TechSpot

Yet another infected with a virus attacking svchost.exe

Solved
By A_Wisdom
Sep 21, 2012
  1. I've tried everything I can to get rid of this thing on my own. I've downloaded and run every anti-virus and anti-malware program worth its salt, and although they have been able to remove most of the viruses or malware that this svchost virus has allowed into my system, they have not been able to remove the root problem. Some even caused my computer to be completely unbootable and required a system recovery.

    Log files below
    Could not get DDS.com to produce a log file. It seemed to run fine, then locked the system.
    **************************************************************************************************

    Malwarebytes Anti-Malware (Trial) 1.65.0.1400
    www.malwarebytes.org

    Database version: v2012.09.20.07
    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    HP_Owner :: DESKTOP [administrator]

    Protection: Enabled
    9/20/2012 10:36:57 AM
    mbam-log-2012-09-20 (10-36-57).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 319973
    Time elapsed: 42 minute(s), 29 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    ***************************************************************
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-09-21 10:01:23
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST3250318AS rev.CC38
    Running: i0netgj5.exe; Driver: C:\Users\HP_Owner\AppData\Local\Temp\fwtdapoc.sys


    ---- System - GMER 1.0.15 ----
    Code 93D8BBFC ZwTraceEvent
    Code 93D8BBFB NtTraceEvent
    ---- Kernel code sections - GMER 1.0.15 ----
    .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 830543C9 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8308DD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!NtTraceEvent 830DD63A 5 Bytes JMP 93D8BC00
    .text user32.dll!SetUserObjectSecurity 75E32285 8 Bytes [90, E9, 09, 16, 12, EA, 90, ...] {NOP ; JMP 0xffffffffea12160f; NOP ; NOP }
    .text user32.dll!BroadcastSystemMessageExW 75E34255 7 Bytes [90, E9, 89, C2, 11, EA, 90] {NOP ; JMP 0xffffffffea11c28f; NOP }
    .text user32.dll!BroadcastSystemMessageW 75E37CB8 7 Bytes [90, E9, 6E, 85, 11, EA, 90] {NOP ; JMP 0xffffffffea118574; NOP }
    .text user32.dll!PostThreadMessageA 75E3AD09 7 Bytes [90, E9, 29, 46, 11, EA, 90] {NOP ; JMP 0xffffffffea11462f; NOP }
    .text user32.dll!PostThreadMessageA + 8 75E3AD11 2 Bytes [90, 90] {NOP ; NOP }
    .text user32.dll!SendMessageA 75E3AD60 6 Bytes [90, E9, 62, 40, 11, EA] {NOP ; JMP 0xffffffffea114068}
    .text user32.dll!PostMessageA 75E3B446 6 Bytes [90, E9, 34, 3C, 11, EA] {NOP ; JMP 0xffffffffea113c3a}
    .text user32.dll!SendNotifyMessageW 75E3C88A 8 Bytes [90, E9, 2C, 34, 11, EA, 90, ...] {NOP ; JMP 0xffffffffea113432; NOP ; NOP }
    .text user32.dll!SetWindowsHookExW 75E3E30C 7 Bytes [90, E9, F2, 5A, 11, EA, 90] {NOP ; JMP 0xffffffffea115af8; NOP }
    .text user32.dll!SendMessageTimeoutW 75E3E459 7 Bytes [90, E9, A5, 15, 11, EA, 90] {NOP ; JMP 0xffffffffea1115ab; NOP }
    .text user32.dll!PostThreadMessageW 75E3EEFC 8 Bytes [90, E9, 92, 05, 11, EA, 90, ...] {NOP ; JMP 0xffffffffea110598; NOP ; NOP }
    .text user32.dll!SendMessageCallbackW 75E42F7B 6 Bytes [90, E9, CB, C7, 10, EA] {NOP ; JMP 0xffffffffea10c7d1}
    .text user32.dll!PostMessageW 75E4447B 6 Bytes [90, E9, 5B, AD, 10, EA] {NOP ; JMP 0xffffffffea10ad61}
    .text user32.dll!SendMessageW 75E45539 6 Bytes [90, E9, E5, 99, 10, EA] {NOP ; JMP 0xffffffffea1099eb}
    .text user32.dll!SendNotifyMessageA 75E5493C 8 Bytes [90, E9, 1E, B2, 0F, EA, 90, ...] {NOP ; JMP 0xffffffffea0fb224; NOP ; NOP }
    .text user32.dll!SendDlgItemMessageW 75E570D8 9 Bytes [90, E9, 96, 8E, 0F, EA, 90, ...] {NOP ; JMP 0xffffffffea0f8e9c; NOP ; NOP ; NOP }
    .text user32.dll!SendDlgItemMessageA 75E57241 3 Bytes [90, E9, D1]
    .text user32.dll!SendDlgItemMessageA + 4 75E57245 5 Bytes [0F, EA, 90, 90, 90]
    .text user32.dll!OpenClipboard 75E6447E 6 Bytes [90, E9, D8, 94, 0E, EA] {NOP ; JMP 0xffffffffea0e94de}
    .text user32.dll!SetWindowsHookExA 75E66D0C 7 Bytes [90, E9, 96, CF, 0E, EA, 90] {NOP ; JMP 0xffffffffea0ecf9c; NOP }
    .text user32.dll!SendMessageTimeoutA 75E66DA9 7 Bytes [90, E9, F9, 8A, 0E, EA, 90] {NOP ; JMP 0xffffffffea0e8aff; NOP }
    .text user32.dll!SetWindowsHookA 75E7B641 7 Bytes [90, E9, 19, 89, 0D, EA, 90] {NOP ; JMP 0xffffffffea0d891f; NOP }
    .text user32.dll!SetWindowsHookW 75E7B65C 7 Bytes [90, E9, 5A, 8A, 0D, EA, 90] {NOP ; JMP 0xffffffffea0d8a60; NOP }
    .text user32.dll!EndTask 75E7FD66 8 Bytes [90, E9, 00, EF, 0C, EA, 90, ...] {NOP ; JMP 0xffffffffea0cef06; NOP ; NOP }
    .text user32.dll!ExitWindowsEx 75E806C7 8 Bytes [90, E9, E7, 48, 0D, EA, 90, ...] {NOP ; JMP 0xffffffffea0d48ed; NOP ; NOP }
    .text user32.dll!BroadcastSystemMessageExA 75E93B23 7 Bytes [90, E9, 5F, C8, 0B, EA, 90] {NOP ; JMP 0xffffffffea0bc865; NOP }
    .text user32.dll!BroadcastSystemMessage 75E93B4A 7 Bytes [90, E9, 80, C5, 0B, EA, 90] {NOP ; JMP 0xffffffffea0bc586; NOP }
    .text user32.dll!SendMessageCallbackA 75E93E8B 6 Bytes [90, E9, 5F, B7, 0B, EA] {NOP ; JMP 0xffffffffea0bb765}
    .text kernel32.dll!CreateProcessW 75C3204D 7 Bytes [90, E9, ED, C3, 31, EA, 90] {NOP ; JMP 0xffffffffea31c3f3; NOP }
    .text kernel32.dll!CreateProcessA 75C32082 7 Bytes [90, E9, 5C, C2, 31, EA, 90] {NOP ; JMP 0xffffffffea31c262; NOP }
    .text kernel32.dll!VirtualProtect 75C72BCD 6 Bytes [90, E9, 79, 0F, 2E, EA] {NOP ; JMP 0xffffffffea2e0f7f}
    .text kernel32.dll!LoadLibraryExW 75C75079 6 Bytes [90, E9, F1, 8C, 2D, EA] {NOP ; JMP 0xffffffffea2d8cf7}
    .text kernel32.dll!GetProcAddress 75C7CC94 6 Bytes [90, E9, 32, 12, 2D, EA] {NOP ; JMP 0xffffffffea2d1238}
    .text kernel32.dll!FreeLibrary 75C7EF67 6 Bytes [90, E9, BB, F0, 2C, EA] {NOP ; JMP 0xffffffffea2cf0c1}
    .text kernel32.dll!DebugActiveProcess 75CB738C 10 Bytes [90, E9, 3E, D1, 29, EA, 90, ...] {NOP ; JMP 0xffffffffea29d144; NOP ; NOP ; NOP ; NOP }
    .text kernel32.dll!VirtualProtectEx 75CBFD51 6 Bytes [90, E9, 99, 3C, 29, EA] {NOP ; JMP 0xffffffffea293c9f}
    .text advapi32.dll!EnumDependentServicesW 75B91E3A 7 Bytes [90, E9, D8, 01, 3C, EA, 90] {NOP ; JMP 0xffffffffea3c01de; NOP }
    .text advapi32.dll!StartServiceW 75B97974 6 Bytes [90, E9, 62, 9A, 3B, EA] {NOP ; JMP 0xffffffffea3b9a68}
    .text advapi32.dll!QueryServiceStatusEx 75B9798C 6 Bytes [90, E9, 02, 9D, 3B, EA] {NOP ; JMP 0xffffffffea3b9d08}
    .text advapi32.dll!SetFileSecurityW 75B979C3 6 Bytes [90, E9, A3, B6, 3B, EA] {NOP ; JMP 0xffffffffea3bb6a9}
    .text advapi32.dll!SetSecurityInfo 75B99EDF 8 Bytes [90, E9, 9B, 95, 3B, EA, 90, ...] {NOP ; JMP 0xffffffffea3b95a1; NOP ; NOP }
    .text advapi32.dll!SetNamedSecurityInfoW 75B99FE2 8 Bytes [90, E9, 50, 97, 3B, EA, 90, ...] {NOP ; JMP 0xffffffffea3b9756; NOP ; NOP }
    .text advapi32.dll!EnumServicesStatusExW 75B9B466 7 Bytes [90, E9, 8C, 76, 3B, EA, 90] {NOP ; JMP 0xffffffffea3b7692; NOP }
    .text advapi32.dll!QueryServiceConfigW 75B9B537 6 Bytes [90, E9, 6B, 65, 3B, EA] {NOP ; JMP 0xffffffffea3b6571}
    .text advapi32.dll!CreateProcessAsUserW 75B9C592 6 Bytes [90, E9, 60, 21, 3B, EA] {NOP ; JMP 0xffffffffea3b2166}
    .text advapi32.dll!OpenServiceW 75B9CA4C 6 Bytes [90, E9, 76, 45, 3B, EA] {NOP ; JMP 0xffffffffea3b457c}
    .text advapi32.dll!OpenSCManagerW 75B9CA64 6 Bytes [90, E9, EE, 3F, 3B, EA] {NOP ; JMP 0xffffffffea3b3ff4}
    .text advapi32.dll!QueryServiceStatus 75BA2A86 6 Bytes [90, E9, AC, EA, 3A, EA] {NOP ; JMP 0xffffffffea3aeab2}
    .text advapi32.dll!OpenSCManagerA 75BA2BD8 6 Bytes [90, E9, 1E, DD, 3A, EA] {NOP ; JMP 0xffffffffea3add24}
    .text advapi32.dll!OpenServiceA 75BA2BF0 6 Bytes [90, E9, 76, E2, 3A, EA] {NOP ; JMP 0xffffffffea3ae27c}
    .text advapi32.dll!AdjustTokenPrivileges 75BA418E 6 Bytes [90, E9, 20, EC, 3A, EA] {NOP ; JMP 0xffffffffea3aec26}
    .text advapi32.dll!SetKernelObjectSecurity 75BA4645 6 Bytes [90, E9, 7D, EB, 3A, EA] {NOP ; JMP 0xffffffffea3aeb83}
    .text advapi32.dll!CreateServiceW 75BB712C 6 Bytes [90, E9, DE, 9B, 39, EA] {NOP ; JMP 0xffffffffea399be4}
    .text advapi32.dll!ControlService 75BB7144 6 Bytes [90, E9, A6, A6, 39, EA] {NOP ; JMP 0xffffffffea39a6ac}
    .text advapi32.dll!DeleteService 75BB715C 6 Bytes [90, E9, C2, 9F, 39, EA] {NOP ; JMP 0xffffffffea399fc8}
    .text advapi32.dll!QueryServiceConfigA 75BB9A4F 6 Bytes [90, E9, F7, 7E, 39, EA] {NOP ; JMP 0xffffffffea397efd}
    .text advapi32.dll!EnumServicesStatusExA 75BBA3E2 7 Bytes [90, E9, B4, 85, 39, EA, 90] {NOP ; JMP 0xffffffffea3985ba; NOP }
    .text advapi32.dll!CreateProcessAsUserA 75BD2538 7 Bytes [90, E9, 16, C3, 37, EA, 90] {NOP ; JMP 0xffffffffea37c31c; NOP }
    .text advapi32.dll!ChangeServiceConfig2A 75BD30C8 6 Bytes [90, E9, 5E, F3, 37, EA] {NOP ; JMP 0xffffffffea37f364}
    .text advapi32.dll!ChangeServiceConfig2W 75BD30D8 6 Bytes [90, E9, AA, F4, 37, EA] {NOP ; JMP 0xffffffffea37f4b0}
    .text advapi32.dll!ChangeServiceConfigA 75BD30E8 6 Bytes [90, E9, 86, F0, 37, EA] {NOP ; JMP 0xffffffffea37f08c}
    .text advapi32.dll!ChangeServiceConfigW 75BD30F8 6 Bytes [90, E9, D2, F1, 37, EA] {NOP ; JMP 0xffffffffea37f1d8}
    .text advapi32.dll!CreateServiceA 75BD3158 6 Bytes [90, E9, 56, DA, 37, EA] {NOP ; JMP 0xffffffffea37da5c}
    .text advapi32.dll!QueryServiceConfig2A 75BD33E9 6 Bytes [90, E9, 15, E8, 37, EA] {NOP ; JMP 0xffffffffea37e81b}
    .text advapi32.dll!QueryServiceConfig2W 75BD33F9 6 Bytes [90, E9, 61, E9, 37, EA] {NOP ; JMP 0xffffffffea37e967}
    .text advapi32.dll!SetServiceObjectSecurity 75BD3533 6 Bytes [90, E9, EB, FD, 37, EA] {NOP ; JMP 0xffffffffea37fdf1}
    .text advapi32.dll!StartServiceA 75BD3543 6 Bytes [90, E9, 37, DD, 37, EA] {NOP ; JMP 0xffffffffea37dd3d}
    .text advapi32.dll!CreateProcessWithLogonW 75BD52E9 8 Bytes [90, E9, AD, 92, 37, EA, 90, ...] {NOP ; JMP 0xffffffffea3792b3; NOP ; NOP }
    .text advapi32.dll!InitiateSystemShutdownW 75BEDA6D 8 Bytes [90, E9, 75, 6E, 36, EA, 90, ...] {NOP ; JMP 0xffffffffea366e7b; NOP ; NOP }
    .text advapi32.dll!InitiateSystemShutdownExW 75BEDB3A 8 Bytes [90, E9, 60, 70, 36, EA, 90, ...] {NOP ; JMP 0xffffffffea367066; NOP ; NOP }
    .text advapi32.dll!AbortSystemShutdownW 75BEDD60 6 Bytes [90, E9, F2, 70, 36, EA] {NOP ; JMP 0xffffffffea3670f8}
    .text advapi32.dll!EnumServicesStatusA 75BF2021 7 Bytes [90, E9, BD, 06, 36, EA, 90] {NOP ; JMP 0xffffffffea3606c3; NOP }
    .text advapi32.dll!EnumDependentServicesA 75BF2104 7 Bytes [90, E9, B2, FD, 35, EA, 90] {NOP ; JMP 0xffffffffea35fdb8; NOP }
    .text advapi32.dll!EnumServicesStatusW 75BF2221 7 Bytes [90, E9, 19, 06, 36, EA, 90] {NOP ; JMP 0xffffffffea36061f; NOP }
    ---- User code sections - GMER 1.0.15 ----
    .text C:\Windows\system32\svchost.exe[892] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[892] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[892] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[892] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[892] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
    .text ...
    .text C:\Windows\system32\svchost.exe[892] kernel32.dll!CreateProcessInternalW 75C807A2 5 Bytes JMP 0002483D
    .text C:\Windows\system32\svchost.exe[976] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[976] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[976] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[976] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[976] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
    .text ...
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateProcessW 75C3204D 7 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateProcessA 75C32082 7 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryExW 75C75079 6 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!GetProcAddress 75C7CC94 6 Bytes JMP 5FF4DECB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!FreeLibrary 75C7EF67 6 Bytes JMP 5FF4E027 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 6 Bytes JMP 5FF4E6F7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessAsUserA 75BD2538 7 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessWithLogonW 75BD52E9 8 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\System32\svchost.exe[1056] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
    .text ...
    .text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessW 75C3204D 7 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessA 75C32082 7 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 75C75079 6 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetProcAddress 75C7CC94 6 Bytes JMP 5FF4DECB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1056] kernel32.dll!FreeLibrary 75C7EF67 6 Bytes JMP 5FF4E027 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 6 Bytes JMP 5FF4E6F7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!CreateProcessAsUserA 75BD2538 7 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!CreateProcessWithLogonW 75BD52E9 8 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\System32\svchost.exe[1092] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
    .text ...
    .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateProcessInternalW 75C807A2 5 Bytes JMP 0002483D
    .text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[1132] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
    .text ...
    .text C:\Windows\system32\svchost.exe[1132] kernel32.dll!CreateProcessInternalW 75C807A2 5 Bytes JMP 0002483D
    .text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[1324] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
    .text ...
    .text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateProcessW 75C3204D 5 Bytes JMP 5FF4E440 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1324] kernel32.dll!CreateProcessA 75C32082 5 Bytes JMP 5FF4E2E4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExW 75C75079 5 Bytes JMP 5FF4DD70 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1324] kernel32.dll!GetProcAddress 75C7CC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1324] kernel32.dll!FreeLibrary 75C7EF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!CreateProcessAsUserA 75BD2538 5 Bytes JMP 5FF4E854 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1324] ADVAPI32.dll!CreateProcessWithLogonW 75BD52E9 5 Bytes JMP 5FF4E59C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[1488] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
    .text ...
     
  2. A_Wisdom


    Continued 2....
    .text C:\Windows\system32\svchost.exe[1488] kernel32.dll!CreateProcessW + 2 75C3204F 8 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1488] kernel32.dll!CreateProcessA + 2 75C32084 8 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1488] kernel32.dll!LoadLibraryExW + 2 75C7507B 9 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1488] kernel32.dll!GetProcAddress 75C7CC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1488] kernel32.dll!FreeLibrary 75C7EF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1488] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1488] ADVAPI32.dll!CreateProcessAsUserA + 2 75BD253A 8 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1488] ADVAPI32.dll!CreateProcessWithLogonW + 2 75BD52EB 6 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1680] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1680] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1680] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[1680] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[1680] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
    .text ...
    .text C:\Windows\system32\svchost.exe[1680] kernel32.dll!CreateProcessW 75C3204D 7 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1680] kernel32.dll!CreateProcessA 75C32082 7 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1680] kernel32.dll!LoadLibraryExW 75C75079 6 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1680] kernel32.dll!GetProcAddress 75C7CC94 6 Bytes JMP 5FF4DECB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1680] kernel32.dll!FreeLibrary 75C7EF67 6 Bytes JMP 5FF4E027 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1680] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 6 Bytes JMP 5FF4E6F7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1680] ADVAPI32.dll!CreateProcessAsUserA 75BD2538 7 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1680] ADVAPI32.dll!CreateProcessWithLogonW 75BD52E9 8 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1852] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1852] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1852] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[1852] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[1852] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
    .text ...
    .text C:\Windows\system32\svchost.exe[1852] kernel32.dll!CreateProcessInternalW 75C807A2 5 Bytes JMP 0002483D
    .text C:\Windows\system32\svchost.exe[2280] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[2280] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[2280] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[2280] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[2280] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
    .text ...
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateProcessW + 2 75C3204F 8 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateProcessA + 2 75C32084 8 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!LoadLibraryExW + 2 75C7507B 9 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!GetProcAddress 75C7CC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2280] kernel32.dll!FreeLibrary 75C7EF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!CreateProcessAsUserA + 2 75BD253A 8 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!CreateProcessWithLogonW + 2 75BD52EB 6 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2280] SHELL32.dll!SHCreateProcessAsUserW 766D6B50 8 Bytes JMP 5FF4E9AE C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\Explorer.EXE[2536] kernel32.dll!CreateProcessInternalW 75C807A2 5 Bytes JMP 001F483D
    .text C:\Windows\system32\svchost.exe[2660] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[2660] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[2660] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[2660] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[2660] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
    .text ...
    .text C:\Windows\system32\svchost.exe[2660] kernel32.dll!CreateProcessW + 2 75C3204F 8 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2660] kernel32.dll!CreateProcessA + 2 75C32084 8 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2660] kernel32.dll!LoadLibraryExW + 2 75C7507B 9 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2660] kernel32.dll!GetProcAddress 75C7CC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2660] kernel32.dll!FreeLibrary 75C7EF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2660] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2660] ADVAPI32.dll!CreateProcessAsUserA + 2 75BD253A 8 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2660] ADVAPI32.dll!CreateProcessWithLogonW + 2 75BD52EB 6 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2892] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[2892] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[2892] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[2892] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[2892] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
    .text ...
    .text C:\Windows\system32\svchost.exe[2892] kernel32.dll!CreateProcessInternalW 75C807A2 5 Bytes JMP 0002483D
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] kernel32.dll!CreateProcessW + 2 75C3204F 8 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] kernel32.dll!CreateProcessA + 2 75C32084 8 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] kernel32.dll!VirtualProtect + 2 75C72BCF 9 Bytes JMP 5FF53B4B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] kernel32.dll!LoadLibraryExW + 2 75C7507B 9 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] kernel32.dll!GetProcAddress 75C7CC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] kernel32.dll!FreeLibrary 75C7EF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] kernel32.dll!DebugActiveProcess + 2 75CB738E 8 Bytes JMP 5FF544CF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] kernel32.dll!VirtualProtectEx + 2 75CBFD53 9 Bytes JMP 5FF539EF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SetUserObjectSecurity + 2 75E32287 6 Bytes JMP 5FF53893 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!BroadcastSystemMessageExW + 2 75E34257 8 Bytes JMP 5FF504E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!BroadcastSystemMessageW + 2 75E37CBA 7 Bytes JMP 5FF5022B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!PostThreadMessageA + 2 75E3AD0B 8 Bytes JMP 5FF4F337 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SendMessageA + 2 75E3AD62 7 Bytes JMP 5FF4EDC7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!PostMessageA + 2 75E3B448 6 Bytes JMP 5FF4F07F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SendNotifyMessageW + 2 75E3C88C 6 Bytes JMP 5FF4FCBB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SetWindowsHookExW + 2 75E3E30E 8 Bytes JMP 5FF53E03 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SendMessageTimeoutW + 2 75E3E45B 8 Bytes JMP 5FF4FA03 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!PostThreadMessageW + 2 75E3EEFE 6 Bytes JMP 5FF4F493 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SendMessageCallbackW + 2 75E42F7D 8 Bytes JMP 5FF4F74B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!PostMessageW + 2 75E4447D 7 Bytes JMP 5FF4F1DB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SendMessageW + 2 75E4553B 7 Bytes JMP 5FF4EF23 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SendNotifyMessageA + 2 75E5493E 6 Bytes JMP 5FF4FB5F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SendDlgItemMessageW + 2 75E570DA 7 Bytes JMP 5FF4FF73 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SendDlgItemMessageA + 2 75E57243 7 Bytes JMP 5FF4FE17 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!OpenClipboard + 2 75E64480 7 Bytes JMP 5FF4D95B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SetWindowsHookExA + 2 75E66D0E 8 Bytes JMP 5FF53CA7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SendMessageTimeoutA + 2 75E66DAB 8 Bytes JMP 5FF4F8A7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SetWindowsHookA + 2 75E7B643 8 Bytes JMP 5FF53F5F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SetWindowsHookW + 2 75E7B65E 8 Bytes JMP 5FF540BB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!EndTask + 2 75E7FD68 6 Bytes JMP 5FF4EC6B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!ExitWindowsEx + 2 75E806C9 6 Bytes JMP 5FF54FB3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!BroadcastSystemMessageExA + 2 75E93B25 8 Bytes JMP 5FF50387 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!BroadcastSystemMessage + 2 75E93B4C 7 Bytes JMP 5FF500CF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] USER32.dll!SendMessageCallbackA + 2 75E93E8D 8 Bytes JMP 5FF4F5EF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ole32.dll!CoGetClassObject + 2 763654AF 8 Bytes JMP 5FF4D3EB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ole32.dll!CoInitializeEx + 2 763709AF 6 Bytes JMP 5FF4D133 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ole32.dll!CoCreateInstanceEx + 2 76379D50 7 Bytes JMP 5FF4D28F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ole32.dll!CoGetInstanceFromFile + 2 763F340D 8 Bytes JMP 5FF4D547 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ole32.dll!CoGetInstanceFromIStorage + 2 76410F09 8 Bytes JMP 5FF4D6A3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!EnumDependentServicesW 75B91E3A 12 Bytes JMP 5FF52015 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!StartServiceW 75B97974 5 Bytes JMP 5FF513DC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!QueryServiceStatusEx 75B9798C 5 Bytes JMP 5FF51694 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!SetFileSecurityW 75B979C3 5 Bytes JMP 5FF5306C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!SetSecurityInfo + 2 75B99EE1 6 Bytes JMP 5FF5347F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!SetNamedSecurityInfoW + 2 75B99FE4 6 Bytes JMP 5FF53737 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!EnumServicesStatusExW 75B9B466 12 Bytes JMP 5FF52AF5 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!QueryServiceConfigW 75B9B537 5 Bytes JMP 5FF51AA8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!OpenServiceW 75B9CA4C 5 Bytes JMP 5FF50FC8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!OpenSCManagerW 75B9CA64 5 Bytes JMP 5FF50A58 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!QueryServiceStatus 75BA2A86 5 Bytes JMP 5FF51538 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!OpenSCManagerA 75BA2BD8 5 Bytes JMP 5FF508FC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!OpenServiceA 75BA2BF0 5 Bytes JMP 5FF50E6C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!AdjustTokenPrivileges 75BA418E 5 Bytes JMP 5FF52DB4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!SetKernelObjectSecurity 75BA4645 5 Bytes JMP 5FF531C8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!CreateServiceW 75BB712C 5 Bytes JMP 5FF50D10 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!ControlService 75BB7144 5 Bytes JMP 5FF517F0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!DeleteService 75BB715C 5 Bytes JMP 5FF51124 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!QueryServiceConfigA 75BB9A4F 5 Bytes JMP 5FF5194C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!EnumServicesStatusExA 75BBA3E2 12 Bytes JMP 5FF52999 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!CreateProcessAsUserA + 2 75BD253A 8 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!ChangeServiceConfig2A + 2 75BD30CA 9 Bytes JMP 5FF5242B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!ChangeServiceConfig2W + 2 75BD30DA 9 Bytes JMP 5FF52587 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!ChangeServiceConfigA + 2 75BD30EA 9 Bytes JMP 5FF52173 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!ChangeServiceConfigW + 2 75BD30FA 9 Bytes JMP 5FF522CF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!CreateServiceA + 2 75BD315A 9 Bytes JMP 5FF50BB3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!QueryServiceConfig2A + 2 75BD33EB 9 Bytes JMP 5FF51C03 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!QueryServiceConfig2W + 2 75BD33FB 9 Bytes JMP 5FF51D5F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!SetServiceObjectSecurity + 2 75BD3535 9 Bytes JMP 5FF53323 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!StartServiceA + 2 75BD3545 9 Bytes JMP 5FF5127F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!CreateProcessWithLogonW + 2 75BD52EB 6 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!InitiateSystemShutdownW + 2 75BEDA6F 6 Bytes JMP 5FF548E7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!InitiateSystemShutdownExW + 2 75BEDB3C 6 Bytes JMP 5FF54B9F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!AbortSystemShutdownW + 2 75BEDD62 7 Bytes JMP 5FF54E57 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!EnumServicesStatusA 75BF2021 12 Bytes JMP 5FF526E1 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!EnumDependentServicesA 75BF2104 12 Bytes JMP 5FF51EB9 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] ADVAPI32.dll!EnumServicesStatusW + 2 75BF2223 8 Bytes JMP 5FF5283F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] SHELL32.dll!SHCreateProcessAsUserW 766D6B50 8 Bytes JMP 5FF4E9AD C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[5208] svchost.exe 004D2104 11 Bytes CALL 004D1DDC C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\System32\svchost.exe[5208] svchost.exe 004D2110 14 Bytes CALL 004D1D8A C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\System32\svchost.exe[5208] svchost.exe 004D2120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\System32\svchost.exe[5208] svchost.exe 004D212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\System32\svchost.exe[5208] svchost.exe 004D213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...] {ADD [EBX], DH; TEST BYTE [ESI-0x5f], 0x68; PUSH EAX; DEC EBP}
    .text ...
     
  3. A_Wisdom


    Continued 3....
    .text C:\Windows\System32\svchost.exe[5208] kernel32.dll!CreateProcessInternalW 75C807A2 5 Bytes JMP 0002483D
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] kernel32.dll!CreateProcessW 75C3204D 7 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] kernel32.dll!CreateProcessA 75C32082 7 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] kernel32.dll!VirtualProtect 75C72BCD 6 Bytes JMP 5FF53B4B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] kernel32.dll!LoadLibraryExW 75C75079 6 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] kernel32.dll!GetProcAddress 75C7CC94 6 Bytes JMP 5FF4DECB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] kernel32.dll!FreeLibrary 75C7EF67 6 Bytes JMP 5FF4E027 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] kernel32.dll!DebugActiveProcess 75CB738C 10 Bytes JMP 5FF544CF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] kernel32.dll!VirtualProtectEx 75CBFD51 6 Bytes JMP 5FF539EF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!EnumDependentServicesW 75B91E3A 7 Bytes JMP 5FF52017 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!StartServiceW 75B97974 6 Bytes JMP 5FF513DB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!QueryServiceStatusEx 75B9798C 6 Bytes JMP 5FF51693 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!SetFileSecurityW 75B979C3 6 Bytes JMP 5FF5306B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!SetSecurityInfo 75B99EDF 8 Bytes JMP 5FF5347F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!SetNamedSecurityInfoW 75B99FE2 8 Bytes JMP 5FF53737 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!EnumServicesStatusExW 75B9B466 7 Bytes JMP 5FF52AF7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!QueryServiceConfigW 75B9B537 6 Bytes JMP 5FF51AA7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 6 Bytes JMP 5FF4E6F7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!OpenServiceW 75B9CA4C 6 Bytes JMP 5FF50FC7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!OpenSCManagerW 75B9CA64 6 Bytes JMP 5FF50A57 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!QueryServiceStatus 75BA2A86 6 Bytes JMP 5FF51537 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!OpenSCManagerA 75BA2BD8 6 Bytes JMP 5FF508FB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!OpenServiceA 75BA2BF0 6 Bytes JMP 5FF50E6B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!AdjustTokenPrivileges 75BA418E 6 Bytes JMP 5FF52DB3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!SetKernelObjectSecurity 75BA4645 6 Bytes JMP 5FF531C7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!CreateServiceW 75BB712C 6 Bytes JMP 5FF50D0F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!ControlService 75BB7144 6 Bytes JMP 5FF517EF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!DeleteService 75BB715C 6 Bytes JMP 5FF51123 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!QueryServiceConfigA 75BB9A4F 6 Bytes JMP 5FF5194B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!EnumServicesStatusExA 75BBA3E2 7 Bytes JMP 5FF5299B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!CreateProcessAsUserA 75BD2538 7 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!ChangeServiceConfig2A 75BD30C8 6 Bytes JMP 5FF5242B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!ChangeServiceConfig2W 75BD30D8 6 Bytes JMP 5FF52587 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!ChangeServiceConfigA 75BD30E8 6 Bytes JMP 5FF52173 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!ChangeServiceConfigW 75BD30F8 6 Bytes JMP 5FF522CF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!CreateServiceA 75BD3158 6 Bytes JMP 5FF50BB3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!QueryServiceConfig2A 75BD33E9 6 Bytes JMP 5FF51C03 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!QueryServiceConfig2W 75BD33F9 6 Bytes JMP 5FF51D5F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!SetServiceObjectSecurity 75BD3533 6 Bytes JMP 5FF53323 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!StartServiceA 75BD3543 6 Bytes JMP 5FF5127F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!CreateProcessWithLogonW 75BD52E9 8 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!InitiateSystemShutdownW 75BEDA6D 8 Bytes JMP 5FF548E7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!InitiateSystemShutdownExW 75BEDB3A 8 Bytes JMP 5FF54B9F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!AbortSystemShutdownW 75BEDD60 6 Bytes JMP 5FF54E57 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!EnumServicesStatusA 75BF2021 7 Bytes JMP 5FF526E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!EnumDependentServicesA 75BF2104 7 Bytes JMP 5FF51EBB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] ADVAPI32.dll!EnumServicesStatusW 75BF2221 7 Bytes JMP 5FF5283F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SetUserObjectSecurity 75E32285 8 Bytes JMP 5FF53893 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!BroadcastSystemMessageExW 75E34255 7 Bytes JMP 5FF504E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!BroadcastSystemMessageW 75E37CB8 7 Bytes JMP 5FF5022B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!PostThreadMessageA 75E3AD09 7 Bytes JMP 5FF4F337 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!PostThreadMessageA + 8 75E3AD11 2 Bytes [90, 90] {NOP ; NOP }
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SendMessageA 75E3AD60 6 Bytes JMP 5FF4EDC7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!PostMessageA 75E3B446 6 Bytes JMP 5FF4F07F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SendNotifyMessageW 75E3C88A 8 Bytes JMP 5FF4FCBB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SetWindowsHookExW 75E3E30C 7 Bytes JMP 5FF53E03 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SendMessageTimeoutW 75E3E459 7 Bytes JMP 5FF4FA03 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!PostThreadMessageW 75E3EEFC 8 Bytes JMP 5FF4F493 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SendMessageCallbackW 75E42F7B 6 Bytes JMP 5FF4F74B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!PostMessageW 75E4447B 6 Bytes JMP 5FF4F1DB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SendMessageW 75E45539 6 Bytes JMP 5FF4EF23 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SendNotifyMessageA 75E5493C 8 Bytes JMP 5FF4FB5F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SendDlgItemMessageW 75E570D8 9 Bytes JMP 5FF4FF73 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SendDlgItemMessageA 75E57241 3 Bytes JMP 5FF4FE17 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SendDlgItemMessageA + 4 75E57245 5 Bytes [0F, EA, 90, 90, 90]
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!OpenClipboard 75E6447E 6 Bytes JMP 5FF4D95B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SetWindowsHookExA 75E66D0C 7 Bytes JMP 5FF53CA7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SendMessageTimeoutA 75E66DA9 7 Bytes JMP 5FF4F8A7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SetWindowsHookA 75E7B641 7 Bytes JMP 5FF53F5F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SetWindowsHookW 75E7B65C 7 Bytes JMP 5FF540BB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!EndTask 75E7FD66 8 Bytes JMP 5FF4EC6B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!ExitWindowsEx 75E806C7 8 Bytes JMP 5FF54FB3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!BroadcastSystemMessageExA 75E93B23 7 Bytes JMP 5FF50387 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!BroadcastSystemMessage 75E93B4A 7 Bytes JMP 5FF500CF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[6932] USER32.dll!SendMessageCallbackA 75E93E8B 6 Bytes JMP 5FF4F5EF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] kernel32.dll!CreateProcessW 75C3204D 5 Bytes JMP 5FF4E440 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] kernel32.dll!CreateProcessA 75C32082 5 Bytes JMP 5FF4E2E4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] kernel32.dll!VirtualProtect 75C72BCD 5 Bytes JMP 5FF53B4C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] kernel32.dll!LoadLibraryExW 75C75079 5 Bytes JMP 5FF4DD70 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] kernel32.dll!GetProcAddress 75C7CC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] kernel32.dll!FreeLibrary 75C7EF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] kernel32.dll!DebugActiveProcess 75CB738C 5 Bytes JMP 5FF544D0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] kernel32.dll!VirtualProtectEx 75CBFD51 5 Bytes JMP 5FF539F0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SetUserObjectSecurity 75E32285 5 Bytes JMP 5FF53894 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!BroadcastSystemMessageExW 75E34255 5 Bytes JMP 5FF504E4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!BroadcastSystemMessageW 75E37CB8 5 Bytes JMP 5FF5022C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!PostThreadMessageA 75E3AD09 5 Bytes JMP 5FF4F338 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SendMessageA 75E3AD60 5 Bytes JMP 5FF4EDC8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!PostMessageA 75E3B446 5 Bytes JMP 5FF4F080 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SendNotifyMessageW 75E3C88A 5 Bytes JMP 5FF4FCBC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SetWindowsHookExW 75E3E30C 5 Bytes JMP 5FF53E04 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SendMessageTimeoutW 75E3E459 5 Bytes JMP 5FF4FA04 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!PostThreadMessageW 75E3EEFC 5 Bytes JMP 5FF4F494 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SendMessageCallbackW 75E42F7B 5 Bytes JMP 5FF4F74C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!PostMessageW 75E4447B 5 Bytes JMP 5FF4F1DC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SendMessageW 75E45539 5 Bytes JMP 5FF4EF24 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SendNotifyMessageA 75E5493C 5 Bytes JMP 5FF4FB60 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SendDlgItemMessageW 75E570D8 5 Bytes JMP 5FF4FF74 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SendDlgItemMessageA 75E57241 5 Bytes JMP 5FF4FE18 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!OpenClipboard 75E6447E 5 Bytes JMP 5FF4D95C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SetWindowsHookExA 75E66D0C 5 Bytes JMP 5FF53CA8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SendMessageTimeoutA 75E66DA9 5 Bytes JMP 5FF4F8A8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SetWindowsHookA 75E7B641 5 Bytes JMP 5FF53F60 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SetWindowsHookW 75E7B65C 5 Bytes JMP 5FF540BC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!EndTask 75E7FD66 5 Bytes JMP 5FF4EC6C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!ExitWindowsEx 75E806C7 5 Bytes JMP 5FF54FB4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!BroadcastSystemMessageExA 75E93B23 5 Bytes JMP 5FF50388 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!BroadcastSystemMessage 75E93B4A 5 Bytes JMP 5FF500D0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] USER32.dll!SendMessageCallbackA 75E93E8B 5 Bytes JMP 5FF4F5F0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!EnumDependentServicesW 75B91E3A 7 Bytes JMP 5FF52018 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!StartServiceW 75B97974 5 Bytes JMP 5FF513DC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!QueryServiceStatusEx 75B9798C 5 Bytes JMP 5FF51694 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!SetFileSecurityW 75B979C3 5 Bytes JMP 5FF5306C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!SetSecurityInfo 75B99EDF 5 Bytes JMP 5FF53480 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!SetNamedSecurityInfoW 75B99FE2 5 Bytes JMP 5FF53738 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!EnumServicesStatusExW 75B9B466 7 Bytes JMP 5FF52AF8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!QueryServiceConfigW 75B9B537 5 Bytes JMP 5FF51AA8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!CreateProcessAsUserW 75B9C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!OpenServiceW 75B9CA4C 5 Bytes JMP 5FF50FC8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!OpenSCManagerW 75B9CA64 5 Bytes JMP 5FF50A58 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!QueryServiceStatus 75BA2A86 5 Bytes JMP 5FF51538 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!OpenSCManagerA 75BA2BD8 5 Bytes JMP 5FF508FC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!OpenServiceA 75BA2BF0 5 Bytes JMP 5FF50E6C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!AdjustTokenPrivileges 75BA418E 5 Bytes JMP 5FF52DB4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!SetKernelObjectSecurity 75BA4645 5 Bytes JMP 5FF531C8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!CreateServiceW 75BB712C 5 Bytes JMP 5FF50D10 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!ControlService 75BB7144 5 Bytes JMP 5FF517F0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!DeleteService 75BB715C 5 Bytes JMP 5FF51124 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!QueryServiceConfigA 75BB9A4F 5 Bytes JMP 5FF5194C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!EnumServicesStatusExA 75BBA3E2 7 Bytes JMP 5FF5299C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!CreateProcessAsUserA 75BD2538 5 Bytes JMP 5FF4E854 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!ChangeServiceConfig2A 75BD30C8 5 Bytes JMP 5FF5242C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!ChangeServiceConfig2W 75BD30D8 5 Bytes JMP 5FF52588 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!ChangeServiceConfigA 75BD30E8 5 Bytes JMP 5FF52174 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!ChangeServiceConfigW 75BD30F8 5 Bytes JMP 5FF522D0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!CreateServiceA 75BD3158 5 Bytes JMP 5FF50BB4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!QueryServiceConfig2A 75BD33E9 5 Bytes JMP 5FF51C04 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!QueryServiceConfig2W 75BD33F9 5 Bytes JMP 5FF51D60 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!SetServiceObjectSecurity 75BD3533 5 Bytes JMP 5FF53324 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!StartServiceA 75BD3543 5 Bytes JMP 5FF51280 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!CreateProcessWithLogonW 75BD52E9 5 Bytes JMP 5FF4E59C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!InitiateSystemShutdownW 75BEDA6D 5 Bytes JMP 5FF548E8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!InitiateSystemShutdownExW 75BEDB3A 5 Bytes JMP 5FF54BA0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!AbortSystemShutdownW 75BEDD60 5 Bytes JMP 5FF54E58 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!EnumServicesStatusA 75BF2021 7 Bytes JMP 5FF526E4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!EnumDependentServicesA 75BF2104 7 Bytes JMP 5FF51EBC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ADVAPI32.dll!EnumServicesStatusW 75BF2221 5 Bytes JMP 5FF52840 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ole32.dll!CoGetClassObject 763654AD 5 Bytes JMP 5FF4D3EC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ole32.dll!CoInitializeEx 763709AD 5 Bytes JMP 5FF4D134 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ole32.dll!CoCreateInstanceEx 76379D4E 5 Bytes JMP 5FF4D290 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ole32.dll!CoGetInstanceFromFile 763F340B 5 Bytes JMP 5FF4D548 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] ole32.dll!CoGetInstanceFromIStorage 76410F07 5 Bytes JMP 5FF4D6A4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    ---- User IAT/EAT - GMER 1.0.15 ----
    IAT C:\Windows\Explorer.EXE[2536] @ C:\Windows\Explorer.EXE [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2536] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2536] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2536] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2536] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2536] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [6D1F11EB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2536] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2536] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[2536] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\USER32.dll [GDI32.dll!GetStockObject] [6134649C] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExA] [613478C9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [613478C9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6134649C] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [613463D7] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [613464A2] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61346306] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61346344] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61346537] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [613463D7] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6134649C] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!CreateFileA] [61346622] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[4380] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!CreateFileW] [6134657C] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] @ C:\Windows\system32\ole32.dll [USER32.dll!SetWindowsHookExW] [5FF53E04] C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    IAT C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[4884] @ C:\Windows\system32\SHELL32.dll [USER32.dll!SetWindowsHookExW] [5FF53E04] C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    IAT C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[8160] @ C:\Windows\system32\ole32.dll [USER32.dll!SetWindowsHookExW] [5FF53E04] C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
     
  4. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    Continued 4....
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy4 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy5 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy5 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy6 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy6 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy7 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy7 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy8 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy8 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy9 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy9 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy10 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy10 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy11 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy11 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy12 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy12 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy13 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy13 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy14 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy14 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy15 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy15 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy16 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy16 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy17 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy17 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    ---- EOF - GMER 1.0.15 ----
     
  5. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  6. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    Malwarebytes Anti-Malware (Trial) 1.65.0.1400
    www.malwarebytes.org
    Database version: v2012.09.21.09
    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    HP_Owner :: DESKTOP [administrator]
    Protection: Enabled
    9/21/2012 6:44:21 PM
    mbam-log-2012-09-21 (18-44-21).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 318323
    Time elapsed: 32 minute(s), 53 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)

    ************************************************************************************
     
  7. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-09-22 09:28:46
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST3250318AS rev.CC38
    Running: i0netgj5.exe; Driver: C:\Users\HP_Owner\AppData\Local\Temp\fwtdapoc.sys

    ---- System - GMER 1.0.15 ----
    Code 8FB7ABFC ZwTraceEvent
    Code 8FB7ABFB NtTraceEvent
    ---- Kernel code sections - GMER 1.0.15 ----
    .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 830533C9 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8308CD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!NtTraceEvent 830DC63A 5 Bytes JMP 8FB7AC00
    .text kernel32.dll!CreateProcessW 766B204D 5 Bytes [E9, EE, C3, 89, E9] {JMP 0xffffffffe989c3f3}
    .text kernel32.dll!CreateProcessA 766B2082 5 Bytes [E9, 5D, C2, 89, E9] {JMP 0xffffffffe989c262}
    .text kernel32.dll!VirtualProtect 766F2BCD 5 Bytes [E9, 7A, 0F, 86, E9] {JMP 0xffffffffe9860f7f}
    .text kernel32.dll!LoadLibraryExW 766F5079 5 Bytes [E9, F2, 8C, 85, E9] {JMP 0xffffffffe9858cf7}
    .text kernel32.dll!GetProcAddress 766FCC94 5 Bytes [E9, 33, 12, 85, E9] {JMP 0xffffffffe9851238}
    .text kernel32.dll!FreeLibrary 766FEF67 5 Bytes [E9, BC, F0, 84, E9] {JMP 0xffffffffe984f0c1}
    .text kernel32.dll!DebugActiveProcess 7673738C 5 Bytes [E9, 3F, D1, 81, E9] {JMP 0xffffffffe981d144}
    .text kernel32.dll!VirtualProtectEx 7673FD51 5 Bytes [E9, 9A, 3C, 81, E9] {JMP 0xffffffffe9813c9f}
    .text ole32.dll!CoGetClassObject 765854AD 10 Bytes [90, E9, 39, 7F, 9C, E9, 90, ...] {NOP ; JMP 0xffffffffe99c7f3f; NOP ; NOP ; NOP ; NOP }
    .text ole32.dll!CoInitializeEx 765909AD 6 Bytes [90, E9, 81, C7, 9B, E9] {NOP ; JMP 0xffffffffe99bc787}
    .text ole32.dll!CoCreateInstanceEx 76599D4E 6 Bytes [90, E9, 3C, 35, 9B, E9] {NOP ; JMP 0xffffffffe99b3542}
    .text ole32.dll!CoGetInstanceFromFile 7661340B 10 Bytes [90, E9, 37, A1, 93, E9, 90, ...] {NOP ; JMP 0xffffffffe993a13d; NOP ; NOP ; NOP ; NOP }
    .text ole32.dll!CoGetInstanceFromIStorage 76630F07 10 Bytes [90, E9, 97, C7, 91, E9, 90, ...] {NOP ; JMP 0xffffffffe991c79d; NOP ; NOP ; NOP ; NOP }
    .text advapi32.dll!EnumDependentServicesW 76011E3A 7 Bytes [E9, D9, 01, F4, E9, 90, 90] {JMP 0xffffffffe9f401de; NOP ; NOP }
    .text advapi32.dll!StartServiceW 76017974 5 Bytes [E9, 63, 9A, F3, E9] {JMP 0xffffffffe9f39a68}
    .text advapi32.dll!QueryServiceStatusEx 7601798C 5 Bytes [E9, 03, 9D, F3, E9] {JMP 0xffffffffe9f39d08}
    .text advapi32.dll!SetFileSecurityW 760179C3 5 Bytes [E9, A4, B6, F3, E9] {JMP 0xffffffffe9f3b6a9}
    .text advapi32.dll!SetSecurityInfo 76019EDF 5 Bytes [E9, 9C, 95, F3, E9] {JMP 0xffffffffe9f395a1}
    .text advapi32.dll!SetNamedSecurityInfoW 76019FE2 5 Bytes [E9, 51, 97, F3, E9] {JMP 0xffffffffe9f39756}
    .text advapi32.dll!EnumServicesStatusExW 7601B466 7 Bytes [E9, 8D, 76, F3, E9, 90, 90] {JMP 0xffffffffe9f37692; NOP ; NOP }
    .text advapi32.dll!QueryServiceConfigW 7601B537 5 Bytes [E9, 6C, 65, F3, E9] {JMP 0xffffffffe9f36571}
    .text advapi32.dll!CreateProcessAsUserW 7601C592 5 Bytes [E9, 61, 21, F3, E9] {JMP 0xffffffffe9f32166}
    .text advapi32.dll!OpenServiceW 7601CA4C 5 Bytes [E9, 77, 45, F3, E9] {JMP 0xffffffffe9f3457c}
    .text advapi32.dll!OpenSCManagerW 7601CA64 5 Bytes [E9, EF, 3F, F3, E9] {JMP 0xffffffffe9f33ff4}
    .text advapi32.dll!QueryServiceStatus 76022A86 5 Bytes [E9, AD, EA, F2, E9] {JMP 0xffffffffe9f2eab2}
    .text advapi32.dll!OpenSCManagerA 76022BD8 5 Bytes [E9, 1F, DD, F2, E9] {JMP 0xffffffffe9f2dd24}
    .text advapi32.dll!OpenServiceA 76022BF0 5 Bytes [E9, 77, E2, F2, E9] {JMP 0xffffffffe9f2e27c}
    .text advapi32.dll!AdjustTokenPrivileges 7602418E 5 Bytes [E9, 21, EC, F2, E9] {JMP 0xffffffffe9f2ec26}
    .text advapi32.dll!SetKernelObjectSecurity 76024645 5 Bytes [E9, 7E, EB, F2, E9] {JMP 0xffffffffe9f2eb83}
    .text advapi32.dll!CreateServiceW 7603712C 5 Bytes [E9, DF, 9B, F1, E9] {JMP 0xffffffffe9f19be4}
    .text advapi32.dll!ControlService 76037144 5 Bytes [E9, A7, A6, F1, E9] {JMP 0xffffffffe9f1a6ac}
    .text advapi32.dll!DeleteService 7603715C 5 Bytes [E9, C3, 9F, F1, E9] {JMP 0xffffffffe9f19fc8}
    .text advapi32.dll!QueryServiceConfigA 76039A4F 5 Bytes [E9, F8, 7E, F1, E9] {JMP 0xffffffffe9f17efd}
    .text advapi32.dll!EnumServicesStatusExA 7603A3E2 7 Bytes [E9, B5, 85, F1, E9, 90, 90] {JMP 0xffffffffe9f185ba; NOP ; NOP }
    .text advapi32.dll!CreateProcessAsUserA 76052538 5 Bytes [E9, 17, C3, EF, E9] {JMP 0xffffffffe9efc31c}
    .text advapi32.dll!ChangeServiceConfig2A 760530C8 5 Bytes [E9, 5F, F3, EF, E9] {JMP 0xffffffffe9eff364}
    .text advapi32.dll!ChangeServiceConfig2W 760530D8 5 Bytes [E9, AB, F4, EF, E9] {JMP 0xffffffffe9eff4b0}
    .text advapi32.dll!ChangeServiceConfigA 760530E8 5 Bytes [E9, 87, F0, EF, E9] {JMP 0xffffffffe9eff08c}
    .text advapi32.dll!ChangeServiceConfigW 760530F8 5 Bytes [E9, D3, F1, EF, E9] {JMP 0xffffffffe9eff1d8}
    .text advapi32.dll!CreateServiceA 76053158 5 Bytes [E9, 57, DA, EF, E9] {JMP 0xffffffffe9efda5c}
    .text advapi32.dll!QueryServiceConfig2A 760533E9 5 Bytes [E9, 16, E8, EF, E9] {JMP 0xffffffffe9efe81b}
    .text advapi32.dll!QueryServiceConfig2W 760533F9 5 Bytes [E9, 62, E9, EF, E9] {JMP 0xffffffffe9efe967}
    .text advapi32.dll!SetServiceObjectSecurity 76053533 5 Bytes [E9, EC, FD, EF, E9] {JMP 0xffffffffe9effdf1}
    .text advapi32.dll!StartServiceA 76053543 5 Bytes [E9, 38, DD, EF, E9] {JMP 0xffffffffe9efdd3d}
    .text advapi32.dll!CreateProcessWithLogonW 760552E9 5 Bytes [E9, AE, 92, EF, E9] {JMP 0xffffffffe9ef92b3}
    .text advapi32.dll!InitiateSystemShutdownW 7606DA6D 5 Bytes [E9, 76, 6E, EE, E9] {JMP 0xffffffffe9ee6e7b}
    .text advapi32.dll!InitiateSystemShutdownExW 7606DB3A 5 Bytes [E9, 61, 70, EE, E9] {JMP 0xffffffffe9ee7066}
    .text advapi32.dll!AbortSystemShutdownW 7606DD60 5 Bytes [E9, F3, 70, EE, E9] {JMP 0xffffffffe9ee70f8}
    .text advapi32.dll!EnumServicesStatusA 76072021 7 Bytes [E9, BE, 06, EE, E9, 90, 90] {JMP 0xffffffffe9ee06c3; NOP ; NOP }
    .text advapi32.dll!EnumDependentServicesA 76072104 7 Bytes [E9, B3, FD, ED, E9, 90, 90] {JMP 0xffffffffe9edfdb8; NOP ; NOP }
    .text advapi32.dll!EnumServicesStatusW 76072221 5 Bytes [E9, 1A, 06, EE, E9] {JMP 0xffffffffe9ee061f}
    .text user32.dll!SetUserObjectSecurity 75F32285 8 Bytes [90, E9, 09, 16, 02, EA, 90, ...] {NOP ; JMP 0xffffffffea02160f; NOP ; NOP }
    .text user32.dll!BroadcastSystemMessageExW 75F34255 5 Bytes [E9, 8A, C2, 01, EA] {JMP 0xffffffffea01c28f}
    .text user32.dll!BroadcastSystemMessageW 75F37CB8 5 Bytes [E9, 6F, 85, 01, EA] {JMP 0xffffffffea018574}
    .text user32.dll!PostThreadMessageA 75F3AD09 5 Bytes [E9, 2A, 46, 01, EA] {JMP 0xffffffffea01462f}
    .text user32.dll!SendMessageA 75F3AD60 5 Bytes [E9, 63, 40, 01, EA] {JMP 0xffffffffea014068}
    .text user32.dll!PostMessageA 75F3B446 5 Bytes [E9, 35, 3C, 01, EA] {JMP 0xffffffffea013c3a}
    .text user32.dll!SendNotifyMessageW 75F3C88A 8 Bytes [90, E9, 2C, 34, 01, EA, 90, ...] {NOP ; JMP 0xffffffffea013432; NOP ; NOP }
    .text user32.dll!SetWindowsHookExW 75F3E30C 7 Bytes [90, E9, F2, 5A, 01, EA, 90] {NOP ; JMP 0xffffffffea015af8; NOP }
    .text user32.dll!SendMessageTimeoutW 75F3E459 7 Bytes [90, E9, A5, 15, 01, EA, 90] {NOP ; JMP 0xffffffffea0115ab; NOP }
    .text user32.dll!PostThreadMessageW 75F3EEFC 5 Bytes [E9, 93, 05, 01, EA] {JMP 0xffffffffea010598}
    .text user32.dll!SendMessageCallbackW 75F42F7B 5 Bytes [E9, CC, C7, 00, EA] {JMP 0xffffffffea00c7d1}
    .text user32.dll!PostMessageW 75F4447B 5 Bytes [E9, 5C, AD, 00, EA] {JMP 0xffffffffea00ad61}
    .text user32.dll!SendMessageW 75F45539 6 Bytes [90, E9, E5, 99, 00, EA] {NOP ; JMP 0xffffffffea0099eb}
    .text user32.dll!SendNotifyMessageA 75F5493C 8 Bytes [90, E9, 1E, B2, FF, E9, 90, ...] {NOP ; JMP 0xffffffffe9ffb224; NOP ; NOP }
    .text user32.dll!SendDlgItemMessageW 75F570D8 5 Bytes [E9, 97, 8E, FF, E9] {JMP 0xffffffffe9ff8e9c}
    .text user32.dll!SendDlgItemMessageA 75F57241 5 Bytes [E9, D2, 8B, FF, E9] {JMP 0xffffffffe9ff8bd7}
    .text user32.dll!OpenClipboard 75F6447E 5 Bytes [E9, D9, 94, FE, E9] {JMP 0xffffffffe9fe94de}
    .text user32.dll!SetWindowsHookExA 75F66D0C 7 Bytes [90, E9, 96, CF, FE, E9, 90] {NOP ; JMP 0xffffffffe9fecf9c; NOP }
    .text user32.dll!SendMessageTimeoutA 75F66DA9 7 Bytes [90, E9, F9, 8A, FE, E9, 90] {NOP ; JMP 0xffffffffe9fe8aff; NOP }
    .text user32.dll!SetWindowsHookA 75F7B641 7 Bytes [90, E9, 19, 89, FD, E9, 90] {NOP ; JMP 0xffffffffe9fd891f; NOP }
    .text user32.dll!SetWindowsHookW 75F7B65C 7 Bytes [90, E9, 5A, 8A, FD, E9, 90] {NOP ; JMP 0xffffffffe9fd8a60; NOP }
    .text user32.dll!EndTask 75F7FD66 5 Bytes [E9, 01, EF, FC, E9] {JMP 0xffffffffe9fcef06}
    .text user32.dll!ExitWindowsEx 75F806C7 5 Bytes [E9, E8, 48, FD, E9] {JMP 0xffffffffe9fd48ed}
    .text user32.dll!BroadcastSystemMessageExA 75F93B23 5 Bytes [E9, 60, C8, FB, E9] {JMP 0xffffffffe9fbc865}
    .text user32.dll!BroadcastSystemMessage 75F93B4A 5 Bytes [E9, 81, C5, FB, E9] {JMP 0xffffffffe9fbc586}
    .text user32.dll!SendMessageCallbackA 75F93E8B 5 Bytes [E9, 60, B7, FB, E9] {JMP 0xffffffffe9fbb765}
    .text shell32.dll!SHCreateProcessAsUserW 75526B50 8 Bytes [90, E9, 5A, 7E, A2, EA, 90, ...] {NOP ; JMP 0xffffffffeaa27e60; NOP ; NOP }
    ---- User code sections - GMER 1.0.15 ----
     
  8. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    ****** continued 2 ******
    ---- User code sections - GMER 1.0.15 ----
    .text C:\Windows\system32\svchost.exe[884] svchost.exe 00E32104 11 Bytes CALL 00E31DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[884] svchost.exe 00E32110 14 Bytes CALL 00E31D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[884] svchost.exe 00E32120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[884] svchost.exe 00E3212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[884] svchost.exe 00E3213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...]
    .text ...
    .text C:\Windows\system32\svchost.exe[884] kernel32.dll!CreateProcessInternalW 767007A2 5 Bytes JMP 0002483D
    .text C:\Windows\system32\svchost.exe[960] svchost.exe 00E32104 11 Bytes CALL 00E31DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[960] svchost.exe 00E32110 14 Bytes CALL 00E31D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[960] svchost.exe 00E32120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[960] svchost.exe 00E3212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[960] svchost.exe 00E3213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...]
    .text ...
    .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateProcessW + 2 766B204F 8 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateProcessA + 2 766B2084 8 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryExW + 2 766F507B 9 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[960] kernel32.dll!GetProcAddress 766FCC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[960] kernel32.dll!FreeLibrary 766FEF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!CreateProcessAsUserW 7601C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!CreateProcessAsUserA + 2 7605253A 8 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!CreateProcessWithLogonW + 2 760552EB 6 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1016] svchost.exe 00E32104 11 Bytes CALL 00E31DDC C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\System32\svchost.exe[1016] svchost.exe 00E32110 14 Bytes CALL 00E31D8A C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\System32\svchost.exe[1016] svchost.exe 00E32120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\System32\svchost.exe[1016] svchost.exe 00E3212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\System32\svchost.exe[1016] svchost.exe 00E3213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...]
    .text ...
    .text C:\Windows\System32\svchost.exe[1016] kernel32.dll!CreateProcessW + 2 766B204F 8 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1016] kernel32.dll!CreateProcessA + 2 766B2084 8 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1016] kernel32.dll!LoadLibraryExW + 2 766F507B 9 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1016] kernel32.dll!GetProcAddress 766FCC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1016] kernel32.dll!FreeLibrary 766FEF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1016] ADVAPI32.dll!CreateProcessAsUserW 7601C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1016] ADVAPI32.dll!CreateProcessAsUserA + 2 7605253A 8 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1016] ADVAPI32.dll!CreateProcessWithLogonW + 2 760552EB 6 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\System32\svchost.exe[1076] svchost.exe 00E32104 11 Bytes CALL 00E31DDC C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\System32\svchost.exe[1076] svchost.exe 00E32110 14 Bytes CALL 00E31D8A C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\System32\svchost.exe[1076] svchost.exe 00E32120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\System32\svchost.exe[1076] svchost.exe 00E3212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\System32\svchost.exe[1076] svchost.exe 00E3213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...]
    .text ...
    .text C:\Windows\System32\svchost.exe[1076] kernel32.dll!CreateProcessInternalW 767007A2 5 Bytes JMP 0002483D
    .text C:\Windows\system32\svchost.exe[1124] svchost.exe 00E32104 11 Bytes CALL 00E31DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1124] svchost.exe 00E32110 14 Bytes CALL 00E31D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1124] svchost.exe 00E32120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[1124] svchost.exe 00E3212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[1124] svchost.exe 00E3213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...]
    .text ...
    .text C:\Windows\system32\svchost.exe[1124] kernel32.dll!CreateProcessInternalW 767007A2 5 Bytes JMP 0002483D
    .text C:\Windows\system32\svchost.exe[1272] svchost.exe 00E32104 11 Bytes CALL 00E31DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1272] svchost.exe 00E32110 14 Bytes CALL 00E31D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1272] svchost.exe 00E32120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[1272] svchost.exe 00E3212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[1272] svchost.exe 00E3213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...]
    .text ...
    .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 766B204D 7 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 766B2082 7 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExW 766F5079 6 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!GetProcAddress 766FCC94 6 Bytes JMP 5FF4DECB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1272] kernel32.dll!FreeLibrary 766FEF67 6 Bytes JMP 5FF4E027 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!CreateProcessAsUserW 7601C592 6 Bytes JMP 5FF4E6F7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!CreateProcessAsUserA 76052538 7 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1272] ADVAPI32.dll!CreateProcessWithLogonW 760552E9 8 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1460] svchost.exe 00E32104 11 Bytes CALL 00E31DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1460] svchost.exe 00E32110 14 Bytes CALL 00E31D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1460] svchost.exe 00E32120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[1460] svchost.exe 00E3212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[1460] svchost.exe 00E3213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...]
    .text ...
    .text C:\Windows\system32\svchost.exe[1460] kernel32.dll!CreateProcessW 766B204D 5 Bytes JMP 5FF4E440 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1460] kernel32.dll!CreateProcessA 766B2082 5 Bytes JMP 5FF4E2E4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1460] kernel32.dll!LoadLibraryExW 766F5079 5 Bytes JMP 5FF4DD70 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1460] kernel32.dll!GetProcAddress 766FCC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1460] kernel32.dll!FreeLibrary 766FEF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1460] ADVAPI32.dll!CreateProcessAsUserW 7601C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1460] ADVAPI32.dll!CreateProcessAsUserA 76052538 5 Bytes JMP 5FF4E854 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1460] ADVAPI32.dll!CreateProcessWithLogonW 760552E9 5 Bytes JMP 5FF4E59C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1640] svchost.exe 00E32104 11 Bytes CALL 00E31DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1640] svchost.exe 00E32110 14 Bytes CALL 00E31D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1640] svchost.exe 00E32120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[1640] svchost.exe 00E3212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[1640] svchost.exe 00E3213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...]
    .text ...
    .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!CreateProcessW 766B204D 7 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!CreateProcessA 766B2082 7 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!LoadLibraryExW 766F5079 6 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!GetProcAddress 766FCC94 6 Bytes JMP 5FF4DECB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1640] kernel32.dll!FreeLibrary 766FEF67 6 Bytes JMP 5FF4E027 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1640] ADVAPI32.dll!CreateProcessAsUserW 7601C592 6 Bytes JMP 5FF4E6F7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1640] ADVAPI32.dll!CreateProcessAsUserA 76052538 7 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1640] ADVAPI32.dll!CreateProcessWithLogonW 760552E9 8 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[1804] svchost.exe 00E32104 11 Bytes CALL 00E31DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1804] svchost.exe 00E32110 14 Bytes CALL 00E31D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[1804] svchost.exe 00E32120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[1804] svchost.exe 00E3212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[1804] svchost.exe 00E3213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...]
    .text ...
    .text C:\Windows\system32\svchost.exe[1804] kernel32.dll!CreateProcessInternalW 767007A2 5 Bytes JMP 0002483D
    .text C:\Windows\system32\svchost.exe[2076] svchost.exe 00E32104 11 Bytes CALL 00E31DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[2076] svchost.exe 00E32110 14 Bytes CALL 00E31D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[2076] svchost.exe 00E32120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[2076] svchost.exe 00E3212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[2076] svchost.exe 00E3213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...]
    .text ...
    .text C:\Windows\system32\svchost.exe[2076] kernel32.dll!CreateProcessW 766B204D 7 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2076] kernel32.dll!CreateProcessA 766B2082 7 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2076] kernel32.dll!LoadLibraryExW 766F5079 6 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2076] kernel32.dll!GetProcAddress 766FCC94 6 Bytes JMP 5FF4DECB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2076] kernel32.dll!FreeLibrary 766FEF67 6 Bytes JMP 5FF4E027 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2076] ADVAPI32.dll!CreateProcessAsUserW 7601C592 6 Bytes JMP 5FF4E6F7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2076] ADVAPI32.dll!CreateProcessAsUserA 76052538 7 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2076] ADVAPI32.dll!CreateProcessWithLogonW 760552E9 8 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2076] SHELL32.dll!SHCreateProcessAsUserW 75526B50 8 Bytes JMP 5FF4E9AF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2492] svchost.exe 00E32104 11 Bytes CALL 00E31DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[2492] svchost.exe 00E32110 14 Bytes CALL 00E31D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[2492] svchost.exe 00E32120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[2492] svchost.exe 00E3212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[2492] svchost.exe 00E3213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...]
    .text ...
    .text C:\Windows\system32\svchost.exe[2492] kernel32.dll!CreateProcessW + 2 766B204F 8 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2492] kernel32.dll!CreateProcessA + 2 766B2084 8 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2492] kernel32.dll!LoadLibraryExW + 2 766F507B 9 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2492] kernel32.dll!GetProcAddress 766FCC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2492] kernel32.dll!FreeLibrary 766FEF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2492] ADVAPI32.dll!CreateProcessAsUserW 7601C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2492] ADVAPI32.dll!CreateProcessAsUserA + 2 7605253A 8 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2492] ADVAPI32.dll!CreateProcessWithLogonW + 2 760552EB 6 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Windows\system32\svchost.exe[2992] svchost.exe 00E32104 11 Bytes CALL 00E31DDC C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[2992] svchost.exe 00E32110 14 Bytes CALL 00E31D8A C:\Windows\system32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
    .text C:\Windows\system32\svchost.exe[2992] svchost.exe 00E32120 10 Bytes [8B, 70, 04, 89, 5D, E4, BF, ...]
    .text C:\Windows\system32\svchost.exe[2992] svchost.exe 00E3212B 15 Bytes [53, 56, 57, FF, 15, 70, 10, ...]
    .text C:\Windows\system32\svchost.exe[2992] svchost.exe 00E3213B 8 Bytes [00, 33, F6, 46, A1, 68, 50, ...]
    .text ...
     
  9. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    ****** continued 3 ******
    .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!CreateProcessInternalW 767007A2 5 Bytes JMP 0002483D
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] kernel32.dll!CreateProcessW + 2 766B204F 8 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] kernel32.dll!CreateProcessA + 2 766B2084 8 Bytes JMP 5FF4E2E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] kernel32.dll!VirtualProtect + 2 766F2BCF 9 Bytes JMP 5FF53B4B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] kernel32.dll!LoadLibraryExW + 2 766F507B 9 Bytes JMP 5FF4DD6F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] kernel32.dll!GetProcAddress 766FCC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] kernel32.dll!FreeLibrary 766FEF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] kernel32.dll!DebugActiveProcess + 2 7673738E 8 Bytes JMP 5FF544CF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] kernel32.dll!VirtualProtectEx + 2 7673FD53 9 Bytes JMP 5FF539EF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SetUserObjectSecurity + 2 75F32287 6 Bytes JMP 5FF53893 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!BroadcastSystemMessageExW + 2 75F34257 8 Bytes JMP 5FF504E3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!BroadcastSystemMessageW + 2 75F37CBA 7 Bytes JMP 5FF5022B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!PostThreadMessageA + 2 75F3AD0B 8 Bytes JMP 5FF4F337 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SendMessageA + 2 75F3AD62 7 Bytes JMP 5FF4EDC7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!PostMessageA + 2 75F3B448 6 Bytes JMP 5FF4F07F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SendNotifyMessageW + 2 75F3C88C 6 Bytes JMP 5FF4FCBB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SetWindowsHookExW + 2 75F3E30E 8 Bytes JMP 5FF53E03 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SendMessageTimeoutW + 2 75F3E45B 8 Bytes JMP 5FF4FA03 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!PostThreadMessageW + 2 75F3EEFE 6 Bytes JMP 5FF4F493 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SendMessageCallbackW + 2 75F42F7D 8 Bytes JMP 5FF4F74B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!PostMessageW + 2 75F4447D 7 Bytes JMP 5FF4F1DB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SendMessageW + 2 75F4553B 7 Bytes JMP 5FF4EF23 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SendNotifyMessageA + 2 75F5493E 6 Bytes JMP 5FF4FB5F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SendDlgItemMessageW + 2 75F570DA 7 Bytes JMP 5FF4FF73 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SendDlgItemMessageA + 2 75F57243 7 Bytes JMP 5FF4FE17 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!OpenClipboard + 2 75F64480 7 Bytes JMP 5FF4D95B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SetWindowsHookExA + 2 75F66D0E 8 Bytes JMP 5FF53CA7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SendMessageTimeoutA + 2 75F66DAB 8 Bytes JMP 5FF4F8A7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SetWindowsHookA + 2 75F7B643 8 Bytes JMP 5FF53F5F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SetWindowsHookW + 2 75F7B65E 8 Bytes JMP 5FF540BB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!EndTask + 2 75F7FD68 6 Bytes JMP 5FF4EC6B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!ExitWindowsEx + 2 75F806C9 6 Bytes JMP 5FF54FB3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!BroadcastSystemMessageExA + 2 75F93B25 8 Bytes JMP 5FF50387 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!BroadcastSystemMessage + 2 75F93B4C 7 Bytes JMP 5FF500CF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] USER32.dll!SendMessageCallbackA + 2 75F93E8D 8 Bytes JMP 5FF4F5EF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ole32.dll!CoGetClassObject + 2 765854AF 8 Bytes JMP 5FF4D3EB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ole32.dll!CoInitializeEx + 2 765909AF 6 Bytes JMP 5FF4D133 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ole32.dll!CoCreateInstanceEx + 2 76599D50 7 Bytes JMP 5FF4D28F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ole32.dll!CoGetInstanceFromFile + 2 7661340D 8 Bytes JMP 5FF4D547 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ole32.dll!CoGetInstanceFromIStorage + 2 76630F09 8 Bytes JMP 5FF4D6A3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!EnumDependentServicesW 76011E3A 5 Bytes [8B, FF, 90, E9, D6]
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!EnumDependentServicesW + 6 76011E40 6 Bytes JMP 0691AED5
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!StartServiceW 76017974 5 Bytes JMP 5FF513DC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!QueryServiceStatusEx 7601798C 5 Bytes JMP 5FF51694 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!SetFileSecurityW 760179C3 5 Bytes JMP 5FF5306C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!SetSecurityInfo + 2 76019EE1 6 Bytes JMP 5FF5347F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!SetNamedSecurityInfoW + 2 76019FE4 6 Bytes JMP 5FF53737 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!EnumServicesStatusExW 7601B466 12 Bytes JMP 5FF52AF5 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!QueryServiceConfigW 7601B537 5 Bytes JMP 5FF51AA8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!CreateProcessAsUserW 7601C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!OpenServiceW 7601CA4C 5 Bytes JMP 5FF50FC8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!OpenSCManagerW 7601CA64 5 Bytes JMP 5FF50A58 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!QueryServiceStatus 76022A86 5 Bytes JMP 5FF51538 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!OpenSCManagerA 76022BD8 5 Bytes JMP 5FF508FC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!OpenServiceA 76022BF0 5 Bytes JMP 5FF50E6C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!AdjustTokenPrivileges 7602418E 5 Bytes JMP 5FF52DB4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!SetKernelObjectSecurity 76024645 5 Bytes JMP 5FF531C8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!CreateServiceW 7603712C 5 Bytes JMP 5FF50D10 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!ControlService 76037144 5 Bytes JMP 5FF517F0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!DeleteService 7603715C 5 Bytes JMP 5FF51124 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!QueryServiceConfigA 76039A4F 5 Bytes JMP 5FF5194C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!EnumServicesStatusExA 7603A3E2 12 Bytes JMP 5FF52999 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!CreateProcessAsUserA + 2 7605253A 8 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!ChangeServiceConfig2A + 2 760530CA 9 Bytes JMP 5FF5242B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!ChangeServiceConfig2W + 2 760530DA 9 Bytes JMP 5FF52587 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!ChangeServiceConfigA + 2 760530EA 9 Bytes JMP 5FF52173 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!ChangeServiceConfigW + 2 760530FA 9 Bytes JMP 5FF522CF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!CreateServiceA + 2 7605315A 9 Bytes JMP 5FF50BB3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!QueryServiceConfig2A + 2 760533EB 9 Bytes JMP 5FF51C03 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!QueryServiceConfig2W + 2 760533FB 9 Bytes JMP 5FF51D5F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!SetServiceObjectSecurity + 2 76053535 9 Bytes JMP 5FF53323 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!StartServiceA + 2 76053545 9 Bytes JMP 5FF5127F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!CreateProcessWithLogonW + 2 760552EB 6 Bytes JMP 5FF4E59B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!InitiateSystemShutdownW + 2 7606DA6F 6 Bytes JMP 5FF548E7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!InitiateSystemShutdownExW + 2 7606DB3C 6 Bytes JMP 5FF54B9F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!AbortSystemShutdownW + 2 7606DD62 7 Bytes JMP 5FF54E57 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!EnumServicesStatusA 76072021 12 Bytes JMP 5FF526E1 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!EnumDependentServicesA 76072104 12 Bytes JMP 5FF51EB9 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!EnumServicesStatusW + 2 76072223 8 Bytes JMP 5FF5283F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] SHELL32.dll!SHCreateProcessAsUserW 75526B50 8 Bytes JMP 5FF4E9AD C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
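The hook lines above all share one shape, and what separates them is the tail: most carry a resolved module path and description (here CA's UmxSbxw.dll), while a few end in a bare JMP address or a raw byte patch that GMER could not attribute to any loaded module. A triage script that parses that grammar and surfaces the unattributed hooks per process is the check a responder would want before reading a thousand lines by hand. The example below is added here as an editor's illustration; it is not code from the poster, from GMER or from TechSpot. It assumes only the line format visible in the log (the `.text <process>[<pid>] <module>!<export>[ + off] <addr> <n> Bytes JMP <target> [<dll> (<desc>)]` and `[<bytes>]` variants), and its sample input is five lines copied from the posted log. An unattributed target is a lead to investigate, not by itself a verdict.

```python
"""Triage GMER user-mode ".text" hook lines: group them per process and
separate hooks whose JMP target GMER resolved to a named module from hooks
whose target it could not attribute (bare address or raw patch bytes)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One GMER ".text" hook line. The trailing "<dll path> (<description>)" is
# present only when GMER could map the JMP target to a loaded module.
# IAT/SSDT/driver lines use other layouts and are deliberately not matched.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^!\s]+)!(?P<func>\w+)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-F]+)\s+(?P<n>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]+)"
    r"(?:\s+(?P<dll>.+?\.dll)\s*(?:\((?P<desc>[^)]*)\))?)?"
    r"|\[(?P<bytes>[^\]]*)\])\s*$",
    re.IGNORECASE,
)


@dataclass
class Hook:
    process: str
    pid: int
    module: str                   # hooked DLL, e.g. kernel32.dll
    function: str                 # hooked export
    offset: int                   # bytes into the export where the patch starts
    address: int
    nbytes: int
    target: Optional[int]         # JMP destination, None for a raw byte patch
    target_module: Optional[str]  # module GMER resolved the target to, if any
    description: Optional[str]
    patch_bytes: Optional[str]

    @property
    def attributed(self) -> bool:
        return self.target_module is not None


def parse_hook(line: str) -> Optional[Hook]:
    """Return a Hook for a .text hook line, or None for any other GMER line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    return Hook(
        process=m["proc"],
        pid=int(m["pid"]),
        module=m["mod"],
        function=m["func"],
        offset=int(m["off"] or 0),
        address=int(m["addr"], 16),
        nbytes=int(m["n"]),
        target=int(m["target"], 16) if m["target"] else None,
        target_module=m["dll"],
        description=m["desc"],
        patch_bytes=m["bytes"],
    )


def triage(lines):
    """Per process: which modules own the hooks, and which hooks nobody owns."""
    by_proc = defaultdict(list)
    for hook in filter(None, map(parse_hook, lines)):
        by_proc[f"{hook.process}[{hook.pid}]"].append(hook)
    report = {}
    for proc, hooks in by_proc.items():
        report[proc] = {
            "hooks": len(hooks),
            "target_modules": sorted({h.target_module for h in hooks if h.attributed}),
            "unattributed": [
                f"{h.module}!{h.function}+{h.offset} -> "
                + (f"{h.target:08X}" if h.target is not None else f"[{h.patch_bytes}]")
                for h in hooks if not h.attributed
            ],
        }
    return report


# Sample input: five lines copied from the GMER log posted in this thread.
SAMPLE_LINES = [
    r".text C:\Windows\system32\svchost.exe[2992] kernel32.dll!CreateProcessInternalW 767007A2 5 Bytes JMP 0002483D",
    r".text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] kernel32.dll!CreateProcessW + 2 766B204F 8 Bytes JMP 5FF4E43F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)",
    r".text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!EnumDependentServicesW 76011E3A 5 Bytes [8B, FF, 90, E9, D6]",
    r".text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] ADVAPI32.dll!EnumDependentServicesW + 6 76011E40 6 Bytes JMP 0691AED5",
    r".text C:\Windows\Explorer.EXE[3880] kernel32.dll!CreateProcessInternalW 767007A2 5 Bytes JMP 0017483D",
]

if __name__ == "__main__":
    for proc, info in triage(SAMPLE_LINES).items():
        print(proc, info)
```

Run it over a full GMER log (`triage(open("gmer.log").readlines())`) and read the `unattributed` lists first: a hook whose target every process resolves to the same security product's DLL is the product's own instrumentation, whereas a target GMER could not name in a process such as svchost.exe or Explorer.EXE is where to spend the next hour (dump that process's memory regions and compare against its loaded module list). The split is a prioritisation aid only; the parser records exactly what GMER printed and adds no judgement of its own.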
     
  10. A_Wisdom

    ****** continued 4 ******
    .text C:\Windows\Explorer.EXE[3880] kernel32.dll!CreateProcessInternalW 767007A2 5 Bytes JMP 0017483D
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] kernel32.dll!CreateProcessW 766B204D 5 Bytes JMP 5FF4E440 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] kernel32.dll!CreateProcessA 766B2082 5 Bytes JMP 5FF4E2E4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] kernel32.dll!VirtualProtect 766F2BCD 5 Bytes JMP 5FF53B4C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] kernel32.dll!LoadLibraryExW 766F5079 5 Bytes JMP 5FF4DD70 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] kernel32.dll!GetProcAddress 766FCC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] kernel32.dll!FreeLibrary 766FEF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] kernel32.dll!DebugActiveProcess 7673738C 5 Bytes JMP 5FF544D0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] kernel32.dll!VirtualProtectEx 7673FD51 5 Bytes JMP 5FF539F0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!EnumDependentServicesW 76011E3A 7 Bytes JMP 5FF52018 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!StartServiceW 76017974 5 Bytes JMP 5FF513DC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!QueryServiceStatusEx 7601798C 5 Bytes JMP 5FF51694 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!SetFileSecurityW 760179C3 5 Bytes JMP 5FF5306C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!SetSecurityInfo 76019EDF 5 Bytes JMP 5FF53480 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!SetNamedSecurityInfoW 76019FE2 5 Bytes JMP 5FF53738 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!EnumServicesStatusExW 7601B466 7 Bytes JMP 5FF52AF8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!QueryServiceConfigW 7601B537 5 Bytes JMP 5FF51AA8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!CreateProcessAsUserW 7601C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!OpenServiceW 7601CA4C 5 Bytes JMP 5FF50FC8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!OpenSCManagerW 7601CA64 5 Bytes JMP 5FF50A58 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!QueryServiceStatus 76022A86 5 Bytes JMP 5FF51538 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!OpenSCManagerA 76022BD8 5 Bytes JMP 5FF508FC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!OpenServiceA 76022BF0 5 Bytes JMP 5FF50E6C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!AdjustTokenPrivileges 7602418E 5 Bytes JMP 5FF52DB4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!SetKernelObjectSecurity 76024645 5 Bytes JMP 5FF531C8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!CreateServiceW 7603712C 5 Bytes JMP 5FF50D10 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!ControlService 76037144 5 Bytes JMP 5FF517F0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!DeleteService 7603715C 5 Bytes JMP 5FF51124 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!QueryServiceConfigA 76039A4F 5 Bytes JMP 5FF5194C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!EnumServicesStatusExA 7603A3E2 7 Bytes JMP 5FF5299C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!CreateProcessAsUserA 76052538 5 Bytes JMP 5FF4E854 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!ChangeServiceConfig2A 760530C8 5 Bytes JMP 5FF5242C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!ChangeServiceConfig2W 760530D8 5 Bytes JMP 5FF52588 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!ChangeServiceConfigA 760530E8 5 Bytes JMP 5FF52174 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!ChangeServiceConfigW 760530F8 5 Bytes JMP 5FF522D0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!CreateServiceA 76053158 5 Bytes JMP 5FF50BB4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!QueryServiceConfig2A 760533E9 5 Bytes JMP 5FF51C04 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!QueryServiceConfig2W 760533F9 5 Bytes JMP 5FF51D60 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!SetServiceObjectSecurity 76053533 5 Bytes JMP 5FF53324 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!StartServiceA 76053543 5 Bytes JMP 5FF51280 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!CreateProcessWithLogonW 760552E9 5 Bytes JMP 5FF4E59C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!InitiateSystemShutdownW 7606DA6D 5 Bytes JMP 5FF548E8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!InitiateSystemShutdownExW 7606DB3A 5 Bytes JMP 5FF54BA0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!AbortSystemShutdownW 7606DD60 5 Bytes JMP 5FF54E58 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!EnumServicesStatusA 76072021 7 Bytes JMP 5FF526E4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!EnumDependentServicesA 76072104 7 Bytes JMP 5FF51EBC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ADVAPI32.dll!EnumServicesStatusW 76072221 5 Bytes JMP 5FF52840 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SetUserObjectSecurity 75F32285 8 Bytes JMP 5FF53893 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!BroadcastSystemMessageExW 75F34255 5 Bytes JMP 5FF504E4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!BroadcastSystemMessageW 75F37CB8 5 Bytes JMP 5FF5022C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!PostThreadMessageA 75F3AD09 5 Bytes JMP 5FF4F338 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SendMessageA 75F3AD60 5 Bytes JMP 5FF4EDC8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!PostMessageA 75F3B446 5 Bytes JMP 5FF4F080 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SendNotifyMessageW 75F3C88A 8 Bytes JMP 5FF4FCBB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SetWindowsHookExW 75F3E30C 7 Bytes JMP 5FF53E03 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SendMessageTimeoutW 75F3E459 7 Bytes JMP 5FF4FA03 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!PostThreadMessageW 75F3EEFC 5 Bytes JMP 5FF4F494 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SendMessageCallbackW 75F42F7B 5 Bytes JMP 5FF4F74C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!PostMessageW 75F4447B 5 Bytes JMP 5FF4F1DC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SendMessageW 75F45539 6 Bytes JMP 5FF4EF23 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SendNotifyMessageA 75F5493C 8 Bytes JMP 5FF4FB5F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SendDlgItemMessageW 75F570D8 5 Bytes JMP 5FF4FF74 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SendDlgItemMessageA 75F57241 5 Bytes JMP 5FF4FE18 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!OpenClipboard 75F6447E 5 Bytes JMP 5FF4D95C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SetWindowsHookExA 75F66D0C 7 Bytes JMP 5FF53CA7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SendMessageTimeoutA 75F66DA9 7 Bytes JMP 5FF4F8A7 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SetWindowsHookA 75F7B641 7 Bytes JMP 5FF53F5F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SetWindowsHookW 75F7B65C 7 Bytes JMP 5FF540BB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!EndTask 75F7FD66 5 Bytes JMP 5FF4EC6C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!ExitWindowsEx 75F806C7 5 Bytes JMP 5FF54FB4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!BroadcastSystemMessageExA 75F93B23 5 Bytes JMP 5FF50388 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!BroadcastSystemMessage 75F93B4A 5 Bytes JMP 5FF500D0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] USER32.dll!SendMessageCallbackA 75F93E8B 5 Bytes JMP 5FF4F5F0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ole32.dll!CoGetClassObject 765854AD 10 Bytes JMP 5FF4D3EB C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ole32.dll!CoInitializeEx 765909AD 6 Bytes JMP 5FF4D133 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ole32.dll!CoCreateInstanceEx 76599D4E 6 Bytes JMP 5FF4D28F C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ole32.dll!CoGetInstanceFromFile 7661340B 10 Bytes JMP 5FF4D547 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] ole32.dll!CoGetInstanceFromIStorage 76630F07 10 Bytes JMP 5FF4D6A3 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] SHELL32.dll!SHCreateProcessAsUserW 75526B50 8 Bytes JMP 5FF4E9AF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] kernel32.dll!CreateProcessW 766B204D 5 Bytes JMP 5FF4E440 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] kernel32.dll!CreateProcessA 766B2082 5 Bytes JMP 5FF4E2E4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] kernel32.dll!VirtualProtect 766F2BCD 5 Bytes JMP 5FF53B4C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] kernel32.dll!LoadLibraryExW 766F5079 5 Bytes JMP 5FF4DD70 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] kernel32.dll!GetProcAddress 766FCC94 5 Bytes JMP 5FF4DECC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] kernel32.dll!FreeLibrary 766FEF67 5 Bytes JMP 5FF4E028 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] kernel32.dll!DebugActiveProcess 7673738C 5 Bytes JMP 5FF544D0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] kernel32.dll!VirtualProtectEx 7673FD51 5 Bytes JMP 5FF539F0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SetUserObjectSecurity 75F32285 5 Bytes JMP 5FF53894 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!BroadcastSystemMessageExW 75F34255 5 Bytes JMP 5FF504E4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!BroadcastSystemMessageW 75F37CB8 5 Bytes JMP 5FF5022C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!PostThreadMessageA 75F3AD09 5 Bytes JMP 5FF4F338 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SendMessageA 75F3AD60 5 Bytes JMP 5FF4EDC8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!PostMessageA 75F3B446 5 Bytes JMP 5FF4F080 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SendNotifyMessageW 75F3C88A 5 Bytes JMP 5FF4FCBC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SetWindowsHookExW 75F3E30C 5 Bytes JMP 5FF53E04 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SendMessageTimeoutW 75F3E459 5 Bytes JMP 5FF4FA04 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!PostThreadMessageW 75F3EEFC 5 Bytes JMP 5FF4F494 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SendMessageCallbackW 75F42F7B 5 Bytes JMP 5FF4F74C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!PostMessageW 75F4447B 5 Bytes JMP 5FF4F1DC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SendMessageW 75F45539 5 Bytes JMP 5FF4EF24 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SendNotifyMessageA 75F5493C 5 Bytes JMP 5FF4FB60 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SendDlgItemMessageW 75F570D8 5 Bytes JMP 5FF4FF74 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SendDlgItemMessageA 75F57241 5 Bytes JMP 5FF4FE18 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!OpenClipboard 75F6447E 5 Bytes JMP 5FF4D95C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SetWindowsHookExA 75F66D0C 5 Bytes JMP 5FF53CA8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SendMessageTimeoutA 75F66DA9 5 Bytes JMP 5FF4F8A8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SetWindowsHookA 75F7B641 5 Bytes JMP 5FF53F60 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SetWindowsHookW 75F7B65C 5 Bytes JMP 5FF540BC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!EndTask 75F7FD66 5 Bytes JMP 5FF4EC6C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!ExitWindowsEx 75F806C7 5 Bytes JMP 5FF54FB4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!BroadcastSystemMessageExA 75F93B23 5 Bytes JMP 5FF50388 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!BroadcastSystemMessage 75F93B4A 5 Bytes JMP 5FF500D0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] USER32.dll!SendMessageCallbackA 75F93E8B 5 Bytes JMP 5FF4F5F0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!EnumDependentServicesW 76011E3A 7 Bytes JMP 5FF52018 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!StartServiceW 76017974 5 Bytes JMP 5FF513DC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!QueryServiceStatusEx 7601798C 5 Bytes JMP 5FF51694 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!SetFileSecurityW 760179C3 5 Bytes JMP 5FF5306C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!SetSecurityInfo 76019EDF 5 Bytes JMP 5FF53480 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!SetNamedSecurityInfoW 76019FE2 5 Bytes JMP 5FF53738 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!EnumServicesStatusExW 7601B466 7 Bytes JMP 5FF52AF8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!QueryServiceConfigW 7601B537 5 Bytes JMP 5FF51AA8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!CreateProcessAsUserW 7601C592 5 Bytes JMP 5FF4E6F8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!OpenServiceW 7601CA4C 5 Bytes JMP 5FF50FC8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!OpenSCManagerW 7601CA64 5 Bytes JMP 5FF50A58 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!QueryServiceStatus 76022A86 5 Bytes JMP 5FF51538 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!OpenSCManagerA 76022BD8 5 Bytes JMP 5FF508FC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!OpenServiceA 76022BF0 5 Bytes JMP 5FF50E6C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!AdjustTokenPrivileges 7602418E 5 Bytes JMP 5FF52DB4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!SetKernelObjectSecurity 76024645 5 Bytes JMP 5FF531C8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!CreateServiceW 7603712C 5 Bytes JMP 5FF50D10 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!ControlService 76037144 5 Bytes JMP 5FF517F0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!DeleteService 7603715C 5 Bytes JMP 5FF51124 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!QueryServiceConfigA 76039A4F 5 Bytes JMP 5FF5194C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!EnumServicesStatusExA 7603A3E2 7 Bytes JMP 5FF5299C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!CreateProcessAsUserA + 2 7605253A 8 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!ChangeServiceConfig2A + 2 760530CA 9 Bytes JMP 5FF5242B C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!ChangeServiceConfig2W + 2 760530DA 9 Bytes JMP 5FF52587 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!ChangeServiceConfigA + 2 760530EA 9 Bytes JMP 5FF52173 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!ChangeServiceConfigW + 2 760530FA 9 Bytes JMP 5FF522CF C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!CreateServiceA 76053158 5 Bytes JMP 5FF50BB4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!QueryServiceConfig2A 760533E9 5 Bytes JMP 5FF51C04 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!QueryServiceConfig2W 760533F9 5 Bytes JMP 5FF51D60 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!SetServiceObjectSecurity 76053533 5 Bytes JMP 5FF53324 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!StartServiceA 76053543 5 Bytes JMP 5FF51280 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!CreateProcessWithLogonW 760552E9 5 Bytes JMP 5FF4E59C C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!InitiateSystemShutdownW 7606DA6D 5 Bytes JMP 5FF548E8 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!InitiateSystemShutdownExW 7606DB3A 5 Bytes JMP 5FF54BA0 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!AbortSystemShutdownW + 2 7606DD62 7 Bytes JMP 5FF54E57 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!EnumServicesStatusA 76072021 7 Bytes JMP 5FF526E4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!EnumDependentServicesA 76072104 7 Bytes JMP 5FF51EBC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!EnumServicesStatusW 76072221 5 Bytes JMP 5FF52840 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ole32.dll!CoGetClassObject 765854AD 5 Bytes JMP 5FF4D3EC C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ole32.dll!CoInitializeEx 765909AD 5 Bytes JMP 5FF4D134 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ole32.dll!CoCreateInstanceEx 76599D4E 5 Bytes JMP 5FF4D290 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ole32.dll!CoGetInstanceFromFile 7661340B 5 Bytes JMP 5FF4D548 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    .text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ole32.dll!CoGetInstanceFromIStorage 76630F07 5 Bytes JMP 5FF4D6A4 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
     
  11. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    ****** continued 5 ******
    ---- User IAT/EAT - GMER 1.0.15 ----
    IAT C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] @ C:\Windows\system32\ole32.dll [USER32.dll!SetWindowsHookExW] [5FF53E04] C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    IAT C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3772] @ C:\Windows\system32\SHELL32.dll [USER32.dll!SetWindowsHookExW] [5FF53E04] C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    IAT C:\Windows\Explorer.EXE[3880] @ C:\Windows\Explorer.EXE [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3880] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3880] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3880] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3880] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3880] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [61B011EB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3880] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3880] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3880] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [61B011EB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] @ C:\Windows\system32\ole32.dll [USER32.dll!SetWindowsHookExW] [5FF53E04] C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    IAT C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] @ C:\Windows\system32\SHELL32.dll [USER32.dll!SetWindowsHookExW] [5FF53E04] C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    IAT C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] @ C:\Windows\System32\Secur32.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] @ C:\Windows\system32\ole32.dll [USER32.dll!SetWindowsHookExW] [5FF53E04] C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\USER32.dll [GDI32.dll!GetStockObject] [6134649C] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExA] [613478C9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [61347917] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [613470AD] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [613478C9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6134649C] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [613463D7] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [613464A2] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61346306] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61346344] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61346537] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [613463D7] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61346CC4] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6134649C] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [61347889] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!CreateFileA] [61346622] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!CreateFileW] [6134657C] C:\Program Files\Yahoo!\Messenger\yui.dll
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy4 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy5 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy5 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy6 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy6 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy7 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy7 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy8 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy8 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy9 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy9 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy10 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy10 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy11 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy11 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy12 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy12 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy13 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy13 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy14 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy14 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy15 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy15 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy16 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy16 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy17 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
    AttachedDevice \Driver\volsnap \Device\HarddiskVolumeShadowCopy17 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)
    ---- EOF - GMER 1.0.15 ----
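Every hook in the GMER output above resolves to one of three owners: CA's UmxSbxw.dll (the suite's own user-mode sandbox/HIPS), Microsoft's apphelp.dll and AcSpecfc.DLL (application-compatibility shims) and Yahoo Messenger's yui.dll. Reaching that conclusion by eye over a thousand lines is error-prone, so here is the same triage done mechanically, as an added example that is not part of the original post or of GMER: it parses the `.text` (inline) and `IAT` hook lines, groups them by the module each hook jumps into, and flags any owner that is not on an allow-list. The sample lines are copied from the log above; the allow-list, the user-writable-path rule and all function names are assumptions made for this example.

```python
"""Triage GMER user-mode hook lines by the module that owns each hook.

Added example for this thread; not part of GMER or of the original post.
"""
import re
from collections import defaultdict

# .text <process>[pid] <dll>!<export>[ + n] <addr> <n> Bytes JMP <target> <module> (<desc>)
INLINE_RE = re.compile(
    r"^\.text (?P<proc>.+?\[\d+\]) (?P<api>\S+!\S+)(?: \+ \d+)? "
    r"[0-9A-Fa-f]+ \d+ Bytes JMP (?P<target>[0-9A-Fa-f]+) "
    r"(?P<module>.+?)(?: \((?P<desc>[^)]*)\))?$"
)
# IAT <process>[pid] @ <importing dll> [<dll>!<export>] [<target>] <module> (<desc>)
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?\[\d+\]) @ (?P<importer>.+?) \[(?P<api>[^\]]+)\] "
    r"\[(?P<target>[0-9A-Fa-f]+)\] (?P<module>.+?)(?: \((?P<desc>[^)]*)\))?$"
)

# Assumed allow-list of hook owners expected on this machine, keyed on the
# lower-cased path. The description GMER prints in parentheses comes from the
# file's version resource, which malware sets freely, so it is never the key.
EXPECTED_HOOKERS = {
    "c:\\windows\\system32\\umxsbxw.dll": "CA Internet Security Suite HIPS",
    "c:\\windows\\system32\\apphelp.dll": "Windows app-compat shim engine",
    "c:\\windows\\apppatch\\acspecfc.dll": "Windows app-compat shim",
}

# Constructed sample: a handful of lines copied from the log posted above,
# plus one non-hook line to show it is ignored.
SAMPLE_LOG = r"""
.text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] kernel32.dll!CreateProcessW 766B204D 5 Bytes JMP 5FF4E440 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
.text C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe[4452] ADVAPI32.dll!CreateProcessAsUserA + 2 7605253A 8 Bytes JMP 5FF4E853 C:\Windows\system32\UmxSbxw.dll (User mode executive module DLL/CA)
IAT C:\Windows\Explorer.EXE[3880] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74EDFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Users\HP_Owner\Desktop\Temp\i0netgj5.exe[4340] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [61B011EB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6020] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [61347849] C:\Program Files\Yahoo!\Messenger\yui.dll
---- Devices - GMER 1.0.15 ----
"""


def parse_hook(line):
    """Return a dict for one inline or IAT hook line, or None for any other line."""
    line = line.strip()
    for kind, rx in (("inline", INLINE_RE), ("iat", IAT_RE)):
        m = rx.match(line)
        if m:
            hook = m.groupdict()
            hook["kind"] = kind
            hook["module"] = hook["module"].lower()
            return hook
    return None


def triage(lines):
    """Group hooks by the module they jump into and mark unexpected owners.

    Returns {module_path: {"count", "kinds", "processes", "apis", "expected", "why"}}.
    """
    by_module = defaultdict(
        lambda: {"count": 0, "kinds": set(), "processes": set(), "apis": set()}
    )
    for line in lines:
        hook = parse_hook(line)
        if hook is None:
            continue
        entry = by_module[hook["module"]]
        entry["count"] += 1
        entry["kinds"].add(hook["kind"])
        entry["processes"].add(hook["proc"])
        entry["apis"].add(hook["api"])
    for module, entry in by_module.items():
        why = EXPECTED_HOOKERS.get(module)
        if why is None:
            # Not on the list: needs a human look. A hook owner living in a
            # user-writable directory deserves more attention than a vendor DLL.
            user_dir = "\\users\\" in module or "\\temp\\" in module
            why = "unexpected hook owner" + (" in user-writable path" if user_dir else "")
        entry["expected"] = module in EXPECTED_HOOKERS
        entry["why"] = why
    return dict(by_module)


def flagged(result):
    """Modules that placed hooks but are not on the allow-list, sorted."""
    return sorted(m for m, e in result.items() if not e["expected"])


if __name__ == "__main__":
    for module, e in triage(SAMPLE_LOG.splitlines()).items():
        mark = "ok  " if e["expected"] else "LOOK"
        print(f"{mark} {e['count']:3d} hooks -> {module}  [{e['why']}]")
```

Run it over the full GMER log instead of the sample and the output is a short list of owners rather than a wall of hooks; the only entry it asks a human to look at here is yui.dll, which is a known Yahoo Messenger component rather than anything hiding in svchost. The allow-list has to be keyed on path (and, in a real investigation, confirmed by signature or hash), because the vendor text in parentheses is whatever the file's version info says.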
     
     
  12. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    ****************************************
    Could not get DDS.com to produce a log file. It seemed to run fine, then locked the system.
    Have uninstalled MalwareBytes and CA Total Defense, re-run, still locking the system.
     
  13. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    ===============================

    • Download RogueKiller to the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    =================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
  14. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    TDSSKiller
    17:25:32.0574 2036 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
    17:25:34.0602 2036 ============================================================
    17:25:34.0602 2036 Current date / time: 2012/09/22 17:25:34.0602
    17:25:34.0602 2036 SystemInfo:
    17:25:34.0602 2036
    17:25:34.0602 2036 OS Version: 6.1.7601 ServicePack: 1.0
    17:25:34.0602 2036 Product type: Workstation
    17:25:34.0602 2036 ComputerName: DESKTOP
    17:25:34.0602 2036 UserName: HP_Owner
    17:25:34.0602 2036 Windows directory: C:\Windows
    17:25:34.0602 2036 System windows directory: C:\Windows
    17:25:34.0602 2036 Processor architecture: Intel x86
    17:25:34.0602 2036 Number of processors: 2
    17:25:34.0602 2036 Page size: 0x1000
    17:25:34.0602 2036 Boot type: Normal boot
    17:25:34.0602 2036 ============================================================
    17:25:36.0131 2036 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
    17:25:36.0225 2036 ============================================================
    17:25:36.0225 2036 \Device\Harddisk0\DR0:
    17:25:36.0240 2036 MBR partitions:
    17:25:36.0240 2036 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1C5931
    17:25:36.0240 2036 ============================================================
    17:25:36.0272 2036 C: <-> \Device\Harddisk0\DR0\Partition1
    17:25:36.0272 2036 ============================================================
    17:25:36.0272 2036 Initialize success
    17:25:36.0272 2036 ============================================================
    17:25:39.0922 7956 ============================================================
    17:25:39.0922 7956 Scan started
    17:25:39.0922 7956 Mode: Manual;
    17:25:39.0922 7956 ============================================================
    17:25:40.0593 7956 ================ Scan system memory ========================
    17:25:40.0593 7956 System memory - ok
    17:25:40.0593 7956 ================ Scan services =============================
    17:25:49.0828 7956 [ 33599130F44E1F34631CEA241DE8AC84 ] MTConfig C:\Windows\system32\DRIVERS\MTConfig.sys
    17:25:49.0828 7956 MTConfig - ok
    17:25:49.0844 7956 [ 159FAD02F64E6381758C990F753BCC80 ] Mup C:\Windows\system32\Drivers\mup.sys
    17:25:49.0844 7956 Mup - ok
    17:25:49.0875 7956 [ 61D57A5D7C6D9AFE10E77DAE6E1B445E ] napagent C:\Windows\system32\qagentRT.dll
    17:25:49.0890 7956 napagent - ok
    17:25:49.0906 7956 [ 26384429FCD85D83746F63E798AB1480 ] NativeWifiP C:\Windows\system32\DRIVERS\nwifi.sys
    17:25:49.0922 7956 NativeWifiP - ok
    17:25:49.0953 7956 [ 8C9C922D71F1CD4DEF73F186416B7896 ] NDIS C:\Windows\system32\drivers\ndis.sys
    17:25:49.0984 7956 NDIS - ok
    17:25:50.0000 7956 [ 0E1787AA6C9191D3D319E8BAFE86F80C ] NdisCap C:\Windows\system32\DRIVERS\ndiscap.sys
    17:25:50.0000 7956 NdisCap - ok
    17:25:50.0015 7956 [ E4A8AEC125A2E43A9E32AFEEA7C9C888 ] NdisTapi C:\Windows\system32\DRIVERS\ndistapi.sys
    17:25:50.0015 7956 NdisTapi - ok
    17:25:50.0046 7956 [ D8A65DAFB3EB41CBB622745676FCD072 ] Ndisuio C:\Windows\system32\DRIVERS\ndisuio.sys
    17:25:50.0046 7956 Ndisuio - ok
    17:25:50.0078 7956 [ 38FBE267E7E6983311179230FACB1017 ] NdisWan C:\Windows\system32\DRIVERS\ndiswan.sys
    17:25:50.0078 7956 NdisWan - ok
    17:25:50.0109 7956 [ A4BDC541E69674FBFF1A8FF00BE913F2 ] NDProxy C:\Windows\system32\drivers\NDProxy.sys
    17:25:50.0124 7956 NDProxy - ok
    17:25:50.0202 7956 [ 7D2633295EB6FF2B938185874884059D ] Nero BackItUp Scheduler 4.0 C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    17:25:50.0234 7956 Nero BackItUp Scheduler 4.0 - ok
    17:25:50.0249 7956 [ 80B275B1CE3B0E79909DB7B39AF74D51 ] NetBIOS C:\Windows\system32\DRIVERS\netbios.sys
     
  15. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    TDSSKiller....... Continued
    17:25:57.0768 7956 [ A2F0EC770A92F2B3F9DE6D518E11409C ] WPCSvc C:\Windows\System32\wpcsvc.dll
    17:25:57.0768 7956 WPCSvc - ok
    17:25:57.0800 7956 [ AA53356D60AF47EACC85BC617A4F3F66 ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
    17:25:57.0800 7956 WPDBusEnum - ok
    17:25:57.0815 7956 WPFFontCache_v0400 - ok
    17:25:57.0831 7956 [ 6DB3276587B853BF886B69528FDB048C ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
    17:25:57.0831 7956 ws2ifsl - ok
    17:25:57.0846 7956 [ 6F5D49EFE0E7164E03AE773A3FE25340 ] wscsvc C:\Windows\System32\wscsvc.dll
    17:25:57.0846 7956 wscsvc - ok
    17:25:57.0862 7956 WSearch - ok
    17:25:57.0971 7956 [ FC3EC24FCE372C89423E015A2AC1A31E ] wuauserv C:\Windows\system32\wuaueng.dll
    17:25:58.0002 7956 wuauserv - ok
    17:25:58.0049 7956 [ E714A1C0354636837E20CCBF00888EE7 ] WudfPf C:\Windows\system32\drivers\WudfPf.sys
    17:25:58.0049 7956 WudfPf - ok
    17:25:58.0080 7956 [ 1023EE888C9B47178C5293ED5336AB69 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
    17:25:58.0080 7956 WUDFRd - ok
    17:25:58.0112 7956 [ 8D1E1E529A2C9E9B6A85B55A345F7629 ] wudfsvc C:\Windows\System32\WUDFSvc.dll
    17:25:58.0112 7956 wudfsvc - ok
    17:25:58.0143 7956 [ FF2D745B560F7C71B31F30F4D49F73D2 ] WwanSvc C:\Windows\System32\wwansvc.dll
    17:25:58.0143 7956 WwanSvc - ok
    17:25:58.0205 7956 [ DD0042F0C3B606A6A8B92D49AFB18AD6 ] YahooAUService C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    17:25:58.0221 7956 YahooAUService - ok
    17:25:58.0236 7956 ================ Scan global ===============================
    17:25:58.0268 7956 [ DAB748AE0439955ED2FA22357533DDDB ] C:\Windows\system32\basesrv.dll
    17:25:58.0299 7956 [ 183B4188D5D91B271613EC3EFD1B3CEF ] C:\Windows\system32\winsrv.dll
    17:25:58.0314 7956 [ 183B4188D5D91B271613EC3EFD1B3CEF ] C:\Windows\system32\winsrv.dll
    17:25:58.0330 7956 [ 364455805E64882844EE9ACB72522830 ] C:\Windows\system32\sxssrv.dll
    17:25:58.0377 7956 [ 5F1B6A9C35D3D5CA72D6D6FDEF9747D6 ] C:\Windows\system32\services.exe
    17:25:58.0392 7956 [Global] - ok
    17:25:58.0392 7956 ================ Scan MBR ==================================
    17:25:58.0392 7956 [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
    17:25:58.0486 7956 \Device\Harddisk0\DR0 - ok
    17:25:58.0486 7956 ================ Scan VBR ==================================
    17:25:58.0486 7956 [ 4882763ADB0E123279684ABF87290E0F ] \Device\Harddisk0\DR0\Partition1
    17:25:58.0502 7956 \Device\Harddisk0\DR0\Partition1 - ok
    17:25:58.0502 7956 ============================================================
    17:25:58.0502 7956 Scan finished
    17:25:58.0502 7956 ============================================================
    17:25:58.0502 2332 Detected object count: 0
    17:25:58.0502 2332 Actual detected object count: 0
     
  16. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    RogueKiller V8.0.4 [09/19/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : HP_Owner [Admin rights]
    Mode : Remove -- Date : 09/22/2012 17:47:52
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 3 ¤¤¤
    [TASK][SUSP PATH] {8AE4A92B-B8EB-4396-B731-4D3579BAB3A2} : C:\Users\HP_Owner\Desktop\setupen.exe -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{bb55aac3-8517-4194-6faf-9e90e996ae36}\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{bb55aac3-8517-4194-6faf-9e90e996ae36}\L --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\Users\HP_Owner\AppData\Local\{bb55aac3-8517-4194-6faf-9e90e996ae36}\U --> REMOVED
    [Del.Parent][FILE] 00000004.@ : C:\Users\HP_Owner\AppData\Local\{bb55aac3-8517-4194-6faf-9e90e996ae36}\L\00000004.@ --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\Users\HP_Owner\AppData\Local\{bb55aac3-8517-4194-6faf-9e90e996ae36}\L --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\Windows\system32\config\systemprofile\Local Settings\Application Data\{bb55aac3-8517-4194-6faf-9e90e996ae36}\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\Windows\system32\config\systemprofile\Local Settings\Application Data\{bb55aac3-8517-4194-6faf-9e90e996ae36}\L --> REMOVED
    [ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$bb55aac3851741946faf9e90e996ae36\@ --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$bb55aac3851741946faf9e90e996ae36\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\$recycle.bin\S-1-5-18\$bb55aac3851741946faf9e90e996ae36\L --> REMOVED
    ¤¤¤ Driver : [LOADED] ¤¤¤
    _INLINE_ : NtTraceEvent -> HOOKED (Unknown @ 0x8310363A)
    ¤¤¤ Infection : ZeroAccess ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    127.0.0.1 www.0scan.com
    127.0.0.1 0scan.com
    127.0.0.1 www.1000gratisproben.com
    127.0.0.1 1000gratisproben.com
    127.0.0.1 www.1001namen.com
    127.0.0.1 1001namen.com
    127.0.0.1 www.100888290cs.com
    127.0.0.1 100888290cs.com
    127.0.0.1 www.100sexlinks.com
    127.0.0.1 100sexlinks.com
    [...]

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: ST3250318AS ATA Device +++++
    --- User ---
    [MBR] 6e7de95dad4e19bb7e44c88b8c00d346
    [BSP] cd27ed3eb96aab5c994ff939e1f9cca6 : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238475 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt
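The RogueKiller log above is the clearest picture of the infection in this thread: ZeroAccess keeps its payload in GUID-named folders with `U` and `L` subfolders (under `C:\Windows\Installer`, the user's `AppData\Local`, the system profile, and `$Recycle.Bin\S-1-5-18`, the LocalSystem SID) and drops `@` / `nnnnnnnn.@` files inside them. The folders are only the payload store; Rkill later reports svchost.exe and winlogon.exe unsigned and Broni's FRST search targets services.exe, so removing the folders alone does not clean the machine. The following is an added example, not RogueKiller's code or anything from the original post: a small scanner that flags that on-disk layout. It runs against a constructed directory tree (the paths mirror the log, the decoy GUID folder is made up) so it works offline; on a live host you would call `scan(Path("C:/"))` from an elevated prompt.

```python
"""Flag ZeroAccess-style payload folders on disk (added example, constructed sample tree)."""
import os
import re
import tempfile
from pathlib import Path

# Folder names ZeroAccess used: a GUID in braces, or "$" + 32 hex digits under
# $Recycle.Bin\S-1-5-18 (the LocalSystem SID). Both forms appear in the RogueKiller log.
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RECYCLE_DIR = re.compile(r"^\$[0-9a-f]{32}$", re.I)
# Payload files: "@" or an eight-hex-digit name with the ".@" extension.
AT_FILE = re.compile(r"^(@|[0-9a-f]{8}\.@)$", re.I)


def looks_like_zeroaccess_root(d: Path) -> bool:
    """True when d has a ZeroAccess-style name AND the U/L subfolders or an
    '@' file directly inside it. The name alone is not enough: C:\\Windows\\Installer
    legitimately holds GUID-named folders for the MSI cache."""
    if not (GUID_DIR.match(d.name) or RECYCLE_DIR.match(d.name)):
        return False
    try:
        children = list(d.iterdir())
    except OSError:
        return False
    has_ul = any(c.is_dir() and c.name.upper() in ("U", "L") for c in children)
    has_at = any(c.is_file() and AT_FILE.match(c.name) for c in children)
    return has_ul or has_at


def scan(root: Path) -> list:
    """Walk root and return one finding per suspicious folder."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        d = Path(dirpath)
        if not looks_like_zeroaccess_root(d):
            continue
        payloads = sorted(str(p.relative_to(d)) for p in d.rglob("*")
                          if p.is_file() and AT_FILE.match(p.name))
        hits.append({
            "root": str(d.relative_to(root)),
            "subdirs": sorted(n for n in dirnames if n.upper() in ("U", "L")),
            "payloads": payloads,
        })
    return hits


def build_sample_tree(base: Path) -> None:
    """Constructed sample tree mirroring the paths RogueKiller reported, plus one
    made-up GUID-named folder with ordinary contents that must NOT be flagged."""
    g = "{bb55aac3-8517-4194-6faf-9e90e996ae36}"
    rb = "$Recycle.Bin/S-1-5-18/$bb55aac3851741946faf9e90e996ae36"
    for rel in (f"Windows/Installer/{g}/U", f"Windows/Installer/{g}/L",
                f"Users/HP_Owner/AppData/Local/{g}/U", f"Users/HP_Owner/AppData/Local/{g}/L",
                f"{rb}/U", f"{rb}/L",
                "Windows/Installer/{11111111-2222-3333-4444-555555555555}"):
        (base / rel).mkdir(parents=True, exist_ok=True)
    (base / f"Users/HP_Owner/AppData/Local/{g}/L/00000004.@").write_bytes(b"\0" * 16)
    (base / f"{rb}/@").write_bytes(b"\0" * 16)
    (base / "Windows/Installer/{11111111-2222-3333-4444-555555555555}/icon.exe").write_bytes(b"MZ")


def demo() -> list:
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return scan(base)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The decoy folder is there on purpose: a GUID-named directory is not an indicator by itself, the `U`/`L` pair or the `@` payload next to it is. Finding these folders is a reason to look for the patched loader, not a sign the job is done.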
     
  17. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-09-22 17:51:27
    -----------------------------
    17:51:27.411 OS Version: Windows 6.1.7601 Service Pack 1
    17:51:27.411 Number of processors: 2 586 0x170A
    17:51:27.411 ComputerName: DESKTOP UserName:
    17:51:30.141 Initialize success
    17:53:39.839 AVAST engine defs: 12092201
    17:53:53.739 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
    17:53:53.739 Disk 0 Vendor: ST3250318AS CC38 Size: 238475MB BusType: 3
    17:53:53.754 Disk 0 MBR read successfully
    17:53:53.754 Disk 0 MBR scan
    17:53:53.770 Disk 0 Windows 7 default MBR code
    17:53:53.770 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238475 MB offset 63
    17:53:53.786 Disk 0 scanning sectors +488397168
    17:53:53.801 Disk 0 scanning C:\Windows\system32\drivers
    17:54:04.674 Service scanning
    17:54:15.080 Service MpKsl47b2f2c7 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F77B33D2-67B9-4E11-ADD0-C80A07317CF4}\MpKsl47b2f2c7.sys **LOCKED** 32
    17:54:28.574 Modules scanning
    17:54:33.956 Disk 0 trace - called modules:
    17:54:33.987 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
    17:54:33.987 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86007958]
    17:54:34.003 3 CLASSPNP.SYS[8969359e] -> nt!IofCallDriver -> [0x85f27918]
    17:54:34.003 5 ACPI.sys[88ec73d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0x85f25030]
    17:54:38.464 AVAST engine scan C:\Windows
    17:54:40.867 AVAST engine scan C:\Windows\system32
    17:58:01.842 AVAST engine scan C:\Windows\system32\drivers
    17:58:20.780 AVAST engine scan C:\Users\HP_Owner
    18:11:57.257 AVAST engine scan C:\ProgramData
    18:29:01.852 Scan finished successfully
    18:30:19.602 Disk 0 MBR has been saved successfully to "C:\Users\HP_Owner\Desktop\MBR.dat"
    18:30:19.618 The log file has been saved successfully to "C:\Users\HP_Owner\Desktop\aswMBR.txt"
     
  18. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ===============================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If restarting doesn't help, use the restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  19. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    Rkill 2.4.3 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html
    Program started at: 09/23/2012 11:51:55 AM in x86 mode.
    Windows Version: Windows 7 Home Premium Service Pack 1
    Checking for Windows services to stop:
    * No malware services found to stop.
    Checking for processes to terminate:
    * No malware processes found to kill.
    Possibly Patched Files.
    * C:\Windows\system32\winlogon.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\System32\svchost.exe
    * C:\Windows\System32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\System32\svchost.exe
    Checking Registry for malware related settings:
    * No issues found in the Registry.
    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
    Performing miscellaneous checks:
    * No issues found.
    Checking Windows Service Integrity:
    * Security Center (wscsvc) is not Running.
    Startup Type set to: Automatic (Delayed Start)
    * Windows Update (wuauserv) is not Running.
    Startup Type set to: Automatic (Delayed Start)
    Searching for Missing Digital Signatures:
    * C:\Windows\System32\svchost.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe : 20,992 : 07/13/2009 06:14 PM : 54a47f6b5e09a77e61649109c6a08866 [Pos Repl]
    * C:\Windows\System32\winlogon.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe : 286,720 : 11/20/2010 06:17 AM : 6d13e1406f50c66e2a95d97f22c47560 [Pos Repl]
    * C:\Windows\explorer.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe : 2,616,320 : 11/20/2010 06:17 AM : 40d777b7a95e00593eb1568c68514493 [Pos Repl]
    +-> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe : 2,616,320 : 02/24/2011 09:30 PM : 8b88ebbb05a0e56b7dcc708498c02b3e [Pos Repl]
    +-> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe : 2,616,320 : 02/25/2011 09:19 PM : 0fb9c74046656d1579a64660ad67b746 [Pos Repl]
    Checking HOSTS File:
    * HOSTS file entries found:
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    127.0.0.1 www.0scan.com
    127.0.0.1 0scan.com
    127.0.0.1 www.1000gratisproben.com
    127.0.0.1 1000gratisproben.com
    127.0.0.1 www.1001namen.com
    127.0.0.1 1001namen.com
    127.0.0.1 www.100888290cs.com
    127.0.0.1 100888290cs.com
    127.0.0.1 www.100sexlinks.com
    127.0.0.1 100sexlinks.com
    20 out of 15123 HOSTS entries shown.
    Please review HOSTS file for further entries.
    Program finished at: 09/23/2012 11:55:55 AM
    Execution time: 0 hours(s), 3 minute(s), and 59 seconds(s)
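Two things in the Rkill log above deserve a closer look than the tool's own summary gives them. First, `svchost.exe` and `winlogon.exe` are reported `[NoSig]` (no valid Authenticode signature on a Microsoft system binary, consistent with the patched loader ZeroAccess needs), and Rkill lists clean copies from `C:\Windows\winsxs` as `[Pos Repl]` with size, date and MD5; that is a suggestion, and the candidate's hash and signature should be checked before it is copied over the live file. Second, the 15,123 hosts entries are not by themselves a sign of compromise: lines that point domains at `127.0.0.1` or `0.0.0.0` are how hosts-based ad/malware blocklists work, and the domains shown (007guard.com, 008i.com and so on) are of that kind. What would be suspicious is a hosts entry that blocks a security vendor or Windows Update domain, or one that redirects a domain to a non-loopback address. The following is an added example, not Rkill's code or part of the original post: a parser that pulls those two findings out of an Rkill log. The sample is an excerpt of the log above plus two constructed hosts lines (www.malwarebytes.org and www.windowsupdate.com, which are not in the real log) so that the hosts checks fire; the list of protected domains is illustrative.

```python
"""Triage an Rkill log: patched/unsigned system binaries and hosts-file entries.
Added example; SAMPLE_LOG is an excerpt of the posted log plus two constructed lines."""
import re

NOSIG = re.compile(r"^\* (?P<path>.+?) \[NoSig\]$")
CANDIDATE = re.compile(r"^\+-> (?P<path>.+?) : (?P<size>[\d,]+) : (?P<date>.+?) : "
                       r"(?P<md5>[0-9a-f]{32}) \[Pos Repl\]$")
WINSXS_VERSION = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_none_")   # build embedded in the WinSxS component name
HOSTS_ENTRY = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)$")
HOSTS_SUMMARY = re.compile(r"^(\d+) out of (\d+) HOSTS entries shown")
HEADERS = {"Possibly Patched Files.": "patched",
           "Searching for Missing Digital Signatures:": "sig",
           "Checking HOSTS File:": "hosts"}

# Loopback / null-route targets are how hosts-based blocklists work: benign on their own.
SINKHOLES = {"127.0.0.1", "0.0.0.0"}
# Domains an infection would want to block (illustrative list, extend as needed).
PROTECTED = ("microsoft.com", "windowsupdate.com", "malwarebytes.org",
             "bleepingcomputer.com", "avast.com", "kaspersky.com", "symantec.com")


def classify_host(ip: str, host: str) -> str:
    h = host.lower()
    if ip not in SINKHOLES:
        return "suspicious: redirected to " + ip
    if any(h == p or h.endswith("." + p) for p in PROTECTED):
        return "suspicious: security/update domain blocked"
    return "sinkhole"


def triage(log_text: str) -> dict:
    report = {"patched": [], "unsigned": [],
              "hosts": {"shown": 0, "total": 0, "sinkholed": 0, "suspicious": []}}
    section, current = None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            section = HEADERS[line]
            continue
        if line.endswith(":") and not line.startswith(("* ", "+->")):
            section = None              # any other Rkill section header
            continue
        if section == "patched" and line.startswith("* "):
            report["patched"].append(line[2:])
        elif section == "sig":
            m = NOSIG.match(line)
            if m:
                current = {"file": m["path"], "candidates": []}
                report["unsigned"].append(current)
                continue
            m = CANDIDATE.match(line)
            if m and current is not None:
                v = WINSXS_VERSION.search(m["path"])
                current["candidates"].append({
                    "path": m["path"], "size": int(m["size"].replace(",", "")),
                    "date": m["date"], "md5": m["md5"],
                    "version": v.group(1) if v else None})
        elif section == "hosts":
            m = HOSTS_ENTRY.match(line)
            if m:
                verdict = classify_host(m["ip"], m["host"])
                if verdict == "sinkhole":
                    report["hosts"]["sinkholed"] += 1
                else:
                    report["hosts"]["suspicious"].append((m["host"], verdict))
                continue
            m = HOSTS_SUMMARY.match(line)
            if m:
                report["hosts"]["shown"], report["hosts"]["total"] = int(m[1]), int(m[2])
    return report


# Excerpt of the Rkill output posted above; the www.malwarebytes.org and
# www.windowsupdate.com lines are constructed and are NOT in the real log.
SAMPLE_LOG = r"""
Checking for processes to terminate:
* No malware processes found to kill.
Possibly Patched Files.
* C:\Windows\system32\winlogon.exe
* C:\Windows\system32\svchost.exe
* C:\Windows\System32\svchost.exe
Checking Registry for malware related settings:
* No issues found in the Registry.
Searching for Missing Digital Signatures:
* C:\Windows\System32\svchost.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe : 20,992 : 07/13/2009 06:14 PM : 54a47f6b5e09a77e61649109c6a08866 [Pos Repl]
* C:\Windows\System32\winlogon.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe : 286,720 : 11/20/2010 06:17 AM : 6d13e1406f50c66e2a95d97f22c47560 [Pos Repl]
Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 www.malwarebytes.org
10.0.0.5 www.windowsupdate.com
20 out of 15123 HOSTS entries shown.
Program finished at: 09/23/2012 11:55:55 AM
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The report keeps the WinSxS candidate's build number (6.1.7600.16385 for svchost.exe, 6.1.7601.17514 for winlogon.exe in the log above), size and MD5 together so the replacement can be verified against the running system before anything is copied, and it separates ordinary sinkhole lines from the few hosts entries that would actually matter.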
     
  20. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    Combofix will not complete to produce log file. It hangs at about 90 seconds. I have left it to run for over 2 hours, but the system clock is not even moving. Tried it a few times (even the alternate method outlined above), but had to hard-boot to restart the system.
     
  21. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Try to run Combofix anyway.
     
  22. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    Sorry - I meant Combofix. It just hangs up.
    (I went back and edited my last post)
     
  23. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Try rKill and Combofix from safe mode.
     
  24. A_Wisdom

    A_Wisdom TS Rookie Topic Starter Posts: 36

    Tried rKill and Combofix in Safe Mode.
    rKill ran fine, but Combofix gave me a message to disable Microsoft Security Essentials. Everything I did to disable it was having no effect and Combofix was still giving me the same message. I uninstalled Microsoft Security Essentials, re-ran rKill (log file below), and then tried to run Combofix again. The system clock locked at 72 minutes, but I left it to run for 2 hours before I had to hard-boot the computer again.

    Rkill 2.4.3 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html
    Program started at: 09/23/2012 01:42:02 PM in x86 mode.
    Windows Version: Windows 7 Home Premium Service Pack 1
    Checking for Windows services to stop:
    * No malware services found to stop.
    Checking for processes to terminate:
    * No malware processes found to kill.
    Possibly Patched Files.
    * C:\Windows\system32\winlogon.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\System32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\system32\svchost.exe
    * C:\Windows\System32\svchost.exe
    * C:\Windows\system32\svchost.exe
    Checking Registry for malware related settings:
    * No issues found in the Registry.
    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
    Performing miscellaneous checks:
    * No issues found.
    Checking Windows Service Integrity:
    * COM+ Event System (EventSystem) is not Running.
    Startup Type set to: Automatic
    * Security Center (wscsvc) is not Running.
    Startup Type set to: Automatic (Delayed Start)
    * Windows Update (wuauserv) is not Running.
    Startup Type set to: Automatic (Delayed Start)
    Searching for Missing Digital Signatures:
    * C:\Windows\System32\svchost.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe : 20,992 : 07/13/2009 06:14 PM : 54a47f6b5e09a77e61649109c6a08866 [Pos Repl]
    * C:\Windows\System32\winlogon.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe : 286,720 : 11/20/2010 06:17 AM : 6d13e1406f50c66e2a95d97f22c47560 [Pos Repl]
    * C:\Windows\explorer.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe : 2,616,320 : 11/20/2010 06:17 AM : 40d777b7a95e00593eb1568c68514493 [Pos Repl]
    +-> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe : 2,616,320 : 02/24/2011 09:30 PM : 8b88ebbb05a0e56b7dcc708498c02b3e [Pos Repl]
    +-> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe : 2,616,320 : 02/25/2011 09:19 PM : 0fb9c74046656d1579a64660ad67b746 [Pos Repl]
    Checking HOSTS File:
    * HOSTS file entries found:
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    127.0.0.1 www.0scan.com
    127.0.0.1 0scan.com
    127.0.0.1 www.1000gratisproben.com
    127.0.0.1 1000gratisproben.com
    127.0.0.1 www.1001namen.com
    127.0.0.1 1001namen.com
    127.0.0.1 www.100888290cs.com
    127.0.0.1 100888290cs.com
    127.0.0.1 www.100sexlinks.com
    127.0.0.1 100sexlinks.com
    20 out of 15123 HOSTS entries shown.
    Please review HOSTS file for further entries.
    Program finished at: 09/23/2012 01:45:42 PM
    Execution time: 0 hours(s), 3 minute(s), and 40 seconds(s)
     
  25. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
     

