAS - ok
17:49:46.0779 5004 [ 912A04696E9CA30146A62AFA1463DD5C ] LSI_SCSI C:\Windows\system32\drivers\lsi_scsi.sys
17:49:46.0782 5004 LSI_SCSI - ok
17:49:46.0797 5004 [ 8F5C7426567798E62A3B3614965D62CC ] luafv C:\Windows\system32\drivers\luafv.sys
17:49:46.0800 5004 luafv - ok
17:49:46.0825 5004 [ 6DFE7F2E8E8A337263AA5C92A215F161 ] MBAMProtector C:\Windows\system32\drivers\mbam.sys
17:49:46.0826 5004 MBAMProtector - ok
17:49:46.0870 5004 [ 43683E970F008C93C9429EF428147A54 ] MBAMService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
17:49:46.0887 5004 MBAMService - ok
17:49:46.0968 5004 [ C226CE46CD17FCE6261A9DE406F01C8B ] McAfee SiteAdvisor Service C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
17:49:46.0970 5004 McAfee SiteAdvisor Service - ok
17:49:47.0043 5004 [ 7047A47C4476ED8865CACF811A709BA9 ] McMPFSvc C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
17:49:47.0048 5004 McMPFSvc - ok
17:49:47.0069 5004 [ 7047A47C4476ED8865CACF811A709BA9 ] mcmscsvc C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
17:49:47.0074 5004 mcmscsvc - ok
17:49:47.0107 5004 [ 7047A47C4476ED8865CACF811A709BA9 ] McNASvc C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
17:49:47.0112 5004 McNASvc - ok
17:49:47.0125 5004 [ 7047A47C4476ED8865CACF811A709BA9 ] McProxy C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
17:49:47.0127 5004 McProxy - ok
17:49:47.0178 5004 [ 6A78931E71218F38B2B4665D2BA79789 ] McShield C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
17:49:47.0183 5004 McShield - ok
17:49:47.0215 5004 [ AEF9BABB8A506BC4CE0451A64AADED46 ] Mcx2Svc C:\Windows\system32\Mcx2Svc.dll
17:49:47.0219 5004 Mcx2Svc - ok
17:49:47.0252 5004 [ 0CEA2D0D3FA284B85ED5B68365114F76 ] mdmxsdk C:\Windows\system32\DRIVERS\mdmxsdk.sys
17:49:47.0253 5004 mdmxsdk - ok
17:49:47.0285 5004 [ 0001CE609D66632FA17B84705F658879 ] megasas C:\Windows\system32\drivers\megasas.sys
17:49:47.0288 5004 megasas - ok
17:49:47.0310 5004 [ C252F32CD9A49DBFC25ECF26EBD51A99 ] MegaSR C:\Windows\system32\drivers\megasr.sys
17:49:47.0320 5004 MegaSR - ok
17:49:47.0385 5004 [ BE15B10EEE9B1B840D872F91C6D06333 ] MemeoBackgroundService C:\Program Files\Memeo\AutoBackupPro\MemeoBackgroundService.exe
17:49:47.0387 5004 MemeoBackgroundService - ok
17:49:47.0420 5004 [ 38995E33939DCA02BEED384C37A0BABB ] mfeapfk C:\Windows\system32\drivers\mfeapfk.sys
17:49:47.0423 5004 mfeapfk - ok
17:49:47.0458 5004 [ ACB64C134E0FA7124FE67A8CC5F02833 ] mfeavfk C:\Windows\system32\drivers\mfeavfk.sys
17:49:47.0463 5004 mfeavfk - ok
17:49:47.0492 5004 [ FB331E460DBAE41B7CBDD72E690D6DA3 ] mfebopk C:\Windows\system32\drivers\mfebopk.sys
17:49:47.0494 5004 mfebopk - ok
17:49:47.0524 5004 [ 8421EF9F71E0595BE68B5D913ED0FE78 ] mfefire C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
17:49:47.0527 5004 mfefire - ok
17:49:47.0561 5004 [ 53891A53ACF0D43088E899DDD7209ACC ] mfefirek C:\Windows\system32\drivers\mfefirek.sys
17:49:47.0578 5004 mfefirek - ok
17:49:47.0601 5004 [ 2F70286021B917F6D69C32C5DB8CD288 ] mfehidk C:\Windows\system32\drivers\mfehidk.sys
17:49:47.0622 5004 mfehidk - ok
17:49:47.0658 5004 [ 9171F3CA5DDD1D6A590B295F90E1E3BB ] mferkdet C:\Windows\system32\drivers\mferkdet.sys
17:49:47.0662 5004 mferkdet - ok
17:49:47.0682 5004 [ 958E4A10C7C2C80714882542934C6912 ] mfevtp C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
17:49:47.0684 5004 mfevtp - ok
17:49:47.0708 5004 [ 07A474725D2DC08759496F58164795CB ] mfewfpk C:\Windows\system32\drivers\mfewfpk.sys
17:49:47.0712 5004 mfewfpk - ok
17:49:47.0801 5004 [ 7C4C76B39D5525C4A465E0BE32528E19 ] Microsoft Office Groove Audit Service C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
17:49:47.0804 5004 Microsoft Office Groove Audit Service - ok
17:49:47.0827 5004 [ 1076FFCFFAAE8385FD62DFCB25AC4708 ] MMCSS C:\Windows\system32\mmcss.dll
17:49:47.0830 5004 MMCSS - ok
17:49:47.0853 5004 [ E13B5EA0F51BA5B1512EC671393D09BA ] Modem C:\Windows\system32\drivers\modem.sys
17:49:47.0855 5004 Modem - ok
17:49:47.0876 5004 [ 0A9BB33B56E294F686ABB7C1E4E2D8A8 ] monitor C:\Windows\system32\DRIVERS\monitor.sys
17:49:47.0878 5004 monitor - ok
17:49:47.0895 5004 [ 5BF6A1326A335C5298477754A506D263 ] mouclass C:\Windows\system32\DRIVERS\mouclass.sys
17:49:47.0897 5004 mouclass - ok
17:49:47.0909 5004 [ 93B8D4869E12CFBE663915502900876F ] mouhid C:\Windows\system32\DRIVERS\mouhid.sys
17:49:47.0911 5004 mouhid - ok
17:49:47.0928 5004 [ BDAFC88AA6B92F7842416EA6A48E1600 ] MountMgr C:\Windows\system32\drivers\mountmgr.sys
17:49:47.0930 5004 MountMgr - ok
17:49:47.0960 5004 [ 46297FA8E30A6007F14118FC2B942FBC ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
17:49:47.0963 5004 MozillaMaintenance - ok
17:49:47.0993 5004 [ 95675C3398DCC084C8D1DC35CC4E9E01 ] MPFP C:\Windows\system32\Drivers\Mpfp.sys
17:49:47.0996 5004 MPFP - ok
17:49:48.0019 5004 [ 511D011289755DD9F9A7579FB0B064E6 ] mpio C:\Windows\system32\drivers\mpio.sys
17:49:48.0022 5004 mpio - ok
17:49:48.0037 5004 [ 22241FEBA9B2DEFA669C8CB0A8DD7D2E ] mpsdrv C:\Windows\system32\drivers\mpsdrv.sys
17:49:48.0039 5004 mpsdrv - ok
17:49:48.0079 5004 [ D1639BA315B0D79DEC49A4B0E1FB929B ] MpsSvc C:\Windows\system32\mpssvc.dll
17:49:48.0098 5004 MpsSvc - ok
17:49:48.0119 5004 [ 4FBBB70D30FD20EC51F80061703B001E ] Mraid35x C:\Windows\system32\drivers\mraid35x.sys
17:49:48.0121 5004 Mraid35x - ok
17:49:48.0147 5004 [ AE3DE84536B6799D2267443CEC8EDBB9 ] MRxDAV C:\Windows\system32\drivers\mrxdav.sys
17:49:48.0150 5004 MRxDAV - ok
17:49:48.0166 5004 [ C4AD205530888404E2B5FC8D9319B119 ] mrxsmb C:\Windows\system32\DRIVERS\mrxsmb.sys
17:49:48.0169 5004 mrxsmb - ok
17:49:48.0194 5004 [ 7F14576D4F7B1930F951FE585201BBA4 ] mrxsmb10 C:\Windows\system32\DRIVERS\mrxsmb10.sys
17:49:48.0199 5004 mrxsmb10 - ok
17:49:48.0208 5004 [ 3268B8C3FA92BFC086355C39B45E9CC9 ] mrxsmb20 C:\Windows\system32\DRIVERS\mrxsmb20.sys
17:49:48.0211 5004 mrxsmb20 - ok
17:49:48.0227 5004 [ 28023E86F17001F7CD9B15A5BC9AE07D ] msahci C:\Windows\system32\drivers\msahci.sys
17:49:48.0229 5004 msahci - ok
17:49:48.0265 5004 [ AAAC4B494DE45836121A40AEC980B631 ] MsDepSvc C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe
17:49:48.0267 5004 MsDepSvc - ok
17:49:48.0284 5004 [ 4468B0F385A86ECDDAF8D3CA662EC0E7 ] msdsm C:\Windows\system32\drivers\msdsm.sys
17:49:48.0287 5004 msdsm - ok
17:49:48.0303 5004 [ FD7520CC3A80C5FC8C48852BB24C6DED ] MSDTC C:\Windows\System32\msdtc.exe
17:49:48.0307 5004 MSDTC - ok
17:49:48.0332 5004 [ A9927F4A46B816C92F461ACB90CF8515 ] Msfs C:\Windows\system32\drivers\Msfs.sys
17:49:48.0334 5004 Msfs - ok
17:49:48.0354 5004 [ 0F400E306F385C56317357D6DEA56F62 ] msisadrv C:\Windows\system32\drivers\msisadrv.sys
17:49:48.0355 5004 msisadrv - ok
17:49:48.0392 5004 [ 85466C0757A23D9A9AECDC0755203CB2 ] MSiSCSI C:\Windows\system32\iscsiexe.dll
17:49:48.0396 5004 MSiSCSI - ok
17:49:48.0404 5004 msiserver - ok
17:49:48.0434 5004 [ 7047A47C4476ED8865CACF811A709BA9 ] MSK80Service C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
17:49:48.0437 5004 MSK80Service - ok
17:49:48.0448 5004 [ D8C63D34D9C9E56C059E24EC7185CC07 ] MSKSSRV C:\Windows\system32\drivers\MSKSSRV.sys
17:49:48.0450 5004 MSKSSRV - ok
17:49:48.0473 5004 [ 1D373C90D62DDB641D50E55B9E78D65E ] MSPCLOCK C:\Windows\system32\drivers\MSPCLOCK.sys
17:49:48.0474 5004 MSPCLOCK - ok
17:49:48.0496 5004 [ B572DA05BF4E098D4BBA3A4734FB505B ] MSPQM C:\Windows\system32\drivers\MSPQM.sys
17:49:48.0497 5004 MSPQM - ok
17:49:48.0516 5004 [ B5614AECB05A9340AA0FB55BF561CC63 ] MsRPC C:\Windows\system32\drivers\MsRPC.sys
17:49:48.0521 5004 MsRPC - ok
17:49:48.0542 5004 [ E384487CB84BE41D09711C30CA79646C ] mssmbios C:\Windows\system32\DRIVERS\mssmbios.sys
17:49:48.0544 5004 mssmbios - ok
17:49:48.0589 5004 MSSQL$SQLEXPRESS - ok
17:49:48.0645 5004 [ F1761C8FB2B25A32C6D63E36BB88C3AE ] MSSQLServerADHelper100 c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE
17:49:48.0648 5004 MSSQLServerADHelper100 - ok
17:49:48.0670 5004 [ 7199C1EEC1E4993CAF96B8C0A26BD58A ] MSTEE C:\Windows\system32\drivers\MSTEE.sys
17:49:48.0672 5004 MSTEE - ok
17:49:48.0684 5004 [ 6DFD1D322DE55B0B7DB7D21B90BEC49C ] Mup C:\Windows\system32\Drivers\mup.sys
17:49:48.0686 5004 Mup - ok
17:49:48.0716 5004 MySQL - ok
17:49:48.0746 5004 [ C43B25863FBD65B6D2A142AF3AE320CA ] napagent C:\Windows\system32\qagentRT.dll
17:49:48.0751 5004 napagent - ok
17:49:48.0776 5004 [ 3C21CE48FF529BB73DADB98770B54025 ] NativeWifiP C:\Windows\system32\DRIVERS\nwifi.sys
17:49:48.0780 5004 NativeWifiP - ok
17:49:48.0807 5004 [ 9BDC71790FA08F0A0B5F10462B1BD0B1 ] NDIS C:\Windows\system32\drivers\ndis.sys
17:49:48.0824 5004 NDIS - ok
17:49:48.0834 5004 [ 0E186E90404980569FB449BA7519AE61 ] NdisTapi C:\Windows\system32\DRIVERS\ndistapi.sys
17:49:48.0836 5004 NdisTapi - ok
17:49:48.0846 5004 [ D6973AA34C4D5D76C0430B181C3CD389 ] Ndisuio C:\Windows\system32\DRIVERS\ndisuio.sys
17:49:48.0848 5004 Ndisuio - ok
17:49:48.0868 5004 [ 3D14C3B3496F88890D431E8AA022A411 ] NdisWan C:\Windows\system32\DRIVERS\ndiswan.sys
17:49:48.0871 5004 NdisWan - ok
17:49:48.0885 5004 [ 71DAB552B41936358F3B541AE5997FB3 ] NDProxy C:\Windows\system32\drivers\NDProxy.sys
17:49:48.0888 5004 NDProxy - ok
17:49:48.0903 5004 [ BCD093A5A6777CF626434568DC7DBA78 ] NetBIOS C:\Windows\system32\DRIVERS\netbios.sys
17:49:48.0905 5004 NetBIOS - ok
17:49:48.0919 5004 [ 7C5FEE5B1C5728507CD96FB4A13E7A02 ] netbt C:\Windows\system32\DRIVERS\netbt.sys
17:49:48.0923 5004 netbt - ok
17:49:48.0928 5004 [ A911ECAC81F94ADEAFBE8E3F7873EDB0 ] Netlogon C:\Windows\system32\lsass.exe
17:49:48.0930 5004 Netlogon - ok
17:49:48.0963 5004 [ C8052711DAECC48B982434C5116CA401 ] Netman C:\Windows\System32\netman.dll
17:49:48.0968 5004 Netman - ok
17:49:48.0984 5004 [ 2EF3BBE22E5A5ACD1428EE387A0D0172 ] netprofm C:\Windows\System32\netprofm.dll
17:49:48.0989 5004 netprofm - ok
17:49:49.0014 5004 [ 0AD5876EF4E9EB77C8F93EB5B2FFF386 ] NetTcpPortSharing C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
17:49:49.0017 5004 NetTcpPortSharing - ok
17:49:49.0082 5004 [ 6E9EDC1020B319E7676387B8CDF2398C ] NETw2v32 C:\Windows\system32\DRIVERS\NETw2v32.sys
17:49:49.0126 5004 NETw2v32 - ok
17:49:49.0146 5004 [ 2E7FB731D4790A1BC6270ACCEFACB36E ] nfrd960 C:\Windows\system32\drivers\nfrd960.sys
17:49:49.0151 5004 nfrd960 - ok
17:49:49.0162 5004 [ 2997B15415F9BBE05B5A4C1C85E0C6A2 ] NlaSvc C:\Windows\System32\nlasvc.dll
17:49:49.0167 5004 NlaSvc - ok
17:49:49.0182 5004 [ ECB5003F484F9ED6C608D6D6C7886CBB ] Npfs C:\Windows\system32\drivers\Npfs.sys
17:49:49.0184 5004 Npfs - ok
17:49:49.0195 5004 [ 8BB86F0C7EEA2BDED6FE095D0B4CA9BD ] nsi C:\Windows\system32\nsisvc.dll
17:49:49.0198 5004 nsi - ok
17:49:49.0218 5004 [ 609773E344A97410CE4EBF74A8914FCF ] nsiproxy C:\Windows\system32\drivers\nsiproxy.sys
17:49:49.0219 5004 nsiproxy - ok
17:49:49.0273 5004 [ B4EFFE29EB4F15538FD8A9681108492D ] Ntfs C:\Windows\system32\drivers\Ntfs.sys
17:49:49.0306 5004 Ntfs - ok
17:49:49.0318 5004 [ E875C093AEC0C978A90F30C9E0DFBB72 ] ntrigdigi C:\Windows\system32\drivers\ntrigdigi.sys
17:49:49.0320 5004 ntrigdigi - ok
17:49:49.0357 5004 [ CF7E041663119E09D2E118521ADA9300 ] NuidFltr C:\Windows\system32\DRIVERS\NuidFltr.sys
17:49:49.0359 5004 NuidFltr - ok
17:49:49.0373 5004 [ C5DBBCDA07D780BDA9B685DF333BB41E ] Null C:\Windows\system32\drivers\Null.sys
17:49:49.0375 5004 Null - ok
17:49:49.0408 5004 [ 1657F3FBD9061526C14FF37E79306F98 ] NVENETFD C:\Windows\system32\DRIVERS\nvm60x32.sys
17:49:49.0416 5004 NVENETFD - ok
17:49:49.0582 5004 [ 2088F34DF31243C79DF3E9F6F774A512 ] nvlddmkm C:\Windows\system32\DRIVERS\nvlddmkm.sys
17:49:49.0704 5004 nvlddmkm - ok
17:49:49.0732 5004 [ 2EDF9E7751554B42CBB60116DE727101 ] nvraid C:\Windows\system32\drivers\nvraid.sys
17:49:49.0735 5004 nvraid - ok
17:49:49.0741 5004 [ ABED0C09758D1D97DB0042DBB2688177 ] nvstor C:\Windows\system32\drivers\nvstor.sys
17:49:49.0743 5004 nvstor - ok
17:49:49.0770 5004 [ A1CE1A6FD74C046F029448FCFA5E386D ] nvstor32 C:\Windows\system32\DRIVERS\nvstor32.sys
17:49:49.0771 5004 nvstor32 - ok
17:49:49.0783 5004 [ 18BBDF913916B71BD54575BDB6EEAC0B ] nv_agp C:\Windows\system32\drivers\nv_agp.sys
17:49:49.0787 5004 nv_agp - ok
17:49:49.0793 5004 NwlnkFlt - ok
17:49:49.0800 5004 NwlnkFwd - ok
17:49:49.0873 5004 [ 1F0E05DFF4F5A833168E49BE1256F002 ] odserv C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
17:49:49.0881 5004 odserv - ok
17:49:49.0903 5004 [ 790E27C3DB53410B40FF9EF2FD10A1D9 ] ohci1394 C:\Windows\system32\DRIVERS\ohci1394.sys
17:49:49.0905 5004 ohci1394 - ok
17:49:49.0932 5004 [ 5A432A042DAE460ABE7199B758E8606C ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
17:49:49.0935 5004 ose - ok
17:49:49.0975 5004 [ 5DE1A3972FD3112C75EB17BDCF454169 ] p2pimsvc C:\Windows\system32\p2psvc.dll
17:49:49.0993 5004 p2pimsvc - ok
17:49:50.0009 5004 [ 5DE1A3972FD3112C75EB17BDCF454169 ] p2psvc C:\Windows\system32\p2psvc.dll
17:49:50.0015 5004 p2psvc - ok
17:49:50.0037 5004 [ 0FA9B5055484649D63C303FE404E5F4D ] Parport C:\Windows\system32\drivers\parport.sys
17:49:50.0039 5004 Parport - ok
17:49:50.0055 5004 [ 3B38467E7C3DAED009DFE359E17F139F ] partmgr C:\Windows\system32\drivers\partmgr.sys
17:49:50.0057 5004 partmgr - ok
17:49:50.0067 5004 [ 4F9A6A8A31413180D0FCB279AD5D8112 ] Parvdm C:\Windows\system32\drivers\parvdm.sys
17:49:50.0068 5004 Parvdm - ok
17:49:50.0103 5004 [ 5FBCC9EEEFACA3019D5BD5979618F298 ] PassThru Service C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
17:49:50.0105 5004 PassThru Service - ok
17:49:50.0134 5004 [ C6276AD11F4BB49B58AA1ED88537F14A ] PcaSvc C:\Windows\System32\pcasvc.dll
17:49:50.0137 5004 PcaSvc - ok
17:49:50.0148 5004 [ 01B94418DEB235DFF777CC80076354B4 ] pci C:\Windows\system32\drivers\pci.sys
17:49:50.0151 5004 pci - ok
17:49:50.0164 5004 [ FC175F5DDAB666D7F4D17449A547626F ] pciide C:\Windows\system32\drivers\pciide.sys
17:49:50.0165 5004 pciide - ok
17:49:50.0195 5004 [ B7C5A8769541900F6DFA6FE0C5E4D513 ] pcmcia C:\Windows\system32\DRIVERS\pcmcia.sys
17:49:50.0199 5004 pcmcia - ok
17:49:50.0238 5004 [ 6EF125721A9F1F7DBF3229786F7DECD0 ] PCTCore C:\Windows\system32\drivers\PCTCore.sys
17:49:50.0243 5004 PCTCore - ok
17:49:50.0257 5004 [ F820B4C61D1E591325B679D479D4EEA4 ] pctDS C:\Windows\system32\drivers\pctDS.sys
17:49:50.0262 5004 pctDS - ok
17:49:50.0280 5004 [ ACC8C15F3D59F17C5D903FF1DE3B43D3 ] pctEFA C:\Windows\system32\drivers\pctEFA.sys
17:49:50.0297 5004 pctEFA - ok
17:49:50.0328 5004 [ 6349F6ED9C623B44B52EA3C63C831A92 ] PEAUTH C:\Windows\system32\drivers\peauth.sys
17:49:50.0345 5004 PEAUTH - ok
17:49:50.0406 5004 [ B1689DF169143F57053F795390C99DB3 ] pla C:\Windows\system32\pla.dll
17:49:50.0429 5004 pla - ok
17:49:50.0454 5004 [ 78F975CB6D18265BE6F492EDB2D7BC7B ] PlugPlay C:\Windows\system32\umpnpmgr.dll
17:49:50.0462 5004 PlugPlay - ok
17:49:50.0508 5004 [ 5DE1A3972FD3112C75EB17BDCF454169 ] PNRPAutoReg C:\Windows\system32\p2psvc.dll
17:49:50.0513 5004 PNRPAutoReg - ok
17:49:50.0533 5004 [ 5DE1A3972FD3112C75EB17BDCF454169 ] PNRPsvc C:\Windows\system32\p2psvc.dll
17:49:50.0539 5004 PNRPsvc - ok
17:49:50.0566 5004 [ 04DF0452FBEDEDF9297FD2E5440CB3C9 ] Point32 C:\Windows\system32\DRIVERS\point32k.sys
17:49:50.0569 5004 Point32 - ok
17:49:50.0612 5004 [ 47B8F37AA18B74D8C2E1BC1A7A2C8F8A ] PolicyAgent C:\Windows\System32\ipsecsvc.dll
17:49:50.0619 5004 PolicyAgent - ok
17:49:50.0655 5004 [ ECFFFAEC0C1ECD8DBC77F39070EA1DB1 ] PptpMiniport C:\Windows\system32\DRIVERS\raspptp.sys
17:49:50.0657 5004 PptpMiniport - ok
17:49:50.0683 5004 [ 2027293619DD0F047C584CF2E7DF4FFD ] Processor C:\Windows\system32\drivers\processr.sys
17:49:50.0684 5004 Processor - ok
17:49:50.0711 5004 [ B627E4FC8585E8843C5905D4D3587A90 ] ProfSvc C:\Windows\system32\profsvc.dll
17:49:50.0715 5004 ProfSvc - ok
17:49:50.0729 5004 [ A911ECAC81F94ADEAFBE8E3F7873EDB0 ] ProtectedStorage C:\Windows\system32\lsass.exe
17:49:50.0731 5004 ProtectedStorage - ok
17:49:50.0758 5004 [ BFEF604508A0ED1EAE2A73E872555FFB ] PSched C:\Windows\system32\DRIVERS\pacer.sys
17:49:50.0760 5004 PSched - ok
17:49:50.0786 5004 [ D24DFD16A1E2A76034DF5AA18125C35D ] PSI C:\Windows\system32\DRIVERS\psi_mf.sys
17:49:50.0787 5004 PSI - ok
17:49:50.0812 5004 [ D970470F8F39470BDAE94D313A1CCDCE ] PxHelp20 C:\Windows\system32\Drivers\PxHelp20.sys
17:49:50.0814 5004 PxHelp20 - ok
17:49:50.0855 5004 [ 91195091F449699B176FE1305DAD40DA ] QBCFMonitorService C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
17:49:50.0856 5004 QBCFMonitorService - ok
17:49:50.0902 5004 [ 6BEE1814470DC12FA20C53DFC3C97EBB ] QBFCService C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
17:49:50.0904 5004 QBFCService - ok
17:49:50.0971 5004 [ 9E5E9AF398D1AE13B67B623D5C695BA9 ] QBVSS C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
17:49:50.0996 5004 QBVSS - ok
17:49:51.0033 5004 [ 0A6DB55AFB7820C99AA1F3A1D270F4F6 ] ql2300 C:\Windows\system32\drivers\ql2300.sys
17:49:51.0058 5004 ql2300 - ok
17:49:51.0070 5004 [ 81A7E5C076E59995D54BC1ED3A16E60B ] ql40xx C:\Windows\system32\drivers\ql40xx.sys
17:49:51.0073 5004 ql40xx - ok
17:49:51.0099 5004 [ E9ECAE663F47E6CB43962D18AB18890F ] QWAVE C:\Windows\system32\qwave.dll
17:49:51.0107 5004 QWAVE - ok
17:49:51.0122 5004 [ 9F5E0E1926014D17486901C88ECA2DB7 ] QWAVEdrv C:\Windows\system32\drivers\qwavedrv.sys
17:49:51.0123 5004 QWAVEdrv - ok
17:49:51.0136 5004 [ 147D7F9C556D259924351FEB0DE606C3 ] RasAcd C:\Windows\system32\DRIVERS\rasacd.sys
17:49:51.0138 5004 RasAcd - ok
17:49:51.0150 5004 [ F6A452EB4CEADBB51C9E0EE6B3ECEF0F ] RasAuto C:\Windows\System32\rasauto.dll
17:49:51.0154 5004 RasAuto - ok
17:49:51.0165 5004 [ A214ADBAF4CB47DD2728859EF31F26B0 ] Rasl2tp C:\Windows\system32\DRIVERS\rasl2tp.sys
17:49:51.0167 5004 Rasl2tp - ok
17:49:51.0179 5004 [ 6E7C284FC5C4EC07AD164D93810385A6 ] RasMan C:\Windows\System32\rasmans.dll
17:49:51.0188 5004 RasMan - ok
17:49:51.0199 5004 [ 3E9D9B048107B40D87B97DF2E48E0744 ] RasPppoe C:\Windows\system32\DRIVERS\raspppoe.sys
17:49:51.0201 5004 RasPppoe - ok
17:49:51.0215 5004 [ A7D141684E9500AC928A772ED8E6B671 ] RasSstp C:\Windows\system32\DRIVERS\rassstp.sys
17:49:51.0218 5004 RasSstp - ok
17:49:51.0232 5004 [ 6E1C5D0457622F9EE35F683110E93D14 ] rdbss C:\Windows\system32\DRIVERS\rdbss.sys
17:49:51.0237 5004 rdbss - ok
17:49:51.0249 5004 [ 89E59BE9A564262A3FB6C4F4F1CD9899 ] RDPCDD C:\Windows\system32\DRIVERS\RDPCDD.sys
17:49:51.0251 5004 RDPCDD - ok
17:49:51.0275 5004 [ FBC0BACD9C3D7F6956853F64A66E252D ] rdpdr C:\Windows\system32\drivers\rdpdr.sys
17:49:51.0279 5004 rdpdr - ok
17:49:51.0286 5004 [ 9D91FE5286F748862ECFFA05F8A0710C ] RDPENCDD C:\Windows\system32\drivers\rdpencdd.sys
17:49:51.0288 5004 RDPENCDD - ok
17:49:51.0311 5004 [ E1C18F4097A5ABCEC941DC4B2F99DB7E ] RDPWD C:\Windows\system32\drivers\RDPWD.sys
17:49:51.0315 5004 RDPWD - ok
17:49:51.0363 5004 [ BCDD6B4804D06B1F7EBF29E53A57ECE9 ] RemoteAccess C:\Windows\System32\mprdim.dll
17:49:51.0366 5004 RemoteAccess - ok
17:49:51.0395 5004 [ CC4E32400F3C7253400CF8F3F3A0B676 ] RemoteRegistry C:\Windows\system32\regsvc.dll
17:49:51.0399 5004 RemoteRegistry - ok
17:49:51.0427 5004 [ 5123F83CBC4349D065534EEB6BBDC42B ] RpcLocator C:\Windows\system32\locator.exe
17:49:51.0429 5004 RpcLocator - ok
17:49:51.0457 5004 [ 301AE00E12408650BADDC04DBC832830 ] RpcSs C:\Windows\system32\rpcss.dll
17:49:51.0464 5004 RpcSs - ok
17:49:51.0491 5004 [ FEDD2710B75BE3ECF078ADACE790C423 ] RsFx0102 C:\Windows\system32\DRIVERS\RsFx0102.sys
17:49:51.0496 5004 RsFx0102 - ok
17:49:51.0522 5004 [ 9C508F4074A39E8B4B31D27198146FAD ] rspndr C:\Windows\system32\DRIVERS\rspndr.sys
17:49:51.0524 5004 rspndr - ok
17:49:51.0557 5004 [ 59B8716084597C9D6D7165835C8479C1 ] RTSTOR C:\Windows\system32\drivers\RTSTOR.SYS
17:49:51.0559 5004 RTSTOR - ok
17:49:51.0567 5004 [ A911ECAC81F94ADEAFBE8E3F7873EDB0 ] SamSs C:\Windows\system32\lsass.exe
17:49:51.0569 5004 SamSs - ok
17:49:51.0588 5004 [ 3CE8F073A557E172B330109436984E30 ] sbp2port C:\Windows\system32\drivers\sbp2port.sys
17:49:51.0591 5004 sbp2port - ok
17:49:51.0640 5004 [ A0C00A6265949AC72AB51B711743CA6D ] SBSDWSCService C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
17:49:51.0646 5004 SBSDWSCService - ok
17:49:51.0677 5004 [ 11387E32642269C7E62E8B52C060B3C6 ] SCardSvr C:\Windows\System32\SCardSvr.dll
17:49:51.0682 5004 SCardSvr - ok
17:49:51.0706 5004 [ 1D5E99DB3C10F4FA034010DC49043CA4 ] Schedule C:\Windows\system32\schedsvc.dll
17:49:51.0723 5004 Schedule - ok
17:49:51.0754 5004 [ 87C2D0377B23E2D8A41093C2F5FB1A5B ] SCPolicySvc C:\Windows\System32\certprop.dll
17:49:51.0756 5004 SCPolicySvc - ok
17:49:51.0779 5004 [ 126EA89BCC413EE45E3004FB0764888F ] sdbus C:\Windows\system32\DRIVERS\sdbus.sys
17:49:51.0782 5004 sdbus - ok
17:49:51.0797 5004 [ 716313D9F6B0529D03F726D5AAF6F191 ] SDRSVC C:\Windows\System32\SDRSVC.dll
17:49:51.0802 5004 SDRSVC - ok
17:49:51.0815 5004 [ 90A3935D05B494A5A39D37E71F09A677 ] secdrv C:\Windows\system32\drivers\secdrv.sys
17:49:51.0817 5004 secdrv - ok
17:49:51.0830 5004 [ FD5199D4D8A521005E4B5EE7FE00FA9B ] seclogon C:\Windows\system32\seclogon.dll
17:49:51.0834 5004 seclogon - ok
17:49:51.0899 5004 [ F70A51EB03EE7046784EF62EFCE9528E ] Secunia PSI Agent C:\Program Files\Secunia\PSI\PSIA.exe
17:49:51.0910 5004 Secunia PSI Agent - ok
17:49:51.0930 5004 [ AD56CEB08EEB517332355FDE9E5939C8 ] Secunia Update Agent C:\Program Files\Secunia\PSI\sua.exe
17:49:51.0947 5004 Secunia Update Agent - ok
17:49:51.0958 5004 [ A9BBAB5759771E523F55563D6CBE140F ] SENS C:\Windows\system32\sens.dll
17:49:51.0962 5004 SENS - ok
17:49:51.0988 5004 [ 68E44E331D46F0FB38F0863A84CD1A31 ] Serenum C:\Windows\system32\drivers\serenum.sys
17:49:51.0990 5004 Serenum - ok
17:49:52.0007 5004 [ C70D69A918B178D3C3B06339B40C2E1B ] Serial C:\Windows\system32\drivers\serial.sys
17:49:52.0010 5004 Serial - ok
17:49:52.0029 5004 [ 8AF3D28A879BF75DB53A0EE7A4289624 ] sermouse C:\Windows\system32\drivers\sermouse.sys
17:49:52.0031 5004 sermouse - ok
17:49:52.0094 5004 servicedesk - ok
17:49:52.0125 5004 [ D2193326F729B163125610DBF3E17D57 ] SessionEnv C:\Windows\system32\sessenv.dll
17:49:52.0130 5004 SessionEnv - ok
17:49:52.0145 5004 [ 3EFA810BDCA87F6ECC24F9832243FE86 ] sffdisk C:\Windows\system32\drivers\sffdisk.sys
17:49:52.0147 5004 sffdisk - ok
17:49:52.0157 5004 [ E95D451F7EA3E583AEC75F3B3EE42DC5 ] sffp_mmc C:\Windows\system32\drivers\sffp_mmc.sys
17:49:52.0159 5004 sffp_mmc - ok
17:49:52.0176 5004 [ 3D0EA348784B7AC9EA9BD9F317980979 ] sffp_sd C:\Windows\system32\drivers\sffp_sd.sys
17:49:52.0178 5004 sffp_sd - ok
17:49:52.0187 5004 [ 46ED8E91793B2E6F848015445A0AC188 ] sfloppy C:\Windows\system32\drivers\sfloppy.sys
17:49:52.0189 5004 sfloppy - ok
17:49:52.0211 5004 [ E1499BD0FF76B1B2FBBF1AF339D91165 ] SharedAccess C:\Windows\System32\ipnathlp.dll
17:49:52.0220 5004 SharedAccess - ok
17:49:52.0240 5004 [ 27F10F348E508243F6254846F8370D0D ] ShellHWDetection C:\Windows\System32\shsvcs.dll
17:49:52.0246 5004 ShellHWDetection - ok
17:49:52.0265 5004 [ 1D76624A09A054F682D746B924E2DBC3 ] sisagp C:\Windows\system32\drivers\sisagp.sys
17:49:52.0267 5004 sisagp - ok
17:49:52.0281 5004 [ 43CB7AA756C7DB280D01DA9B676CFDE2 ] SiSRaid2 C:\Windows\system32\drivers\sisraid2.sys
17:49:52.0283 5004 SiSRaid2 - ok
17:49:52.0293 5004 [ A99C6C8B0BAA970D8AA59DDC50B57F94 ] SiSRaid4 C:\Windows\system32\drivers\sisraid4.sys
17:49:52.0295 5004 SiSRaid4 - ok
17:49:52.0354 5004 [ 0BA91E1358AD25236863039BB2609A2E ] slsvc C:\Windows\system32\SLsvc.exe
17:49:52.0395 5004 slsvc - ok
17:49:52.0411 5004 [ 7C6DC44CA0BFA6291629AB764200D1D4 ] SLUINotify C:\Windows\system32\SLUINotify.dll
17:49:52.0414 5004 SLUINotify - ok
17:49:52.0424 5004 [ 031E6BCD53C9B2B9ACE111EAFEC347B6 ] Smb C:\Windows\system32\DRIVERS\smb.sys
17:49:52.0426 5004 Smb - ok
17:49:52.0441 5004 [ 2A146A055B4401C16EE62D18B8E2A032 ] SNMPTRAP C:\Windows\System32\snmptrap.exe
17:49:52.0444 5004 SNMPTRAP - ok
17:49:52.0456 5004 [ 7AEBDEEF071FE28B0EEF2CDD69102BFF ] spldr C:\Windows\system32\drivers\spldr.sys
17:49:52.0457 5004 spldr - ok
17:49:52.0482 5004 [ 3665F79026A3F91FBCA63F2C65A09B19 ] Spooler C:\Windows\System32\spoolsv.exe
17:49:52.0485 5004 Spooler - ok
17:49:52.0516 5004 [ EB2FD937449B7ACEB39372F875EB8E78 ] SQLAgent$SQLEXPRESS c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE
17:49:52.0523 5004 SQLAgent$SQLEXPRESS - ok
17:49:52.0586 5004 [ 99DE6ACFA5CA83FAD6A765C81C6F129F ] SQLBrowser c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
17:49:52.0591 5004 SQLBrowser - ok
17:49:52.0613 5004 [ 637A0F23F9012358E92E6F99835494D1 ] SQLWriter c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
17:49:52.0615 5004 SQLWriter - ok
17:49:52.0639 5004 [ 3D7C04ABA41AC96BA7E9D123EC8F7FA3 ] srv C:\Windows\system32\DRIVERS\srv.sys
17:49:52.0644 5004 srv - ok
17:49:52.0653 5004 [ 805FAC010405AD3F82EF8DF0BB035D81 ] srv2 C:\Windows\system32\DRIVERS\srv2.sys
17:49:52.0656 5004 srv2 - ok
17:49:52.0668 5004 [ F63A0A58AAFE34D7A1A0A74ABCCDD9C0 ] srvnet C:\Windows\system32\DRIVERS\srvnet.sys
17:49:52.0670 5004 srvnet - ok
17:49:52.0695 5004 [ 03D50B37234967433A5EA5BA72BC0B62 ] SSDPSRV C:\Windows\System32\ssdpsrv.dll
17:49:52.0700 5004 SSDPSRV - ok
17:49:52.0720 5004 [ 6F1A32E7B7B30F004D9A20AFADB14944 ] SstpSvc C:\Windows\system32\sstpsvc.dll
17:49:52.0724 5004 SstpSvc - ok
17:49:52.0750 5004 [ 7DD08A597BC56051F320DA0BAF69E389 ] stisvc C:\Windows\System32\wiaservc.dll
17:49:52.0770 5004 stisvc - ok
17:49:52.0783 5004 [ 7BA58ECF0C0A9A69D44B3DCA62BECF56 ] swenum C:\Windows\system32\DRIVERS\swenum.sys
17:49:52.0785 5004 swenum - ok
17:49:52.0853 5004 [ F577910A133A592234EBAAD3F3AFA258 ] SwitchBoard C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
17:49:52.0870 5004 SwitchBoard - ok
17:49:52.0886 5004 [ B36C7CDB86F7F7A8E884479219766950 ] swprv C:\Windows\System32\swprv.dll
17:49:52.0894 5004 swprv - ok
17:49:52.0909 5004 [ 192AA3AC01DF071B541094F251DEED10 ] Symc8xx C:\Windows\system32\drivers\symc8xx.sys
17:49:52.0911 5004 Symc8xx - ok
17:49:52.0916 5004 SymIM - ok
17:49:52.0925 5004 SymIMMP - ok
17:49:52.0938 5004 [ 8C8EB8C76736EBAF3B13B633B2E64125 ] Sym_hi C:\Windows\system32\drivers\sym_hi.sys
17:49:52.0940 5004 Sym_hi - ok
17:49:52.0952 5004 [ 8072AF52B5FD103BBBA387A1E49F62CB ] Sym_u3 C:\Windows\system32\drivers\sym_u3.sys
17:49:52.0954 5004 Sym_u3 - ok
17:49:52.0977 5004 [ 8710A92D0024B03B5FB9540DF1F71F1D ] SysMain C:\Windows\system32\sysmain.dll
17:49:52.0994 5004 SysMain - ok
17:49:53.0008 5004 [ 2DCA225EAE15F42C0933E998EE0231C3 ] TabletInputService C:\Windows\System32\TabSvc.dll
17:49:53.0012 5004 TabletInputService - ok
17:49:53.0110 5004 [ 629021756C8FC4C579849A823C471CB3 ] TabletServicePen C:\Windows\system32\Pen_Tablet.exe
17:49:53.0176 5004 TabletServicePen - ok
17:49:53.0194 5004 [ 680916BB09EE0F3A6ACA7C274B0D633F ] TapiSrv C:\Windows\System32\tapisrv.dll
17:49:53.0200 5004 TapiSrv - ok
17:49:53.0222 5004 [ CB05822CD9CC6C688168E113C603DBE7 ] TBS C:\Windows\System32\tbssvc.dll
17:49:53.0226 5004 TBS - ok
17:49:53.0289 5004 [ 782568AB6A43160A159B6215B70BCCE9 ] Tcpip C:\Windows\system32\drivers\tcpip.sys
17:49:53.0306 5004 Tcpip - ok
17:49:53.0329 5004 [ 782568AB6A43160A159B6215B70BCCE9 ] Tcpip6 C:\Windows\system32\DRIVERS\tcpip.sys
17:49:53.0336 5004 Tcpip6 - ok
17:49:53.0368 5004 [ D4A2E4A4B011F3A883AF77315A5AE76B ] tcpipreg C:\Windows\system32\drivers\tcpipreg.sys
17:49:53.0370 5004 tcpipreg - ok
17:49:53.0386 5004 [ 5DCF5E267BE67A1AE926F2DF77FBCC56 ] TDPIPE C:\Windows\system32\drivers\tdpipe.sys
17:49:53.0388 5004 TDPIPE - ok
17:49:53.0407 5004 [ 389C63E32B3CEFED425B61ED92D3F021 ] TDTCP C:\Windows\system32\drivers\tdtcp.sys
17:49:53.0409 5004 TDTCP - ok
17:49:53.0422 5004 [ D09276B1FAB033CE1D40DCBDF303D10F ] tdx C:\Windows\system32\DRIVERS\tdx.sys
17:49:53.0425 5004 tdx - ok
17:49:53.0436 5004 [ A048056F5E1A96A9BF3071B91741A5AA ] TermDD C:\Windows\system32\DRIVERS\termdd.sys
17:49:53.0438 5004 TermDD - ok
17:49:53.0460 5004 [ D605031E225AACCBCEB5B76A4F1603A6 ] TermService C:\Windows\System32\termsrv.dll
17:49:53.0477 5004 TermService - ok
17:49:53.0491 5004 [ 27F10F348E508243F6254846F8370D0D ] Themes C:\Windows\system32\shsvcs.dll
17:49:53.0495 5004 Themes - ok
17:49:53.0510 5004 [ 1076FFCFFAAE8385FD62DFCB25AC4708 ] THREADORDER C:\Windows\system32\mmcss.dll
17:49:53.0512 5004 THREADORDER - ok
17:49:53.0528 5004 [ EC74E77D0EB004BD3A809B5F8FB8C2CE ] TrkWks C:\Windows\System32\trkwks.dll
17:49:53.0532 5004 TrkWks - ok
17:49:53.0571 5004 [ 16613A1BAD034D4ECF957AF18B7C2FF5 ] TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe
17:49:53.0573 5004 TrustedInstaller - ok
17:49:53.0608 5004 [ DCF0F056A2E4F52287264F5AB29CF206 ] tssecsrv C:\Windows\system32\DRIVERS\tssecsrv.sys
17:49:53.0610 5004 tssecsrv - ok
17:49:53.0634 5004 [ CAECC0120AC49E3D2F758B9169872D38 ] tunmp C:\Windows\system32\DRIVERS\tunmp.sys
17:49:53.0636 5004 tunmp - ok
17:49:53.0642 5004 [ 119B8184E106BAEDC83FCE5DDF3950DA ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
17:49:53.0644 5004 tunnel - ok
17:49:53.0662 5004 [ 7D33C4DB2CE363C8518D2DFCF533941F ] uagp35 C:\Windows\system32\drivers\uagp35.sys
17:49:53.0664 5004 uagp35 - ok
17:49:53.0683 5004 [ 8B5088058FA1D1CD897A2113CCFF6C58 ] udfs C:\Windows\system32\DRIVERS\udfs.sys
17:49:53.0688 5004 udfs - ok
17:49:53.0718 5004 [ ECEF404F62863755951E09C802C94AD5 ] UI0Detect C:\Windows\system32\UI0Detect.exe
17:49:53.0722 5004 UI0Detect - ok
17:49:53.0738 5004 [ B0ACFDC9E4AF279E9116C03E014B2B27 ] uliagpkx C:\Windows\system32\drivers\uliagpkx.sys
17:49:53.0740 5004 uliagpkx - ok
17:49:53.0756 5004 [ 9224BB254F591DE4CA8D572A5F0D635C ] uliahci C:\Windows\system32\drivers\uliahci.sys
17:49:53.0761 5004 uliahci - ok
17:49:53.0781 5004 [ 8514D0E5CD0534467C5FC61BE94A569F ] UlSata C:\Windows\system32\drivers\ulsata.sys
17:49:53.0785 5004 UlSata - ok
17:49:53.0809 5004 [ 38C3C6E62B157A6BC46594FADA45C62B ] ulsata2 C:\Windows\system32\drivers\ulsata2.sys
17:49:53.0812 5004 ulsata2 - ok
17:49:53.0828 5004 [ 32CFF9F809AE9AED85464492BF3E32D2 ] umbus C:\Windows\system32\DRIVERS\umbus.sys
17:49:53.0830 5004 umbus - ok
17:49:53.0847 5004 [ 68308183F4AE0BE7BF8ECD07CB297999 ] upnphost C:\Windows\System32\upnphost.dll
17:49:53.0856 5004 upnphost - ok
17:49:53.0900 5004 [ 292A25BB75A568AE2C67169BA2C6365A ] usbaudio C:\Windows\system32\drivers\usbaudio.sys
17:49:53.0902 5004 usbaudio - ok
17:49:53.0928 5004 [ CAF811AE4C147FFCD5B51750C7F09142 ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
17:49:53.0930 5004 usbccgp - ok
17:49:53.0946 5004 [ E9476E6C486E76BC4898074768FB7131 ] usbcir C:\Windows\system32\drivers\usbcir.sys
17:49:53.0948 5004 usbcir - ok
17:49:53.0965 5004 [ CEBE90821810E76320155BEBA722FCF9 ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
17:49:53.0966 5004 usbehci - ok
17:49:53.0982 5004 [ CC6B28E4CE39951357963119CE47B143 ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
17:49:53.0986 5004 usbhub - ok
17:49:54.0010 5004 [ 7BDB7B0E7D45AC0402D78B90789EF47C ] usbohci C:\Windows\system32\DRIVERS\usbohci.sys
17:49:54.0011 5004 usbohci - ok
17:49:54.0032 5004 [ E75C4B5269091D15A2E7DC0B6D35F2F5 ] usbprint C:\Windows\system32\DRIVERS\usbprint.sys
17:49:54.0033 5004 usbprint - ok
17:49:54.0072 5004 [ A508C9BD8724980512136B039BBA65E9 ] usbscan C:\Windows\system32\DRIVERS\usbscan.sys
17:49:54.0073 5004 usbscan - ok
17:49:54.0089 5004 [ 87BA6B83C5D19B69160968D07D6E2982 ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
17:49:54.0090 5004 USBSTOR - ok
17:49:54.0103 5004 [ 814D653EFC4D48BE3B04A307ECEFF56F ] usbuhci C:\Windows\system32\DRIVERS\usbuhci.sys
17:49:54.0105 5004 usbuhci - ok
17:49:54.0128 5004 [ EE181A08E09DB23CF4A49B46A1E66BB8 ] usb_rndisx C:\Windows\system32\DRIVERS\usb8023x.sys
17:49:54.0130 5004 usb_rndisx - ok
17:49:54.0153 5004 [ 032A0ACC3909AE7215D524E29D536797 ] UxSms C:\Windows\System32\uxsms.dll
17:49:54.0157 5004 UxSms - ok
17:49:54.0162 5004 VClone - ok
17:49:54.0174 5004 [ B13BC395B9D6116628F5AF47E0802AC4 ] vds C:\Windows\System32\vds.exe
17:49:54.0181 5004 vds - ok
17:49:54.0195 5004 [ 87B06E1F30B749A114F74622D013F8D4 ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
17:49:54.0197 5004 vga - ok
17:49:54.0206 5004 [ 2E93AC0A1D8C79D019DB6C51F036636C ] VgaSave C:\Windows\System32\drivers\vga.sys
17:49:54.0208 5004 VgaSave - ok
17:49:54.0220 5004 [ 5D7159DEF58A800D5781BA3A879627BC ] viaagp C:\Windows\system32\drivers\viaagp.sys
17:49:54.0222 5004 viaagp - ok
17:49:54.0234 5004 [ C4F3A691B5BAD343E6249BD8C2D45DEE ] ViaC7 C:\Windows\system32\drivers\viac7.sys
17:49:54.0235 5004 ViaC7 - ok
17:49:54.0248 5004 [ AADF5587A4063F52C2C3FED7887426FC ] viaide C:\Windows\system32\drivers\viaide.sys
17:49:54.0249 5004 viaide - ok
17:49:54.0256 5004 [ 69503668AC66C77C6CD7AF86FBDF8C43 ] volmgr C:\Windows\system32\drivers\volmgr.sys
17:49:54.0258 5004 volmgr - ok
17:49:54.0272 5004 [ 98F5FFE6316BD74E9E2C97206C190196 ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
17:49:54.0277 5004 volmgrx - ok
17:49:54.0287 5004 [ D8B4A53DD2769F226B3EB374374987C9 ] volsnap C:\Windows\system32\drivers\volsnap.sys
17:49:54.0291 5004 volsnap - ok
17:49:54.0312 5004 [ 587253E09325E6BF226B299774B728A9 ] vsmraid C:\Windows\system32\drivers\vsmraid.sys
17:49:54.0315 5004 vsmraid - ok
17:49:54.0355 5004 [ D5FB73D19C46ADE183F968E13F186B23 ] VSS C:\Windows\system32\vssvc.exe
17:49:54.0381 5004 VSS - ok
17:49:54.0426 5004 [ 1CF9206966A8458CDA9A8B20DF8AB7D3 ] W32Time C:\Windows\system32\w32time.dll
17:49:54.0434 5004 W32Time - ok
17:49:54.0535 5004 [ 3BE6FB7ACD994D6EEE9836C4E36F1FFC ] W3SVC C:\Windows\system32\inetsrv\iisw3adm.dll
17:49:54.0543 5004 W3SVC - ok
17:49:54.0631 5004 [ 826A053968D0FAF39AFD8AECFF580CB6 ] wacmoumonitor C:\Windows\system32\DRIVERS\wacmoumonitor.sys
17:49:54.0633 5004 wacmoumonitor - ok
17:49:54.0668 5004 [ 427A8BC96F16C40DF81C2D2F4EDD32DD ] wacommousefilter C:\Windows\system32\DRIVERS\wacommousefilter.sys
17:49:54.0670 5004 wacommousefilter - ok
17:49:54.0685 5004 [ 48DFEE8F1AF7C8235D4E626F0C4FE031 ] WacomPen C:\Windows\system32\drivers\wacompen.sys
17:49:54.0687 5004 WacomPen - ok
17:49:54.0695 5004 [ 51D580F30D1A1F2EA4965AF6ABC2BCB2 ] wacomvhid C:\Windows\system32\DRIVERS\wacomvhid.sys
17:49:54.0696 5004 wacomvhid - ok
17:49:54.0709 5004 [ 889459833432B161CB99CFDF84A1A9BB ] WacomVKHid C:\Windows\system32\DRIVERS\WacomVKHid.sys
17:49:54.0710 5004 WacomVKHid - ok
17:49:54.0725 5004 [ 799C84CE3BD9600172AA53B4EAD8357A ] WacomVTHid C:\Windows\system32\DRIVERS\WacomVTHid.sys
17:49:54.0727 5004 WacomVTHid - ok
17:49:54.0742 5004 [ 55201897378CCA7AF8B5EFD874374A26 ] Wanarp C:\Windows\system32\DRIVERS\wanarp.sys
17:49:54.0744 5004 Wanarp - ok
17:49:54.0749 5004 [ 55201897378CCA7AF8B5EFD874374A26 ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
17:49:54.0751 5004 Wanarpv6 - ok
17:49:54.0769 5004 [ 3BE6FB7ACD994D6EEE9836C4E36F1FFC ] WAS C:\Windows\system32\inetsrv\iisw3adm.dll
17:49:54.0772 5004 WAS - ok
17:49:54.0800 5004 [ F3A5C2E1A6533192B070D06ECF6BE796 ] wcncsvc C:\Windows\System32\wcncsvc.dll
17:49:54.0806 5004 wcncsvc - ok
17:49:54.0821 5004 [ 11BCB7AFCDD7AADACB5746F544D3A9C7 ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
17:49:54.0825 5004 WcsPlugInService - ok
17:49:54.0841 5004 [ 78FE9542363F297B18C027B2D7E7C07F ] Wd C:\Windows\system32\drivers\wd.sys
17:49:54.0843 5004 Wd - ok
17:49:54.0893 5004 [ A1A36682DF22777834E1C37F3C79AEC2 ] WDBtnMgrSvc.exe C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
17:49:54.0895 5004 WDBtnMgrSvc.exe - ok
17:49:54.0932 5004 [ 9950E3D0F08141C7E89E64456AE7DC73 ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
17:49:54.0949 5004 Wdf01000 - ok
17:49:54.0961 5004 [ ABFC76B48BB6C96E3338D8943C5D93B5 ] WdiServiceHost C:\Windows\system32\wdi.dll
17:49:54.0964 5004 WdiServiceHost - ok
17:49:54.0977 5004 [ ABFC76B48BB6C96E3338D8943C5D93B5 ] WdiSystemHost C:\Windows\system32\wdi.dll
17:49:54.0981 5004 WdiSystemHost - ok
17:49:54.0996 5004 [ CF9A5F41789B642DB967021DE06A2713 ] WebClient C:\Windows\System32\webclnt.dll
17:49:55.0002 5004 WebClient - ok
17:49:55.0016 5004 [ 905214925A88311FCE52F66153DE7610 ] Wecsvc C:\Windows\system32\wecsvc.dll
17:49:55.0019 5004 Wecsvc - ok
17:49:55.0036 5004 [ 670FF720071ED741206D69BD995EA453 ] wercplsupport C:\Windows\System32\wercplsupport.dll
17:49:55.0039 5004 wercplsupport - ok
17:49:55.0056 5004 [ FD1965AAA112C6818A30AB02742D0461 ] WerSvc C:\Windows\System32\WerSvc.dll
17:49:55.0060 5004 WerSvc - ok
17:49:55.0091 5004 [ CF27EDAC75C87F2B776D9218F02F8301 ] winachsf C:\Windows\system32\DRIVERS\HSX_CNXT.sys
17:49:55.0108 5004 winachsf - ok
17:49:55.0170 5004 [ 4575AA12561C5648483403541D0D7F2B ] WinDefend C:\Program Files\Windows Defender\mpsvc.dll
17:49:55.0175 5004 WinDefend - ok
17:49:55.0185 5004 WinHttpAutoProxySvc - ok
17:49:55.0239 5004 [ 00B79A7C984678F24CF052E5BEB3A2F5 ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
17:49:55.0243 5004 Winmgmt - ok
17:49:55.0279 5004 [ 20FC93FDC916843CFDFCAA7A1B0DB16F ] WinRM C:\Windows\system32\WsmSvc.dll
17:49:55.0297 5004 WinRM - ok
17:49:55.0341 5004 [ 275F4346E569DF56CFB95243BD6F6FF0 ] Wlansvc C:\Windows\System32\wlansvc.dll
17:49:55.0359 5004 Wlansvc - ok
17:49:55.0383 5004 [ 2E7255D172DF0B8283CDFB7B433B864E ] WmiAcpi C:\Windows\system32\drivers\wmiacpi.sys
17:49:55.0384 5004 WmiAcpi - ok
17:49:55.0418 5004 [ ABA4CF9F856D9A3A25F4DDD7690A6E9D ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
17:49:55.0422 5004 wmiApSrv - ok
17:49:55.0472 5004 [ 3978704576A121A9204F8CC49A301A9B ] WMPNetworkSvc C:\Program Files\Windows Media Player\wmpnetwk.exe
17:49:55.0489 5004 WMPNetworkSvc - ok
17:49:55.0541 5004 [ 5D94CD167751294962BA238D82DD1BB8 ] WPCSvc C:\Windows\System32\wpcsvc.dll
17:49:55.0547 5004 WPCSvc - ok
17:49:55.0557 5004 [ 396D406292B0CD26E3504FFE82784702 ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
17:49:55.0562 5004 WPDBusEnum - ok
17:49:55.0587 5004 [ 0CEC23084B51B8288099EB710224E955 ] WpdUsb C:\Windows\system32\DRIVERS\wpdusb.sys
17:49:55.0589 5004 WpdUsb - ok
17:49:55.0611 5004 [ E3A3CB253C0EC2494D4A61F5E43A389C ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
17:49:55.0613 5004 ws2ifsl - ok
17:49:55.0643 5004 [ 683DD16B590372F2C9661D277F35E49C ] wscsvc C:\Windows\system32\wscsvc.dll
17:49:55.0648 5004 wscsvc - ok
17:49:55.0654 5004 WSearch - ok
17:49:55.0691 5004 [ F37569C373A4475007835ED77593475C ] WTouchService C:\Program Files\WTouch\WTouchService.exe
17:49:55.0693 5004 WTouchService - ok
17:49:55.0763 5004 [ 6298277B73C77FA99106B271A7525163 ] wuauserv C:\Windows\system32\wuaueng.dll
17:49:55.0804 5004 wuauserv - ok
17:49:55.0833 5004 [ AC13CB789D93412106B0FB6C7EB2BCB6 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
17:49:55.0836 5004 WUDFRd - ok
17:49:55.0865 5004 [ 575A4190D989F64732119E4114045A4F ] wudfsvc C:\Windows\System32\WUDFSvc.dll
17:49:55.0871 5004 wudfsvc - ok
17:49:55.0893 5004 [ 5A7FF9A18FF6D7E0527FE3ABF9204EF8 ] XAudio C:\Windows\system32\DRIVERS\xaudio.sys
17:49:55.0895 5004 XAudio - ok
17:49:55.0918 5004 [ 28DC5D626E036A75A572556F0A6EB1F6 ] XAudioService C:\Windows\system32\DRIVERS\xaudio.exe
17:49:55.0927 5004 XAudioService - ok
17:49:55.0964 5004 [ 7D1F3B131D503EF43EE594B5A2B9B427 ] yukonwlh C:\Windows\system32\DRIVERS\yk60x86.sys
17:49:55.0969 5004 yukonwlh - ok
17:49:55.0980 5004 ================ Scan global ===============================
17:49:56.0006 5004 [ F31EEBC1A1C81FD04005489CC3DCDFE7 ] C:\Windows\system32\basesrv.dll
17:49:56.0045 5004 [ 8B05FAF8603E6FDE90C5B103761CC3F6 ] C:\Windows\system32\winsrv.dll
17:49:56.0076 5004 [ 8B05FAF8603E6FDE90C5B103761CC3F6 ] C:\Windows\system32\winsrv.dll
17:49:56.0116 5004 [ 2B336AB6286D6C81FA02CBAB914E3C6C ] C:\Windows\system32\services.exe
17:49:56.0125 5004 [Global] - ok
17:49:56.0125 5004 ================ Scan MBR ==================================
17:49:56.0144 5004 [ 5C616939100B85E558DA92B899A0FC36 ] \Device\Harddisk0\DR0
17:49:56.0348 5004 \Device\Harddisk0\DR0 - ok
17:49:56.0363 5004 [ DDAE9D649DB12F6AFF24483F2C298989 ] \Device\Harddisk1\DR1
17:49:56.0376 5004 \Device\Harddisk1\DR1 - ok
17:49:56.0379 5004 ================ Scan VBR ==================================
17:49:56.0384 5004 [ 281333A901BDA888EE86AB2D285ABF2F ] \Device\Harddisk0\DR0\Partition1
17:49:56.0388 5004 \Device\Harddisk0\DR0\Partition1 - ok
17:49:56.0396 5004 [ 8FB3E7DA8A866E890FBB7F30328E81E0 ] \Device\Harddisk0\DR0\Partition2
17:49:56.0398 5004 \Device\Harddisk0\DR0\Partition2 - ok
17:49:56.0408 5004 [ 686628A5BC6ECD154DFFAA972BE66FC0 ] \Device\Harddisk1\DR1\Partition1
17:49:56.0409 5004 \Device\Harddisk1\DR1\Partition1 - ok
17:49:56.0411 5004 ============================================================
17:49:56.0411 5004 Scan finished
17:49:56.0411 5004 ============================================================
17:49:56.0431 5096 Detected object count: 1
17:49:56.0431 5096 Actual detected object count: 1
17:50:57.0362 5096 Akamai ( HiddenFile.Multi.Generic ) - skipped by user
17:50:57.0362 5096 Akamai ( HiddenFile.Multi.Generic ) - User select action: Skip


I then ran aswMBR. Here is the log from that:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-27 17:54:25
-----------------------------
17:54:25.499 OS Version: Windows 6.0.6001 Service Pack 1
17:54:25.499 Number of processors: 2 586 0x4303
17:54:25.502 ComputerName: KATE-PC UserName: Kate
17:54:43.806 Initialize success
17:55:53.871 AVAST engine download error: 0
17:56:34.960 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005f
17:56:34.971 Disk 0 Vendor: WDC_WD32 01.0 Size: 305245MB BusType: 6
17:56:34.992 Disk 0 MBR read successfully
17:56:35.006 Disk 0 MBR scan
17:56:35.016 Disk 0 Windows VISTA default MBR code
17:56:35.024 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 11209 MB offset 63
17:56:35.041 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 294034 MB offset 22956885
17:56:35.046 Disk 0 scanning sectors +625140400
17:56:35.128 Disk 0 scanning C:\Windows\system32\drivers
17:56:39.423 Service scanning
17:56:51.447 Modules scanning
17:57:10.247 Disk 0 trace - called modules:
17:57:10.273 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys acpi.sys hal.dll storport.sys nvstor32.sys
17:57:10.281 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87164ac8]
17:57:10.291 3 CLASSPNP.SYS[8ada2745] -> nt!IofCallDriver -> [0x869ef528]
17:57:10.302 5 PCTCore.sys[835d0099] -> nt!IofCallDriver -> [0x860dda28]
17:57:10.313 7 acpi.sys[8340e6a0] -> nt!IofCallDriver -> \Device\0000005f[0x8606fc90]
17:57:10.325 Scan finished successfully
18:03:36.695 Disk 0 MBR has been saved successfully to "C:\Users\Kate\Desktop\MBR.dat"
18:03:36.702 The log file has been saved successfully to "C:\Users\Kate\Desktop\aswMBR.txt"
18:04:27.040 Disk 0 MBR has been saved successfully to "Z:\Documents and Settings\HP_Administrator\Desktop\MBR.dat"
18:04:27.090 The log file has been saved successfully to "Z:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"

One important issue that seems to have come up only after the first series of runs including ComboFix:

The apparently infected PC can now connect to other machines on our inhouse network, but those machines can't connect to it.
I haven't had time to determine if that's just a matter of needing to fine-tune Windows firewall configurations; I slapped that
firewall on as a safety stopgap because McAfee firewall can't be started.

And, finally: MS Access 2000 still can't run. I start it up, get a screen that shows recently opened database files, and
when I select one the application vanishes. The Access.exe process shows as running in Task Manager, but the program can't be,
uh, accessed.

Thanks,

J

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 27 August 2012 - 11:50 PM

Greetings Editor in NC


After my last message I restarted PC again. Windows firewall stayed in place on restart, flagged a couple of
things it found suspicious, one of which had the name "Akamai."

This file is legit, but I will stop it from running later in the cleanup.



The apparently infected PC can now connect to other machines on our inhouse network, but those machines can't connect to it.
I haven't had time to determine if that's just a matter of needing to fine-tune Windows firewall configurations; I slapped that
firewall on as a safety stopgap because McAfee firewall can't be started.

Here you've got me. The best I can do is, if by the time we are done it still does not work, send you over to the networking forum.

And, finally: MS Access 2000 still can't run. I start it up, get a screen that shows recently opened database files, and
when I select one the application vanishes. The Access.exe process shows as running in Task Manager, but the program can't be,
uh, accessed.

I think with this one, reinstalling it when we are done should clear it up.



At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

DDS::
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 Editor in NC (Topic Starter)

Posted 28 August 2012 - 09:59 AM

Morning, Gringo.

It took forever, but here's what ComboFix reported after being run with the script:

ComboFix 12-08-25.04 - Kate 08/28/2012 11:35:26.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1321 [GMT -4:00]
Running from: c:\users\Kate\Desktop\ComboFix.exe
Command switches used :: c:\users\Kate\Desktop\CFScript.txt
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-28 )))))))))))))))))))))))))))))))
.
.
2012-08-28 15:46 . 2012-08-28 15:46 -------- d-----w- c:\users\Publisher\AppData\Local\temp
2012-08-28 15:46 . 2012-08-28 15:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-27 19:47 . 2012-08-28 15:47 -------- d-----w- c:\users\Kate\AppData\Local\temp
2012-08-26 23:52 . 2012-08-26 23:52 -------- d-----w- C:\Sam
2012-08-20 20:30 . 2012-08-20 20:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-20 20:30 . 2012-08-20 20:30 -------- d-----w- c:\programdata\Malwarebytes
2012-08-20 20:30 . 2012-07-03 17:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-20 20:07 . 2012-08-20 20:07 -------- d-----w- C:\kleaner.tmp
2012-08-09 17:17 . 2012-04-20 20:40 146872 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
2012-07-30 17:21 . 2012-07-30 17:21 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2012-07-30 17:20 . 2012-07-30 17:20 -------- d-----w- c:\program files\Common Files\xing shared
2012-07-30 17:20 . 2012-07-30 17:20 150736 ----a-w- c:\program files\Mozilla Firefox\plugins\nppl3260.dll
2012-07-30 17:20 . 2012-07-30 17:20 129176 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpplugin.dll
2012-07-30 17:17 . 2012-07-30 17:17 -------- d-----w- c:\program files\Amazon Browser Bar
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-14 23:34 . 2012-04-30 20:53 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-14 23:34 . 2011-06-02 19:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-30 17:19 . 2003-03-18 11:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-06-29 08:44 . 2012-07-17 06:09 6891424 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C543FA18-136A-4FD9-8912-2207C13D52F5}\mpengine.dll
2012-06-22 11:58 . 2010-05-08 10:21 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-06-22 11:55 . 2010-05-08 10:21 206784 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2012-06-22 11:53 . 2010-05-08 10:21 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-06-22 11:53 . 2010-05-08 10:21 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-06-22 11:52 . 2010-05-08 10:21 554048 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-06-22 11:51 . 2010-05-08 10:21 360792 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-06-22 11:51 . 2010-05-08 10:21 61912 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-06-22 11:50 . 2010-05-08 10:21 230224 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-06-22 11:50 . 2010-05-08 10:21 127992 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-05-31 16:25 . 2011-02-17 21:35 237072 ------w- c:\windows\system32\MpSigStub.exe
2008-10-28 17:52 . 2008-10-28 17:52 7390 ----a-w- c:\program files\xpress.reg
2008-10-28 17:52 . 2008-10-28 17:52 4859904 ----a-w- c:\program files\QuarkXPress.exe
2012-07-27 18:32 . 2012-03-11 22:08 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-27_19.36.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2012-08-28 14:45 91920 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2012-08-28 14:45 91254 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-27 23:07 . 2012-08-28 14:45 17528 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-211023370-562865107-2750974251-1000_UserData.bin
- 2012-08-27 19:29 . 2012-08-27 19:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-28 14:42 . 2012-08-28 14:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-27 19:29 . 2012-08-27 19:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-28 14:42 . 2012-08-28 14:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-27 22:30 . 2012-08-28 14:42 212992 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-27 22:30 . 2012-08-27 19:32 212992 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-27 22:30 . 2012-08-28 14:42 393216 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-27 22:30 . 2012-08-27 19:32 393216 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-27 22:30 . 2012-08-28 14:42 2883584 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-27 22:30 . 2012-08-27 19:32 2883584 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-08-15 15:03 . 2012-08-28 13:11 10392096 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2012-08-15 15:03 . 2012-08-27 19:28 10392096 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F443A627-5009-4323-9C1D-7FD598D0D712}]
2012-05-10 00:05 1607472 ----a-w- c:\program files\Amazon Browser Bar\AmazonBrowserBar.3.0.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2010-09-24 222496]
"Akamai NetSession Interface"="c:\users\Kate\AppData\Local\Akamai\netsession_win.exe" [2012-08-10 4440896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-11 81920]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-07-24 450560]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-06-22 1271968]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-31 4702208]
"QuickBooksDB18"="c:\quickbooks 2008\QBDBMgrN.exe" [2006-09-13 128536]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe" [2007-04-16 259624]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-09-30 2215768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"ButtonMonitor"="c:\program files\IOI\ButtonMonitor.exe" [2007-05-11 53248]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2011-03-20 611712]
"ISTray"="c:\program files\Spy Doctor PC Tools Security\pctsGui.exe" [2010-12-01 1589208]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-11-05 1468256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-07-30 296096]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2011-11-9 5969752]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-11-9 1156968]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks 2011\QBW32.EXE [2011-11-9 1178984]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2012-6-27 572000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"LocalAccountTokenFilterPolicy"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Event Planner Reminder.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Event Planner Reminder.lnk
backup=c:\windows\pss\Event Planner Reminder.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Kate^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Legalsounds Download Manager.lnk]
path=c:\users\Kate\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Legalsounds Download Manager.lnk
backup=c:\windows\pss\Legalsounds Download Manager.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Kate^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^TimeLeft.lnk]
backup=c:\windows\pss\TimeLeft.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 08:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FontExpertType1Loader]
2011-10-31 16:52 294776 ----a-w- c:\fontexpert\Type1Loader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-18 03:41 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"Memeo AutoSync"=c:\program files\Memeo\AutoSync\MemeoLauncher2.exe --silent
"WD Anywhere Backup"=c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe --silent
"Memeo Backup Premium"=c:\program files\Memeo\AutoBackupPro\MemeoLauncher2.exe --silent --no_ui
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe"
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
"ISTray"="c:\spyware doctor\pctsTray.exe"
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"QuickBooksDB18"=c:\quickbooks 2008\QBDBMgrN.exe -n QB_KATE-PC_18 -qs -gd ALL -gk all -gp 4096 -gu all -ch 64M -c 32M -x tcpip(BroadcastListener=NO;port=10180) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe c:\users\Kate\AppData\Local\Intuit\QUICKB~1\Log\DBSTAR~1.LOG -y
"FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
"NvSvc"=RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 0042391345679304mcinstcleanup;McAfee Application Installer Cleanup (0042391345679304);c:\windows\TEMP\0042391345679304mcinst.exe [x]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 23:34]
.
2012-03-10 c:\windows\Tasks\GlaryInitialize.job
- c:\glary utilities pro\Glary Utilities\initialize.exe [2010-01-14 15:08]
.
2012-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 05:26]
.
2012-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-13 05:26]
.
2012-08-28 c:\windows\Tasks\User_Feed_Synchronization-{28FCB36E-94DD-4004-B5EB-B8FB14D69476}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Software
IE: Software\PepiMK Software
IE: Software\PepiMK Software\SpybotSnD
Trusted Zone: ebay.com
Trusted Zone: listen.com\www
TCP: DhcpNameServer = 192.168.1.1
DPF: {0AD584EB-F10F-46F7-BCB8-1085C386BEAE} - hxxps://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom2009.cab
DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1_2009.cab
DPF: {788539E8-002D-4E59-9089-40B694A99C9A} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2008.cab
FF - ProfilePath - c:\users\Kate\AppData\Roaming\Mozilla\Firefox\Profiles\uimbrxzi.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-28 11:46
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_4f7fccd.dll"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(856)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'Explorer.exe'(388)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2012-08-28 11:56:23
ComboFix-quarantined-files.txt 2012-08-28 15:56
ComboFix2.txt 2012-08-27 19:46
.
Pre-Run: 80,996,544,512 bytes free
Post-Run: 80,952,270,848 bytes free
.
- - End Of File - - B35C2D559F3FFB3FD956603318873DA6

All the browsers and Quickbooks gave the "illegal operation attempted on a registry key that has been marked for deletion" error, which disappeared after a restart. But Access continues to fail on file-open, and the PC rejects any attempt to log in or even ping.

On the LAN log-in issue, I've determined that the affected machine won't return a Ping from
other stations on the network. Browsing in networking forums I've seen that this is likely due to
either badly configured firewalls, or duplicate firewalls running simultaneously. Unfortunately,
just turning off the Windows firewall doesn't seem to fix the problem. I see from Task Manager that
some portion of McAfee is still running, though I can't get at its admin interface, and I can't
shut down the process. So I'm guessing the solution for the log-in problem lies there after we kill
whatever is stopping McAfee from running normally.
Meanwhile, we're able to communicate from the sick machine to the other stations, moving files
elsewhere if needed (especially a big Access database that's crucial to our business) so we can
function at something like a normal level.

Bottom line: No real change in performance since yesterday. Still can't use Access, can't control
McAfee, everything runs very sluggishly but Task Manager doesn't show significant resource usage that
I can spot.


Thanks,

J

Edited by Editor in NC, 28 August 2012 - 05:46 PM.
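
The ComboFix log above is the sort of thing the Malware Response Team triages by eye: Run-key values and R2/S2 service lines, each with an image path and either a [date size] stamp or [x] for a file that is no longer on disk. As an added example that is not part of this thread, and not a tool gringo or ComboFix provides, the Python script below parses lines in that format and flags entries whose image sits in a user-writable location (user profile, AppData, ProgramData, TEMP) or whose file is marked [x]. The sample log embedded in it is constructed from a few lines of the post above; the flagging rules are assumptions of mine, and a hit only means the entry deserves a look. The Akamai NetSession entry it flags is the same one gringo called legit.

```python
"""Triage ComboFix-style autostart entries: flag images in user-writable
locations and files ComboFix marked missing ("[x]"). A hit means "look
at this", not "malicious"."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on ComboFix "Reg Loading Points" and service
# lines; a handful of lines, not a full log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Akamai NetSession Interface"="c:\users\Kate\AppData\Local\Akamai\netsession_win.exe" [2012-08-10 4440896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-11 8530464]
"NvSvc"=RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
.
R2 0042391345679304mcinstcleanup;McAfee Application Installer Cleanup (0042391345679304);c:\windows\TEMP\0042391345679304mcinst.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [x]
"""

# Heuristic list of my own (not ComboFix's): paths a normal user can write to.
WRITABLE_LOCATIONS = (
    ("\\users\\", "user profile"),
    ("\\documents and settings\\", "user profile"),
    ("\\appdata\\", "AppData"),
    ("\\programdata\\", "ProgramData"),
    ("\\temp\\", "TEMP"),
)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.+)$')
SERVICE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);[^;]*;(?P<rest>.+)$")
META = re.compile(r"\s*\[(?P<meta>[^\]]*)\]\s*$")  # trailing "[date size]" or "[x]"
EXE_EXT = re.compile(r"\.(exe|dll|sys|cpl|scr)\b", re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # "run" or "service"
    name: str      # value name or service name
    image: str     # executable or DLL the entry loads
    reasons: list = field(default_factory=list)


def _image_path(command):
    """Return the executable (or, for rundll32, the hosted DLL) a command loads."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end]
        command = command[1:]
    m = EXE_EXT.search(command)
    if not m:
        return command.split(" ")[0]
    image = command[:m.end()]
    if image.lower().endswith("rundll32.exe"):
        return _image_path(command[m.end():])  # the DLL is what matters
    return image


def _reasons(image, meta):
    low = image.lower()
    reasons = []
    for needle, label in WRITABLE_LOCATIONS:
        if needle in low:
            reasons.append(f"image under user-writable location ({label})")
            break
    if meta.lower() == "x":
        reasons.append("file missing on disk ([x])")
    return reasons


def triage(log_text):
    """Return a Finding for every flagged Run value or service, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m, kind = RUN_VALUE.match(line), "run"
        if not m:
            m, kind = SERVICE.match(line), "service"
        if not m:
            continue
        rest = m.group("rest")
        meta = META.search(rest)                     # "[date size]" / "[x]" / absent
        command = rest[:meta.start()] if meta else rest
        image = _image_path(command)
        reasons = _reasons(image, meta.group("meta").strip() if meta else "")
        if reasons:
            findings.append(Finding(kind, m.group("name"), image, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8}{f.name}: {f.image}  <- {'; '.join(f.reasons)}")
```

Run it as a script to print the flagged entries, or call triage() on the text of a saved ComboFix.txt. Cross-check any [x] entry against the "Files Created" section before acting on it: a service whose file is gone can be a leftover uninstall, as the McAfee cleanup entry here appears to be, as easily as malware residue.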


#10 Editor in NC (Topic Starter)

Posted 28 August 2012 - 11:00 AM

... still can't ping the machine ...

Edited by Editor in NC, 28 August 2012 - 05:47 PM.


#11 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 28 August 2012 - 07:30 PM

Uninstall McAfee and see how things are after



gringo

#12 Editor in NC (Topic Starter)

Posted 28 August 2012 - 07:35 PM

Haven't been able to, so far. I tried to uninstall the usual way through control panel, and got blank white screen -- same thing that comes up when I try to start McAfee.

I found a download from McAfee of an uninstall utility (MCPR) which I'm running now. We shall see ...

Edited by Editor in NC, 28 August 2012 - 08:06 PM.


#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 28 August 2012 - 08:06 PM

Download the removal tool from:

http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
  • Click Save and save the file to any folder on your computer.
  • Navigate to the folder where the file is saved.
  • Make sure all McAfee windows are closed.
  • Double-click MCPR.EXE to run the removal tool.
    • Note: Windows Vista users must right-click MCPR.EXE and select Run as Administrator.
  • Restart your computer after receiving the message CleanUp Successful.


#14 Editor in NC (Topic Starter)

Posted 28 August 2012 - 08:29 PM

Successfully ran MCPR; all signs of McAfee appear to be gone. (No visible processes running after restart.)

MS Access 2000 will run, now.

But I still can't connect to the PC from outside. Even after turning off Windows firewall, trying to Ping the
PC just got a series of time-outs. (All other PCs on network Ping OK.)

So it's an improvement in some ways, but we still can't operate normally, and certain vital databases that reside
on that machine are inaccessible.

And, of course, there's no firewall and no anti-virus on the machine now. I have a current McAfee subscription so
I can reinstall, but don't want to do that until we know what's causing this networking problem.

#15 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 28 August 2012 - 08:41 PM

disregard post

Edited by gringo_pr, 28 August 2012 - 08:42 PM.
