ZeroAccess.hp removal


Post by k_ramesh » February 1st, 2013, 1:11 pm

Hi,

My laptop was infected with the ZeroAccess.hv and ZeroAccess.hp trojans. After a lot of searching on the internet I was able to
clean it with the standalone virus cleaning tool from Kaspersky and ComboFix. I wanted the experts of this forum to confirm from
the logs posted below that my laptop is virus/trojan free. Let me know whether I can uninstall ComboFix from my laptop.

I appreciate the experts' comments.

Thanks.
kr/-
PS: I have just registered for the Malware Removal forum.

Operating system is Microsoft Windows 7 - 64-bit with all security patches installed.
Anti-virus installed is McAfee.

DDS log

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.11.2
Run by kramesh at 0:41:05 on 2013-02-02
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.65.1033.18.8052.6392 [GMT 8:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files (x86)\Sensible Vision\Fast Access\FAService.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Conexant\SA3\CxUtilSvc.exe
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
C:\Program Files\Microsoft Device Center\itype.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
C:\Program Files\Microsoft Device Center\ipoint.exe
C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Conexant\SA3\SmartAudio3.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe
C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayAlert.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe
C:\Program Files\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www1.ap.dell.com/content/default ... l=en&s=gen
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\mcafee\SystemCore\ScriptSn.20130131145251.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
BHO: Face recognition web login for FastAccess: {DA5BCE70-D057-4D63-943D-5F3927EC59F1} - C:\Program Files (x86)\Sensible Vision\Fast Access\FAIESSO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" 60
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
mRun: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [FATrayAlert] C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [FAStartup] <no file>
StartupFolder: C:\Users\kramesh\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\_UNINS~1.LNK - C:\Users\kramesh\AppData\Local\Temp\_uninst_37614240.bat
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~3\Office15\ONBttnIE.dll/105
IE: Send to Bluetooth - C:\Program Files (x86)\Intel\Bluetooth\btSendToObject.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwar ... TSUEng.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwar ... PIDPDE.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.co ... .5.1.0.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwar ... /CTPID.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{B67CA45B-DF54-4686-BC12-003B9FCE1D8F} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{B67CA45B-DF54-4686-BC12-003B9FCE1D8F}\24C627843756 : DHCPNameServer = 4.2.2.2 8.8.8.8
TCP: Interfaces\{B67CA45B-DF54-4686-BC12-003B9FCE1D8F}\B627 : DHCPNameServer = 165.21.83.88 165.21.100.88
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: FastAccess - C:\Program Files (x86)\Sensible Vision\Fast Access\FALogNot.dll
AppInit_DLLs= C:\Windows\SysWOW64\nvinit.dll
SSODL: WebCheck - <orphaned>
LSA: Notification Packages = scecli FAPassSync
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\mcafee\SystemCore\ScriptSn.20130131145251.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL
x64-BHO: Face recognition web login for FastAccess: {DA5BCE70-D057-4D63-943D-5F3927EC59F1} - C:\Program Files (x86)\Sensible Vision\Fast Access\x64\FAIESSO.dll
x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs"
x64-Run: [Stage Remote] C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe -Quiet
x64-Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup
x64-Run: [IntelliType Pro] "C:\Program Files\Microsoft Device Center\itype.exe"
x64-Run: [IntelliPoint] "C:\Program Files\Microsoft Device Center\ipoint.exe"
x64-Run: [SmartAudio] C:\Program Files\CONEXANT\SA3\SACpl.exe /sa3 /nv:3.0+ /dne /s
x64-Run: [BLEServicesCtrl] C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
x64-Run: [BTMTrayAgent] rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\kramesh\AppData\Roaming\Mozilla\Firefox\Profiles\74yb0jmc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=mkg030&p=
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mkg030&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\PROGRA~2\mcafee\msc\npMcSnFFPl.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\nprpplugin.dll
FF - plugin: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1166636.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1167637.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2013-01-10 13:08; admin@indiarailinfo.com; C:\Users\kramesh\AppData\Roaming\Mozilla\Firefox\Profiles\74yb0jmc.default\extensions\admin@indiarailinfo.com.xpi
FF - ExtSQL: 2013-01-30 07:51; {D19CA586-DD6C-4a0a-96F8-14644F340D60}; C:\Program Files (x86)\Common Files\McAfee\SystemCore
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2012-12-4 20024]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2011-3-14 771096]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2011-3-14 339776]
R0 nvpciflt;nvpciflt;C:\Windows\System32\drivers\nvpciflt.sys [2013-1-6 30648]
R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-5-13 249648]
R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-11-6 1120192]
R2 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2012-11-6 1361856]
R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2012-11-6 1140672]
R2 CxUtilSvc;CxUtilSvc;C:\Program Files\CONEXANT\SA3\CxUtilSvc.exe [2012-6-14 109184]
R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2012-6-23 166400]
R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2012-6-23 128512]
R2 FAService;FAService;C:\Program Files (x86)\Sensible Vision\Fast Access\FAService.exe [2012-2-14 2451440]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-6-14 13592]
R2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-1-11 627936]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-9-28 201304]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-9-28 201304]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-9-28 201304]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe [2012-6-14 241016]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2012-6-14 218320]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2012-6-14 182312]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-26 2823000]
R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2012-3-23 87040]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-11-29 38608]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2012-6-14 1695040]
R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\System32\drivers\TurboB.sys [2010-11-30 16120]
R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-6-14 363800]
R3 btmaux;Intel Bluetooth Auxiliary Service;C:\Windows\System32\drivers\btmaux.sys [2012-10-30 131968]
R3 btmhsf;btmhsf;C:\Windows\System32\drivers\btmhsf.sys [2012-11-6 1345920]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2011-3-14 69672]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2012-8-21 176000]
R3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\System32\drivers\HipShieldK.sys [2012-10-20 196440]
R3 ibtfltcoex;ibtfltcoex;C:\Windows\System32\drivers\iBtFltCoex.sys [2012-8-6 68136]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2012-6-14 331264]
R3 iusb3hub;Intel(R) USB 3.0 Hub Driver;C:\Windows\System32\drivers\iusb3hub.sys [2012-12-4 358456]
R3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;C:\Windows\System32\drivers\iusb3xhc.sys [2012-12-4 791608]
R3 iwdbus;IWD Bus Enumerator;C:\Windows\System32\drivers\iwdbus.sys [2011-12-21 25496]
R3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2012-6-21 104560]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2011-3-14 309400]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2011-3-14 515528]
R3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;C:\Windows\System32\drivers\RtsUVStor.sys [2012-6-14 313448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-19 138576]
S2 DellDigitalDelivery;Dell Digital Delivery Service;C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe [2012-4-10 166912]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]
S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;C:\Windows\System32\drivers\amppal.sys [2012-1-9 195584]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-6-8 191752]
S3 FACAP;facap, FastAccess Video Capture;C:\Windows\System32\drivers\facap.sys [2008-9-25 238848]
S3 HTCAND64;HTC Device Driver;C:\Windows\System32\drivers\ANDROIDUSB.sys [2009-11-2 33736]
S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\System32\drivers\htcnprot.sys [2010-6-25 36928]
S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\Windows\System32\drivers\intelaud.sys [2011-12-21 34200]
S3 McAWFwk;McAfee Activation Service;C:\PROGRA~1\mcafee\msc\mcawfwk.exe [2012-6-14 224704]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2011-3-14 106112]
S3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;C:\Windows\System32\drivers\nvstusb.sys [2012-6-14 300864]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2012-10-1 178824]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-10-25 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-10-25 57856]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-10-25 30208]
S3 TurboBoost;Intel(R) Turbo Boost Technology Monitor 2.0;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2010-11-30 149504]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-6-19 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S4 McOobeSv;McAfee OOBE Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-9-28 201304]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-23 57184]
.
=============== Created Last 30 ================
.
2013-01-31 13:29:36 -------- d-----w- C:\Users\kramesh\AppData\Roaming\Wireshark
2013-01-31 13:29:01 -------- d-----w- C:\Program Files (x86)\WinPcap
2013-01-31 13:28:42 -------- d-----w- C:\Program Files\Wireshark
2013-01-31 06:52:51 33944 ----a-w- C:\Program Files (x86)\Mozilla Firefox\ScriptFF.dll
2013-01-31 06:27:55 -------- d-sh--w- C:\$RECYCLE.BIN
2013-01-31 06:16:01 98816 ----a-w- C:\Windows\sed.exe
2013-01-31 06:16:01 256000 ----a-w- C:\Windows\PEV.exe
2013-01-31 06:16:01 208896 ----a-w- C:\Windows\MBR.exe
2013-01-31 00:34:39 328704 ----a-w- C:\Windows\System32\Services.exe
2013-01-30 18:11:09 -------- d-----w- C:\ProgramData\Kaspersky Lab
2013-01-30 16:42:40 -------- d-----w- C:\Users\kramesh\AppData\Local\Avg2013
2013-01-30 14:53:20 -------- d-----w- C:\Users\kramesh\AppData\Roaming\Malwarebytes
2013-01-30 14:53:08 -------- d-----w- C:\ProgramData\Malwarebytes
2013-01-30 10:22:42 -------- d-----w- C:\Users\kramesh\AppData\Roaming\TuneUp Software
2013-01-30 10:05:12 -------- d--h--w- C:\ProgramData\Common Files
2013-01-30 10:05:12 -------- d-----w- C:\Users\kramesh\AppData\Local\MFAData
2013-01-30 10:05:12 -------- d-----w- C:\ProgramData\MFAData
2013-01-30 00:59:30 16200 ----a-w- C:\Windows\stinger.sys
2013-01-30 00:58:56 -------- d-----w- C:\Program Files (x86)\stinger
2013-01-27 17:00:08 -------- d-----w- C:\Users\kramesh\AppData\Roaming\Prodiance
2013-01-18 16:51:34 -------- d-----w- C:\Program Files\WDCSAM
2013-01-18 15:56:19 -------- d-----w- C:\ProgramData\Western Digital
2013-01-18 15:26:19 -------- d-----w- C:\Users\kramesh\AppData\Local\Western Digital
2013-01-14 15:22:30 2784416 ----a-w- C:\Windows\System32\UCI64A06.DLL
2013-01-14 15:22:29 1578656 ----a-w- C:\Windows\System32\CX64AP66.dll
2013-01-14 14:19:34 -------- d-----w- C:\Users\kramesh\AppData\Local\{7EDD5E0C-48C2-45CB-8271-B043E29B27F2}
2013-01-14 14:19:34 -------- d-----w- C:\Users\kramesh\AppData\Local\{4F0CD053-71ED-46EB-94E1-C9FCDE72C697}
2013-01-14 06:06:18 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-01-14 06:05:25 108448 ----a-w- C:\Windows\System32\WindowsAccessBridge-64.dll
2013-01-11 08:51:29 -------- d-----w- C:\Program Files (x86)\DAMN NFO Viewer
2013-01-11 01:25:15 -------- d-----w- C:\Users\kramesh\AppData\Local\ArcSoft
2013-01-11 01:25:15 -------- d-----w- C:\ProgramData\ArcSoft
2013-01-10 16:02:01 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server
2013-01-10 16:01:53 -------- d-----w- C:\ProgramData\regid.1991-06.com.microsoft
2013-01-10 16:01:36 -------- d-----w- C:\Windows\PCHEALTH
2013-01-10 16:01:36 -------- d-----w- C:\Program Files\Microsoft SQL Server
2013-01-10 16:00:07 -------- d-----w- C:\Program Files\Microsoft Analysis Services
2013-01-10 16:00:07 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2013-01-10 14:03:30 -------- d-----w- C:\Program Files (x86)\uTorrent
2013-01-10 14:02:31 -------- d-----w- C:\Users\kramesh\AppData\Roaming\uTorrent
2013-01-09 08:51:59 46592 ----a-w- C:\Windows\SysWow64\fpb.rs
2013-01-06 02:37:35 -------- d-----w- C:\Windows\SysWow64\NV
2013-01-06 02:37:35 -------- d-----w- C:\Windows\System32\NV
2013-01-06 02:31:33 997816 ----a-w- C:\Windows\System32\nv3dappshext.dll
2013-01-06 02:31:33 884152 ----a-w- C:\Windows\System32\nvvsvc.exe
2013-01-06 02:31:33 63928 ----a-w- C:\Windows\System32\nvshext.dll
2013-01-06 02:31:33 6382008 ----a-w- C:\Windows\System32\nvcpl.dll
2013-01-06 02:31:33 55736 ----a-w- C:\Windows\System32\nv3dappshextr.dll
2013-01-06 02:31:33 3455416 ----a-w- C:\Windows\System32\nvsvc64.dll
2013-01-06 02:31:33 2923201 ----a-w- C:\Windows\System32\nvcoproc.bin
2013-01-06 02:31:33 2558392 ----a-w- C:\Windows\System32\nvsvcr.dll
2013-01-06 02:31:33 118712 ----a-w- C:\Windows\System32\nvmctray.dll
2013-01-06 02:31:00 -------- d-----w- C:\ProgramData\NVIDIA Corporation
2013-01-05 03:22:08 50800 ----a-w- C:\Windows\System32\drivers\point64.sys
.
==================== Find3M ====================
.
2013-01-18 15:44:10 791608 ----a-w- C:\Windows\System32\drivers\iusb3xhc.sys
2013-01-18 15:44:10 358456 ----a-w- C:\Windows\System32\drivers\iusb3hub.sys
2013-01-18 15:44:09 20024 ----a-w- C:\Windows\System32\drivers\iusb3hcs.sys
2013-01-18 15:44:08 41984 ----a-w- C:\Windows\System32\drivers\USB3Ver.dll
2013-01-14 06:06:12 859552 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-01-14 06:06:12 780192 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-01-14 06:05:20 960416 ----a-w- C:\Windows\System32\deployJava1.dll
2013-01-14 06:05:20 1081760 ----a-w- C:\Windows\System32\npDeployJava1.dll
2013-01-09 09:29:59 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-09 09:29:59 697864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-12-26 01:55:26 69672 ----a-w- C:\Windows\System32\drivers\cfwids.sys
2012-12-26 01:52:44 339776 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys
2012-12-26 01:52:34 182312 ----a-w- C:\Windows\System32\mfevtps.exe
2012-12-26 01:51:34 10288 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys
2012-12-26 01:51:24 106112 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
2012-12-26 01:50:48 771096 ----a-w- C:\Windows\System32\drivers\mfehidk.sys
2012-12-26 01:49:42 515528 ----a-w- C:\Windows\System32\drivers\mfefirek.sys
2012-12-26 01:49:00 309400 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
2012-12-26 01:48:30 178840 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys
2012-12-16 17:11:22 46080 ----a-w- C:\Windows\System32\atmlib.dll
2012-12-16 14:45:03 367616 ----a-w- C:\Windows\System32\atmfd.dll
2012-12-16 14:13:28 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
2012-12-16 14:13:20 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2012-12-13 05:50:38 6112864 ----a-w- C:\Windows\System32\usbaaplrc.dll
2012-12-13 05:50:36 54784 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
2012-12-07 13:20:16 441856 ----a-w- C:\Windows\System32\Wpc.dll
2012-12-07 13:15:31 2746368 ----a-w- C:\Windows\System32\gameux.dll
2012-12-07 12:26:17 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll
2012-12-07 11:20:04 30720 ----a-w- C:\Windows\System32\usk.rs
2012-12-07 11:20:03 43520 ----a-w- C:\Windows\System32\csrr.rs
2012-12-07 11:20:03 23552 ----a-w- C:\Windows\System32\oflc.rs
2012-12-07 11:20:01 45568 ----a-w- C:\Windows\System32\oflc-nz.rs
2012-12-07 11:20:01 44544 ----a-w- C:\Windows\System32\pegibbfc.rs
2012-12-07 11:20:01 20480 ----a-w- C:\Windows\System32\pegi-fi.rs
2012-12-07 11:20:00 20480 ----a-w- C:\Windows\System32\pegi-pt.rs
2012-12-07 11:19:59 20480 ----a-w- C:\Windows\System32\pegi.rs
2012-12-07 11:19:58 46592 ----a-w- C:\Windows\System32\fpb.rs
2012-12-07 11:19:57 40960 ----a-w- C:\Windows\System32\cob-au.rs
2012-12-07 11:19:57 21504 ----a-w- C:\Windows\System32\grb.rs
2012-12-07 11:19:57 15360 ----a-w- C:\Windows\System32\djctq.rs
2012-12-07 11:19:56 55296 ----a-w- C:\Windows\System32\cero.rs
2012-12-07 11:19:55 51712 ----a-w- C:\Windows\System32\esrb.rs
2012-12-06 04:11:40 11518976 ----a-w- C:\Windows\System32\drivers\Netwsw00.sys
2012-12-05 06:14:00 218624 ----a-w- C:\Windows\System32\bzpdf.dll
2012-12-05 06:14:00 139264 ----a-w- C:\Windows\SysWow64\bzpdfc.dll
2012-11-30 05:45:35 362496 ----a-w- C:\Windows\System32\wow64win.dll
2012-11-30 05:45:35 243200 ----a-w- C:\Windows\System32\wow64.dll
2012-11-30 05:45:35 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2012-11-30 05:45:14 215040 ----a-w- C:\Windows\System32\winsrv.dll
2012-11-30 05:43:12 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2012-11-30 05:41:07 424448 ----a-w- C:\Windows\System32\KernelBase.dll
2012-11-30 04:54:00 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2012-11-30 04:53:59 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2012-11-30 03:23:48 338432 ----a-w- C:\Windows\System32\conhost.exe
2012-11-30 02:44:06 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2012-11-30 02:44:04 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2012-11-30 02:44:04 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2012-11-30 02:44:03 2048 ----a-w- C:\Windows\SysWow64\user.exe
2012-11-30 02:38:59 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2012-11-23 03:26:31 3149824 ----a-w- C:\Windows\System32\win32k.sys
2012-11-23 03:13:57 68608 ----a-w- C:\Windows\System32\taskhost.exe
2012-11-22 05:44:23 800768 ----a-w- C:\Windows\System32\usp10.dll
2012-11-22 04:45:03 626688 ----a-w- C:\Windows\SysWow64\usp10.dll
2012-11-20 05:48:49 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-11-20 04:51:09 220160 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll
2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-11-09 05:45:32 750592 ----a-w- C:\Windows\System32\win32spl.dll
2012-11-09 05:45:09 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-11-09 04:43:04 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll
2012-11-09 04:42:49 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-11-08 03:29:12 1402312 ----a-w- C:\Windows\SysWow64\msxml4.dll
2012-11-06 01:22:10 402944 ----a-w- C:\Windows\System32\mbtleapi.dll
2012-11-06 01:22:06 303104 ----a-w- C:\Windows\SysWow64\mbtleapi.dll
2012-11-06 01:19:20 1345920 ----a-w- C:\Windows\System32\drivers\btmhsf.sys
.
============= FINISH: 0:41:51.45 ===============

Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 19/6/2012 1:05:43 PM
System Uptime: 1/2/2013 7:33:39 AM (17 hours ago)
.
Motherboard: Dell Inc. | | 01N2TY
Processor: Intel(R) Core(TM) i7-3612QM CPU @ 2.10GHz | CPU Socket - U3E1 | 2101/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 476 GiB total, 399.89 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 440 GiB total, 439.549 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: facap, FastAccess Video Capture
Device ID: ROOT\IMAGE\0000
Manufacturer: Sensible Vision
Name: facap, FastAccess Video Capture
PNP Device ID: ROOT\IMAGE\0000
Service: FACAP
.
==== System Restore Points ===================
.
RP141: 29/1/2013 9:23:55 PM - Removed Intel® PROSet/Wireless WiFi Software
RP142: 29/1/2013 9:25:39 PM - Removed Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed
RP143: 29/1/2013 9:42:51 PM - Installed Intel(R) PROSet/Wireless Software for Bluetooth(R) Technology
RP144: 30/1/2013 6:19:28 PM - Installed AVG 2013
RP145: 30/1/2013 6:20:06 PM - Installed AVG 2013
RP146: 31/1/2013 12:41:00 AM - Removed AVG 2013
RP147: 31/1/2013 12:42:42 AM - Removed AVG 2013
RP148: 31/1/2013 12:26:47 PM - Restore Operation
RP149: 31/1/2013 1:13:55 PM - Installed Microsoft Fix it 50884
.
==== Installed Programs ======================
.
??????? Windows Live Mesh ActiveX ??(????)
??????? Windows Live Mesh ActiveX ???
µTorrent
7-Zip 9.22beta
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.01)
Adobe Shockwave Player 11.6
Advanced Audio FX Engine
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bing Bar
Bonjour
Bullzip PDF Printer 9.3.0.1516
Conexant SmartAudio HD
Core Temp 1.0 RC3
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 64-Bit Edition
Dell DataSafe Local Backup
Dell DataSafe Local Backup - Support Software
Dell DataSafe Online
Dell Digital Delivery
Dell Edoc Viewer
Dell Getting Started Guide
Dell MusicStage
Dell PhotoStage
Dell Stage
Dell Stage Remote
Dell Support Center
Dell Touchpad
Dell VideoStage
Dell Webcam Central
eBay
EPSON ME 32 Series Printer Uninstall
EPSON ME 320 Series Printer Uninstall
EPSON Scan
Extended Asian Language font pack for Adobe Reader XI
Face Recognition
GPL Ghostscript
HTC BMP USB Driver
HTC Driver Installer
HTC Sync
Intel(R) Control Center
Intel(R) Management Engine Components
Intel(R) Processor Graphics
Intel(R) PROSet/Wireless Software for Bluetooth(R) Technology
Intel(R) Rapid Storage Technology
Intel(R) Turbo Boost Technology Monitor 2.0
Intel(R) USB 3.0 eXtensible Host Controller Driver
Intel(R) WiDi
Intel(R) Wireless Display
Intel® Trusted Connect Service Client
iPhone Configuration Utility
iTunes
Java 7 Update 11
Java 7 Update 11 (64-bit)
Java Auto Updater
Junk Mail filter update
McAfee SecurityCenter
Mesh Runtime
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Access MUI (English) 2013
Microsoft Access Setup Metadata MUI (English) 2013
Microsoft Application Error Reporting
Microsoft DCF MUI (English) 2013
Microsoft Excel MUI (English) 2013
Microsoft Groove MUI (English) 2013
Microsoft InfoPath MUI (English) 2013
Microsoft Lync MUI (English) 2013
Microsoft Mouse and Keyboard Center
Microsoft Office 2010 Language Pack Service Pack 1 (SP1)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office 32-bit Components 2013
Microsoft Office Office 32-bit Components 2010
Microsoft Office OSM MUI (English) 2013
Microsoft Office OSM UX MUI (English) 2013
Microsoft Office Professional Plus 2013
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Proofing (English) 2013
Microsoft Office Proofing Tools 2013 - English
Microsoft Office Proofing Tools 2013 - Español
Microsoft Office Shared 32-bit MUI (English) 2010
Microsoft Office Shared 32-bit MUI (English) 2013
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared MUI (English) 2013
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2013
Microsoft Office Visio 2010
Microsoft Office Visio MUI (English) 2010
Microsoft OneNote MUI (English) 2013
Microsoft Outlook MUI (English) 2013
Microsoft PowerPoint MUI (English) 2013
Microsoft Publisher MUI (English) 2013
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visio 2010 Service Pack 1 (SP1)
Microsoft Visio Premium 2010
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Word MUI (English) 2013
Mozilla Firefox 18.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2721691)
MSXML 4.0 SP3 Parser (KB2758694)
MSXML 4.0 SP3 Parser (KB973685)
Nero 7 Essentials
neroxml
NVIDIA Control Panel 310.90
NVIDIA Graphics Driver 310.90
NVIDIA HD Audio Driver 1.3.12.0
NVIDIA Install Application
NVIDIA Optimus 1.11.3
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.1031
NVIDIA Update 1.11.3
NVIDIA Update Components
Outils de vérification linguistique 2013 de Microsoft Office - Français
PowerISO
Qualcomm Atheros Ethernet Controller
Quickset64
QuickTime
RealDownloader
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealNetworks - Microsoft Visual C++ 2010 Runtime
RealPlayer
Realtek USB 2.0 Reader Driver
RealUpgrade 1.1
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553447) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2687501) 64-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 64-Bit Edition
Security Update for Microsoft Visio 2010 (KB2687508) 64-Bit Edition
SES Driver
Shared C Run-time for x64
Skype™ 5.10
swMSM
System Requirements Lab CYRI
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2010 (KB2553181) 64-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 64-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2598242) 64-Bit Edition
Update for Microsoft Office 2010 (KB2687509) 64-Bit Edition
Update for Microsoft Office 2013 (KB2726961) 64-Bit Edition
Update for Microsoft Office 2013 (KB2752100) 64-Bit Edition
Update for Microsoft Office 2013 (KB2752101) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760311) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760621) 64-Bit Edition
Update for Microsoft Office 2013 (KB2760624) 64-Bit Edition
Update for Microsoft OneNote 2010 (KB2687277) 64-Bit Edition
Update for Microsoft PowerPoint 2013 (KB2726947) 64-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2589371) 64-Bit Edition
Update for Microsoft SharePoint Workspace 2013 (KB2760358) 64-Bit Edition
Update for Microsoft Visio Viewer 2013 (KB2751994) 64-Bit Edition
Update for Microsoft Word 2013 (KB2738044) 64-Bit Edition
Update for Microsoft Word 2013 (KB2752073) 64-Bit Edition
VC80CRTRedist - 8.0.50727.6195
Visual Studio 2010 x64 Redistributables
VLC media player 2.0.5
Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM (01/19/2011 1.0.0009.0)
Windows Live ???
Windows Live ????
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Language Selector
Windows Live Mail
Windows Live Mesh
Windows Live Mesh ActiveX Control for Remote Connections
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live Remote Client
Windows Live Remote Client Resources
Windows Live Remote Service
Windows Live Remote Service Resources
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinPcap 4.1.2
Wireshark 1.8.5 (64-bit)
WorldClock 3.0
Yahoo! Messenger
Zinio Reader 4
.
==== Event Viewer Messages From Past Week ========
.
31/1/2013 8:48:47 AM, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {1F87137D-0E7C-44D5-8C73-4EFFB68962F2}. The error: "5" Happened while starting this command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
31/1/2013 3:08:44 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR4.
31/1/2013 2:52:21 PM, Error: Service Control Manager [7034] - The Dell Digital Delivery Service service terminated unexpectedly. It has done this 1 time(s).
31/1/2013 2:49:59 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Office Software Protection Platform service to connect.
31/1/2013 2:49:59 PM, Error: Service Control Manager [7000] - The Office Software Protection Platform service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
31/1/2013 2:26:11 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
31/1/2013 2:22:06 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
31/1/2013 2:13:53 PM, Error: Service Control Manager [7023] - The Base Filtering Engine service terminated with the following error: Access is denied.
31/1/2013 2:13:53 PM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
31/1/2013 2:13:53 PM, Error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the Windows Firewall service which failed to start because of the following error: The dependency service or group failed to start.
31/1/2013 2:13:42 PM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
31/1/2013 2:13:42 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
31/1/2013 12:46:41 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
31/1/2013 12:46:37 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
31/1/2013 12:46:35 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
31/1/2013 12:38:00 AM, Error: Service Control Manager [7006] - The ScRegSetValueExW call failed for FailureActions with the following error: Access is denied.
31/1/2013 12:33:03 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
31/1/2013 12:29:27 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
31/1/2013 12:29:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
31/1/2013 12:29:27 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
31/1/2013 12:29:26 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
31/1/2013 12:29:26 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
31/1/2013 12:29:24 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
31/1/2013 12:29:17 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
31/1/2013 12:29:01 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgfwfd AVGIDSDriver Avgldx64 Avgtdia DfsC discache mfehidk NetBIOS NetBT nsiproxy Psched rdbss SCDEmu spldr tdx vwififlt Wanarpv6 WfpLwf
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The McAfee Anti-Spam Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
31/1/2013 12:29:01 AM, Error: Service Control Manager [7001] - The AVGIDSAgent service depends on the AVGIDSDriver service which failed to start because of the following error: A device attached to the system is not functioning.
31/1/2013 12:19:33 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Bluetooth OBEX Service service to connect.
31/1/2013 12:19:33 AM, Error: Service Control Manager [7000] - The Bluetooth OBEX Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
31/1/2013 12:19:33 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service Bluetooth OBEX Service with arguments "" in order to run the server: {E9E0D51D-F407-4D91-B294-C111F721A3AF}
31/1/2013 1:46:40 PM, Error: Service Control Manager [7001] - The IPsec Policy Agent service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
31/1/2013 1:46:40 PM, Error: Service Control Manager [7001] - The IKE and AuthIP IPsec Keying Modules service depends on the Base Filtering Engine service which failed to start because of the following error: Access is denied.
31/1/2013 1:00:47 PM, Error: Service Control Manager [7003] - The McAfee Personal Firewall Service service depends the following service: MpsSvc. This service might not be installed.
30/1/2013 8:59:32 AM, Error: Service Control Manager [7034] - The RealNetworks Downloader Resolver Service service terminated unexpectedly. It has done this 1 time(s).
30/1/2013 8:59:32 AM, Error: Service Control Manager [7034] - The Intel(R) Rapid Storage Technology service terminated unexpectedly. It has done this 1 time(s).
30/1/2013 8:59:32 AM, Error: Service Control Manager [7034] - The CxUtilSvc service terminated unexpectedly. It has done this 1 time(s).
30/1/2013 8:59:32 AM, Error: Service Control Manager [7034] - The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).
30/1/2013 7:44:48 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.
30/1/2013 7:42:47 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
30/1/2013 7:19:42 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR3.
30/1/2013 6:57:01 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.
30/1/2013 2:04:14 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service Bluetooth Device Monitor with arguments "" in order to run the server: {DABF28BE-F6B4-4E40-8F40-C4FB26F3116C}
30/1/2013 12:45:18 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache mfehidk NetBIOS NetBT nsiproxy Psched rdbss SCDEmu spldr tdx vwififlt Wanarpv6 WfpLwf
30/1/2013 12:44:36 PM, Error: Service Control Manager [7024] - The Power service terminated with service-specific error The operation completed successfully..
30/1/2013 1:07:56 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {395633B1-EED9-4DFC-B67F-9788B51C9F06}
29/1/2013 9:36:14 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Bluetooth Device Monitor service.
29/1/2013 11:26:46 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Apple Mobile Device service, but this action failed with the following error: An instance of the service is already running.
29/1/2013 11:25:46 AM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
29/1/2013 11:25:33 AM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
28/1/2013 11:14:25 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer ESWAR-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B67CA45B-DF54-4686-BC12-003B9FCE1D8F}. The master browser is stopping or an election is being forced.
.
==== End Of File ===========================
k_ramesh
Regular Member
Posts: 16
Joined: February 1st, 2013, 1:02 pm
Location: Singapore

Re: ZeroAccess.hp removal

Unread postby deltalima » February 2nd, 2013, 2:47 pm

Checking your log - back soon.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: ZeroAccess.hp removal

Unread postby deltalima » February 2nd, 2013, 2:58 pm

Hi k_ramesh,

Welcome to the forum.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please do not run any scans or make any changes to the system unless I ask you to.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please Note:
The programs I ask you to run need to be run in Administrator Mode by right-clicking the program file and selecting: Run as Administrator.
Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program.
When prompted, please select: Allow. Reference: User Account Control (UAC) and Running as Administrator

Remove P2P Programs

  • I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent

  • Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl, then press Enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red) and any other P2P you have installed NOW.
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

CKScanner

  • Please download CKScanner from here to your Desktop.
  • Make sure that CKScanner.exe is on your Desktop before running the application!
  • Right click on CKScanner.exe and select: Run as Administrator then click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will confirm that the file was saved.
  • Double-click on the CKFiles.txt icon on your Desktop and copy/paste the contents in your next reply.

Next

  • Please download this tool from Microsoft.
  • Right click on MGADiag.exe and select: Run as Administrator.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.


Please let me know if the computer is used for business in any way.

Please let me know how you obtained the license for Microsoft Office Professional Plus 2013.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: ZeroAccess.hp removal

Unread postby k_ramesh » February 3rd, 2013, 10:45 am

Hi Deltalima,

Appreciate your comments. You are right about the P2P program; even though it was used with care, as suggested I have removed it.
I understand the forum's disclaimers about help with cleaning malware. My laptop is used for personal use. Below are the logs that
were requested.

CKScanner output

CKScanner 2.1 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.ONAACQ
----- EOF -----

MGADiag output from Microsoft.

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-QCPVQ-KHRB8-RMV82
Windows Product Key Hash: +Rj3N34NLM2JqoBO/OzgzTZXgbY=
Windows Product ID: 00359-OEM-8992687-00095
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {60CF2C22-819A-458A-AF9B-45AA23BA808C}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.120830-0333
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{60CF2C22-819A-458A-AF9B-45AA23BA808C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-RMV82</PKey><PID>00359-OEM-8992687-00095</PID><PIDType>2</PIDType><SID>S-1-5-21-3460474830-230030113-1554268518</SID><SYSTEM><Manufacturer>Dell Inc. </Manufacturer><Model>Inspiron 5420</Model></SYSTEM><BIOS><Manufacturer>Dell Inc. </Manufacturer><Version>A13</Version><SMBIOSVersion major="2" minor="7"/><Date>20121218000000.000000+000</Date></BIOS><HWID>0F0E3F07018400FE</HWID><UserLCID>4809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Malay Peninsula Standard Time(GMT+08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>DELL </OEMID><OEMTableID>QA09 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, HomePremium edition
Description: Windows Operating System - Windows(R) 7, OEM_SLP channel
Activation ID: d2c04e90-c3dd-4260-b0f3-f845f5d27d64
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00359-00178-926-800095-02-1033-7601.0000-1662012
Installation ID: 017670314141771253333673408064428724863414056473300025
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: RMV82
License Status: Licensed
Remaining Windows rearm count: 2
Trusted time: 3/2/2013 10:36:04 PM

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 12:24:2012 12:24
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: MgAAAAEAAQABAAIAAAABAAAABAABAAEAln0Q0YrsMKDIiLSCuDHY2boLWNWSTWI6lmM=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC DELL QA09
FACP DELL QA09
HPET DELL QA09
MCFG DELL QA09
SLIC DELL QA09
SSDT DELL PtidDevc
ASF! DELL QA09
FPDT DELL QA09
SSDT DELL PtidDevc
SSDT DELL PtidDevc
UEFI DELL QA09
UEFI DELL QA09
POAT DELL QA09
SSDT DELL PtidDevc
UEFI DELL QA09
DBG2 DELL QA09

Letting you know that I have installed Comodo Firewall instead of McAfee after I uploaded the installed program files.

Regards.
kr/-
k_ramesh
Regular Member
Posts: 16
Joined: February 1st, 2013, 1:02 pm
Location: Singapore

Re: ZeroAccess.hp removal

Unread postby deltalima » February 3rd, 2013, 11:10 am

Hi k_ramesh,

Did you have any problems running CKScanner? How many times did you run it?

Please answer the question about the license for Microsoft Office Professional Plus 2013.

Please post the log from Combofix (it should be located at c:\Combofix.txt) and the log from TDSSKiller (the log will have a name like Name.Version_Date_Time_log.txt, for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt).
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: ZeroAccess.hp removal

Unread postby k_ramesh » February 3rd, 2013, 11:55 am

Hi deltalima,

I ran CKScanner twice and the result is the same.

Can you let me know specifically what you want to know about Microsoft Office Professional Plus 2013 license?

Combofix log is below. I did not run TDSSKiller.

ComboFix 13-01-30.04 - kramesh 31/01/2013 14:17:11.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.65.1033.18.8052.6227 [GMT 8:00]
Running from: c:\users\kramesh\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
FW: McAfee Firewall *Disabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\PCDr\6032\AddOnDownloaded\18d25bc5-acbb-424f-a6c6-d04a97765094.dll
c:\programdata\PCDr\6032\AddOnDownloaded\2141cd58-3a24-481f-8ca2-8b466c9b797f.dll
c:\programdata\PCDr\6032\AddOnDownloaded\2d2ff7e2-f0f8-4f32-a28e-e44234dd3300.dll
c:\programdata\PCDr\6032\AddOnDownloaded\3e137363-345c-454a-a474-2da300d9297a.dll
c:\programdata\PCDr\6032\AddOnDownloaded\489a0734-0bcc-462a-8a9c-29a40f0007b9.dll
c:\programdata\PCDr\6032\AddOnDownloaded\59abf7b9-a4a7-4d76-9ad6-13c7bb2f4d0b.dll
c:\programdata\PCDr\6032\AddOnDownloaded\5f996ddf-fafd-4f93-b623-a362758305b9.dll
c:\programdata\PCDr\6032\AddOnDownloaded\63acf506-979e-4b72-a7ce-2af6dc2b98c4.dll
c:\programdata\PCDr\6032\AddOnDownloaded\65a823a3-a5fc-440a-b276-153555251042.dll
c:\programdata\PCDr\6032\AddOnDownloaded\b967e9c4-897a-42c8-96d2-4ceb543f8cdb.dll
c:\programdata\PCDr\6032\AddOnDownloaded\e3146f6d-11b3-4a00-a026-1ba8b4bb00ff.dll
c:\programdata\PCDr\6032\AddOnDownloaded\f4d48f15-9f33-4b3f-a84f-bc8b2800e772.dll
c:\programdata\Roaming
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-28 to 2013-01-31 )))))))))))))))))))))))))))))))
.
.
2013-01-31 06:25 . 2013-01-31 06:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-31 00:34 . 2009-07-14 01:39 328704 ----a-w- c:\windows\system32\Services.exe
2013-01-30 18:11 . 2013-01-30 18:11 -------- d-----w- c:\programdata\Kaspersky Lab
2013-01-30 16:42 . 2013-01-30 16:42 -------- d-----w- c:\users\kramesh\AppData\Local\Avg2013
2013-01-30 14:53 . 2013-01-30 14:53 -------- d-----w- c:\users\kramesh\AppData\Roaming\Malwarebytes
2013-01-30 14:53 . 2013-01-30 14:53 -------- d-----w- c:\programdata\Malwarebytes
2013-01-30 10:22 . 2013-01-30 10:22 -------- d-----w- c:\users\kramesh\AppData\Roaming\TuneUp Software
2013-01-30 10:05 . 2013-01-30 16:42 -------- d-----w- c:\programdata\MFAData
2013-01-30 10:05 . 2013-01-30 10:05 -------- d--h--w- c:\programdata\Common Files
2013-01-30 10:05 . 2013-01-30 10:05 -------- d-----w- c:\users\kramesh\AppData\Local\MFAData
2013-01-30 00:59 . 2013-01-30 01:43 16200 ----a-w- c:\windows\stinger.sys
2013-01-30 00:58 . 2013-01-30 09:32 -------- d-----w- c:\program files (x86)\stinger
2013-01-27 17:00 . 2013-01-27 17:00 -------- d-----w- c:\users\kramesh\AppData\Roaming\Prodiance
2013-01-18 16:51 . 2013-01-18 16:51 -------- d-----w- c:\program files\WDCSAM
2013-01-18 15:56 . 2013-01-18 15:56 -------- d-----w- c:\programdata\Western Digital
2013-01-18 15:27 . 2013-01-18 15:27 -------- d-----w- c:\program files\DIFX
2013-01-18 15:26 . 2013-01-18 15:26 -------- d-----w- c:\users\kramesh\AppData\Local\Western Digital
2013-01-14 15:22 . 2012-06-18 05:32 2784416 ----a-w- c:\windows\system32\UCI64A06.DLL
2013-01-14 15:22 . 2012-06-21 07:57 1578656 ----a-w- c:\windows\system32\CX64AP66.dll
2013-01-14 06:06 . 2013-01-14 06:06 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-01-14 06:06 . 2013-01-14 06:06 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-01-14 06:05 . 2013-01-14 06:05 308640 ----a-w- c:\windows\system32\javaws.exe
2013-01-14 06:05 . 2013-01-14 06:05 108448 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2013-01-14 06:05 . 2013-01-14 06:05 188832 ----a-w- c:\windows\system32\javaw.exe
2013-01-14 06:05 . 2013-01-14 06:05 188832 ----a-w- c:\windows\system32\java.exe
2013-01-11 15:13 . 2013-01-25 06:00 -------- d-----w- c:\users\kramesh\AppData\Roaming\vlc
2013-01-11 08:51 . 2013-01-11 08:51 -------- d-----w- c:\program files (x86)\DAMN NFO Viewer
2013-01-11 01:25 . 2013-01-11 01:25 -------- d-----w- c:\users\kramesh\AppData\Local\ArcSoft
2013-01-11 01:25 . 2013-01-11 01:25 -------- d-----w- c:\programdata\ArcSoft
2013-01-10 16:02 . 2013-01-12 04:02 -------- d-----w- c:\program files\Common Files\DESIGNER
2013-01-10 16:02 . 2013-01-10 16:02 -------- d-----w- c:\program files (x86)\Microsoft SQL Server
2013-01-10 16:02 . 2013-01-10 16:02 -------- d-----w- c:\program files\Microsoft.NET
2013-01-10 16:01 . 2013-01-12 03:58 -------- d-----w- c:\programdata\regid.1991-06.com.microsoft
2013-01-10 16:01 . 2013-01-10 16:02 -------- d-----w- c:\program files\Microsoft SQL Server
2013-01-10 16:01 . 2013-01-10 16:01 -------- d-----w- c:\windows\PCHEALTH
2013-01-10 16:00 . 2013-01-10 16:00 -------- d-----w- c:\program files\Microsoft Analysis Services
2013-01-10 16:00 . 2013-01-10 16:00 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2013-01-10 15:59 . 2013-01-12 04:02 -------- d-----w- c:\program files\Microsoft Office
2013-01-10 15:58 . 2013-01-10 15:58 -------- d-----r- C:\MSOCache
2013-01-10 14:03 . 2013-01-10 14:03 -------- d-----w- c:\program files (x86)\uTorrent
2013-01-10 14:02 . 2013-01-29 15:37 -------- d-----w- c:\users\kramesh\AppData\Roaming\uTorrent
2013-01-09 08:51 . 2012-12-07 11:20 43520 ----a-w- c:\windows\system32\csrr.rs
2013-01-06 02:37 . 2013-01-06 02:37 -------- d-----w- c:\windows\SysWow64\NV
2013-01-06 02:37 . 2013-01-06 02:37 -------- d-----w- c:\windows\system32\NV
2013-01-06 02:31 . 2013-01-31 04:48 -------- d-----w- c:\users\UpdatusUser
2013-01-06 02:31 . 2012-12-29 08:40 6382008 ----a-w- c:\windows\system32\nvcpl.dll
2013-01-06 02:31 . 2012-12-29 08:40 3455416 ----a-w- c:\windows\system32\nvsvc64.dll
2013-01-06 02:31 . 2012-12-29 08:40 2923201 ----a-w- c:\windows\system32\nvcoproc.bin
2013-01-06 02:31 . 2012-12-29 08:40 997816 ----a-w- c:\windows\system32\nv3dappshext.dll
2013-01-06 02:31 . 2012-12-29 08:40 884152 ----a-w- c:\windows\system32\nvvsvc.exe
2013-01-06 02:31 . 2012-12-29 08:40 63928 ----a-w- c:\windows\system32\nvshext.dll
2013-01-06 02:31 . 2012-12-29 08:40 55736 ----a-w- c:\windows\system32\nv3dappshextr.dll
2013-01-06 02:31 . 2012-12-29 08:40 2558392 ----a-w- c:\windows\system32\nvsvcr.dll
2013-01-06 02:31 . 2012-12-29 08:40 118712 ----a-w- c:\windows\system32\nvmctray.dll
2013-01-06 02:31 . 2013-01-06 02:31 -------- d-----w- c:\programdata\NVIDIA Corporation
2013-01-05 03:22 . 2013-01-05 03:22 50800 ----a-w- c:\windows\system32\drivers\point64.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-18 15:44 . 2012-12-03 21:21 791608 ----a-w- c:\windows\system32\drivers\iusb3xhc.sys
2013-01-18 15:44 . 2012-12-03 21:21 358456 ----a-w- c:\windows\system32\drivers\iusb3hub.sys
2013-01-18 15:44 . 2012-12-03 21:21 20024 ----a-w- c:\windows\system32\drivers\iusb3hcs.sys
2013-01-18 15:44 . 2012-06-14 09:48 41984 ----a-w- c:\windows\system32\drivers\USB3Ver.dll
2013-01-14 06:06 . 2012-06-20 09:51 859552 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-01-14 06:06 . 2012-06-20 09:51 780192 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-01-14 06:05 . 2012-06-19 07:07 960416 ----a-w- c:\windows\system32\deployJava1.dll
2013-01-14 06:05 . 2012-06-19 07:07 1081760 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-01-09 09:29 . 2012-06-14 09:30 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-09 09:29 . 2012-06-14 09:30 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-01-09 08:57 . 2012-06-19 12:52 67599240 ----a-w- c:\windows\system32\MRT.exe
2012-12-26 01:55 . 2011-03-13 16:20 69672 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-12-26 01:52 . 2011-03-13 16:20 339776 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2012-12-26 01:52 . 2012-06-14 10:17 182312 ----a-w- c:\windows\system32\mfevtps.exe
2012-12-26 01:51 . 2012-06-14 10:18 10288 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-12-26 01:51 . 2011-03-13 16:20 106112 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-12-26 01:50 . 2011-03-13 16:20 771096 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2012-12-26 01:49 . 2011-03-13 16:20 515528 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-12-26 01:49 . 2011-03-13 16:20 309400 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-12-26 01:48 . 2011-03-13 16:20 178840 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2012-12-16 17:11 . 2012-12-21 08:25 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-21 08:25 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-21 08:25 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-21 08:25 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-12-13 05:50 . 2012-12-13 05:50 6112864 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-12-13 05:50 . 2012-12-13 05:50 54784 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-12-06 04:11 . 2012-12-06 04:11 11518976 ----a-w- c:\windows\system32\drivers\Netwsw00.sys
2012-12-05 06:14 . 2012-12-16 00:50 139264 ----a-w- c:\windows\SysWow64\bzpdfc.dll
2012-12-05 06:14 . 2012-12-16 00:50 218624 ----a-w- c:\windows\system32\bzpdf.dll
2012-11-30 04:45 . 2013-01-09 08:52 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-11-14 07:06 . 2012-12-13 02:30 17811968 ----a-w- c:\windows\system32\mshtml.dll
2012-11-14 06:32 . 2012-12-13 02:30 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-11-14 06:11 . 2012-12-13 02:30 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 06:04 . 2012-12-13 02:30 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-11-14 06:04 . 2012-12-13 02:30 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 06:02 . 2012-12-13 02:30 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 06:02 . 2012-12-13 02:30 237056 ----a-w- c:\windows\system32\url.dll
2012-11-14 05:59 . 2012-12-13 02:30 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-11-14 05:58 . 2012-12-13 02:30 816640 ----a-w- c:\windows\system32\jscript.dll
2012-11-14 05:57 . 2012-12-13 02:30 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 05:57 . 2012-12-13 02:30 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 05:55 . 2012-12-13 02:30 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-11-14 05:55 . 2012-12-13 02:30 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-11-14 05:53 . 2012-12-13 02:30 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-11-14 05:52 . 2012-12-13 02:30 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-14 05:46 . 2012-12-13 02:30 248320 ----a-w- c:\windows\system32\ieui.dll
2012-11-14 02:09 . 2012-12-13 02:30 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-11-14 01:58 . 2012-12-13 02:30 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-11-14 01:57 . 2012-12-13 02:30 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-11-14 01:49 . 2012-12-13 02:30 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-11-14 01:48 . 2012-12-13 02:30 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-11-14 01:44 . 2012-12-13 02:30 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-11-09 05:45 . 2012-12-13 01:31 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-09 04:42 . 2012-12-13 01:31 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-11-08 03:29 . 2012-11-08 03:29 1402312 ----a-w- c:\windows\SysWow64\msxml4.dll
2012-11-06 01:22 . 2012-11-06 01:22 402944 ----a-w- c:\windows\system32\mbtleapi.dll
2012-11-06 01:22 . 2012-11-06 01:22 303104 ----a-w- c:\windows\SysWow64\mbtleapi.dll
2012-11-06 01:19 . 2012-11-06 01:19 1345920 ----a-w- c:\windows\system32\drivers\btmhsf.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2012-12-08 21:43 1720928 ----a-w- c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2012-12-08 21:43 1720928 ----a-w- c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2012-12-08 21:43 1720928 ----a-w- c:\progra~2\MICROS~1\Office15\GROOVEEX.DLL
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe" [2012-02-29 56088]
"USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2013-01-18 291648]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-01-14 1534504]
"AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2012-02-01 968048]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-04-17 651264]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2012-05-09 577536]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-24 421888]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-12-13 295072]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"FATrayAlert"="c:\program files (x86)\Sensible Vision\Fast Access\FATrayMon.exe" [2012-02-14 96240]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\users\kramesh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
_uninst_37614240.lnk - c:\users\kramesh\AppData\Local\Temp\_uninst_37614240.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FastAccess]
2012-02-14 08:26 153584 ----a-w- c:\program files (x86)\Sensible Vision\Fast Access\FALogNot.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli FAPassSync
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 DellDigitalDelivery;Dell Digital Delivery Service;c:\program files (x86)\Dell Digital Delivery\DeliveryService.exe [2012-04-10 166912]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-07-13 160944]
R3 ALSysIO;ALSysIO;c:\users\kramesh\AppData\Local\Temp\ALSysIO64.sys [x]
R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2012-01-09 195584]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-06-07 191752]
R3 btmaudio;Intel Bluetooth Audio Service;c:\windows\system32\drivers\btmaud.sys [x]
R3 FACAP;facap, FastAccess Video Capture;c:\windows\system32\DRIVERS\facap.sys [2008-09-25 238848]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-04-20 196440]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-02 33736]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]
R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys [2011-12-20 34200]
R3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [2011-03-08 224704]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-12-26 106112]
R3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;c:\windows\system32\drivers\nvstusb.sys [2012-01-31 300864]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2012-10-01 178824]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 19456]
R3 TDKLIB;TDKLIB;c:\users\kramesh\AppData\Local\Temp\TdkLib64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 57856]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 30208]
R3 TurboBoost;Intel(R) Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe [2010-11-29 149504]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-12-13 54784]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-19 1255736]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2008-05-06 14464]
R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2012-08-31 201304]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys [2013-01-18 20024]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-12-26 339776]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys [2012-12-29 30648]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-05-12 249648]
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2012-11-06 1120192]
S2 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2012-11-06 1361856]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2012-11-06 1140672]
S2 CxUtilSvc;CxUtilSvc;c:\program files\Conexant\SA3\CxUtilSvc.exe [2011-10-11 109184]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2009-09-13 166400]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2009-09-13 128512]
S2 FAService;FAService;c:\program files (x86)\Sensible Vision\Fast Access\FAService.exe [2012-02-14 2451440]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-02-01 13592]
S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2012-01-11 627936]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-08-31 201304]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2012-08-31 201304]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-12-26 218320]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-12-26 182312]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35344]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2012-03-23 87040]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2012-11-29 38608]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2012-02-16 1695040]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2010-11-29 16120]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-01-20 363800]
S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2012-10-30 131968]
S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2012-11-06 1345920]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-12-26 69672]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2011-06-16 176000]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2012-06-24 52320]
S3 ibtfltcoex;ibtfltcoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2012-08-06 68136]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-06 331264]
S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys [2013-01-18 358456]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys [2013-01-18 791608]
S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys [2011-12-20 25496]
S3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2012-04-25 104560]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-12-26 515528]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2013-01-05 50800]
S3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTSUVSTOR.sys [2011-07-28 313448]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-14 09:30]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2012-12-08 21:40 2323040 ----a-w- c:\progra~1\MICROS~3\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2012-12-08 21:40 2323040 ----a-w- c:\progra~1\MICROS~3\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2012-12-08 21:40 2323040 ----a-w- c:\progra~1\MICROS~3\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2012-04-09 626552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-04-05 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-04-05 398616]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-04-05 439064]
"IntelTBRunOnce"="wscript.exe" [2009-07-14 168960]
"Stage Remote"="c:\program files (x86)\Dell\Stage Remote\StageRemote.exe" [2011-08-08 2034752]
"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2012-02-01 2195824]
"IntelliType Pro"="c:\program files\Microsoft Device Center\itype.exe" [2012-06-26 1464928]
"IntelliPoint"="c:\program files\Microsoft Device Center\ipoint.exe" [2012-06-26 2004584]
"SmartAudio"="c:\program files\CONEXANT\SA3\SACpl.exe" [2012-06-13 1647616]
"BLEServicesCtrl"="c:\program files (x86)\Intel\Bluetooth\BleServicesCtrl.exe" [2012-09-16 184112]
"BTMTrayAgent"="c:\program files (x86)\Intel\Bluetooth\btmshellex.dll" [2012-11-16 11585408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www1.ap.dell.com/content/default ... l=en&s=gen
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office15\ONBttnIE.dll/105
IE: Send to Bluetooth - c:\program files (x86)\Intel\Bluetooth\btSendToObject.htm
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\kramesh\AppData\Roaming\Mozilla\Firefox\Profiles\74yb0jmc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=mkg030&p=
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mkg030&p=
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-01-10 13:08; admin@indiarailinfo.com; c:\users\kramesh\AppData\Roaming\Mozilla\Firefox\Profiles\74yb0jmc.default\extensions\admin@indiarailinfo.com.xpi
FF - ExtSQL: 2013-01-30 07:51; {D19CA586-DD6C-4a0a-96F8-14644F340D60}; c:\program files (x86)\Common Files\McAfee\SystemCore
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-WorldClock - (no file)
Wow6432Node-HKLM-Run-Adobe Reader Speed Launcher - c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe
Wow6432Node-HKLM-Run-FAStartup - (no file)
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-01-31 14:40:46 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-31 06:40
.
Pre-Run: 422,357,839,872 bytes free
Post-Run: 427,428,540,416 bytes free
.
- - End Of File - - D9C28F80BE7FA855A5BD269F5275FC0A
k_ramesh
Regular Member
 
Posts: 16
Joined: February 1st, 2013, 1:02 pm
Location: Singapore

Re: ZeroAccess.hp removal

Unread post by deltalima » February 3rd, 2013, 11:59 am

Hi k_ramesh,

Can you let me know specifically what you want to know about the Microsoft Office Professional Plus 2013 license?


How did you obtain the license?

The software is only available to corporate users via a Volume License Key.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: ZeroAccess.hp removal

Unread post by k_ramesh » February 3rd, 2013, 12:11 pm

You are right. It is a corporate license which covers personal PCs supplied through Office. :)
k_ramesh
Regular Member
 
Posts: 16
Joined: February 1st, 2013, 1:02 pm
Location: Singapore

Re: ZeroAccess.hp removal

Unread post by deltalima » February 3rd, 2013, 12:26 pm

Hi k_ramesh,

The Combofix log does confirm that you were infected with Zero Access rootkit.

As the logs have confirmed a rootkit infection I need to give you the following warning.

Rootkit Warning

One or more of the identified infections you had was related to a rootkit component.
Rootkits are very dangerous because they use advanced techniques as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker.
Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install.
Remote attackers use rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, Paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.
Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and appears to have been removed, your PC may be compromised and there is no way to be sure the computer can ever be trusted again.
It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure.
Further, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice we cannot guarantee your computer to be trustworthy or that the malware removal has been completely successful.

If you choose not to reformat then please run the following scan.

Please download GMER Rootkit Scanner from here.
  • Right click the .exe file and select: Run as Administrator. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: ZeroAccess.hp removal

Unread post by k_ramesh » February 3rd, 2013, 11:48 pm

Hi deltalima,

After going through the above links it is a bit of solace that computers behind NAT are somewhat protected compared with
computers which are directly connected to the internet. After McAfee detected the Trojan, I had disconnected the internet
connection immediately and used it to search the internet for a solution and to download the software to clean it.
The Kaspersky standalone virus cleaner was able to clean the major portion of the virus. For the firewall issue, as suggested through the
Microsoft security website, I used Combofix to clean it. The above is to give you a background of how the cleaning
of the laptop was done.

GMER scan log is as below - Part 1
GMER 2.0.18454 - http://www.gmer.net
Rootkit scan 2013-02-04 01:39:53
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD10 rev.01.0 931.51GB
Running: um59ijft.exe; Driver: C:\Users\kramesh\AppData\Local\Temp\uwtiafoc.sys


---- User code sections - GMER 2.0 ----

.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43ae0 6 bytes {JMP QWORD [RIP+0x85fc550]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a71400 6 bytes {JMP QWORD [RIP+0x85aec30]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 6 bytes {JMP QWORD [RIP+0x874ea60]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a71640 6 bytes {JMP QWORD [RIP+0x882e9f0]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 6 bytes {JMP QWORD [RIP+0x87ee9b0]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a71720 6 bytes {JMP QWORD [RIP+0x884e910]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 6 bytes {JMP QWORD [RIP+0x87ce880]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 6 bytes {JMP QWORD [RIP+0x86ce840]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 6 bytes {JMP QWORD [RIP+0x86ee7f0]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a71860 6 bytes {JMP QWORD [RIP+0x880e7d0]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a71a50 6 bytes {JMP QWORD [RIP+0x88ce5e0]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 6 bytes {JMP QWORD [RIP+0x86ae4d0]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a71c30 6 bytes {JMP QWORD [RIP+0x876e400]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a71d80 6 bytes {JMP QWORD [RIP+0x886e2b0]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 6 bytes {JMP QWORD [RIP+0x88ae2a0]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 6 bytes {JMP QWORD [RIP+0x878df30]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a72190 6 bytes {JMP QWORD [RIP+0x888dea0]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 6 bytes {JMP QWORD [RIP+0x87ad630]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 6 bytes {JMP QWORD [RIP+0x870d5b0]}
.text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 6 bytes {JMP QWORD [RIP+0x872d530]}
.text C:\Windows\system32\services.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]}
.text C:\Windows\system32\services.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]}
.text C:\Windows\system32\services.exe[584] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43ae0 6 bytes {JMP QWORD [RIP+0x85fc550]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a71400 6 bytes {JMP QWORD [RIP+0x85aec30]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 6 bytes {JMP QWORD [RIP+0x874ea60]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a71640 6 bytes {JMP QWORD [RIP+0x882e9f0]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 6 bytes {JMP QWORD [RIP+0x87ee9b0]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a71720 6 bytes {JMP QWORD [RIP+0x884e910]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 6 bytes {JMP QWORD [RIP+0x87ce880]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 6 bytes {JMP QWORD [RIP+0x86ce840]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 6 bytes {JMP QWORD [RIP+0x86ee7f0]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a71860 6 bytes {JMP QWORD [RIP+0x880e7d0]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a71a50 6 bytes {JMP QWORD [RIP+0x88ce5e0]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 6 bytes {JMP QWORD [RIP+0x86ae4d0]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a71c30 6 bytes {JMP QWORD [RIP+0x876e400]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a71d80 6 bytes {JMP QWORD [RIP+0x886e2b0]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 6 bytes {JMP QWORD [RIP+0x88ae2a0]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 6 bytes {JMP QWORD [RIP+0x878df30]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a72190 6 bytes {JMP QWORD [RIP+0x888dea0]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 6 bytes {JMP QWORD [RIP+0x87ad630]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 6 bytes {JMP QWORD [RIP+0x870d5b0]}
.text C:\Windows\system32\lsass.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 6 bytes {JMP QWORD [RIP+0x872d530]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43ae0 6 bytes {JMP QWORD [RIP+0x85fc550]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a71400 6 bytes {JMP QWORD [RIP+0x85aec30]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 6 bytes {JMP QWORD [RIP+0x874ea60]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a71640 6 bytes {JMP QWORD [RIP+0x882e9f0]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 6 bytes {JMP QWORD [RIP+0x87ee9b0]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a71720 6 bytes {JMP QWORD [RIP+0x884e910]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 6 bytes {JMP QWORD [RIP+0x87ce880]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 6 bytes {JMP QWORD [RIP+0x86ce840]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 6 bytes {JMP QWORD [RIP+0x86ee7f0]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a71860 6 bytes {JMP QWORD [RIP+0x880e7d0]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a71a50 6 bytes {JMP QWORD [RIP+0x88ce5e0]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 6 bytes {JMP QWORD [RIP+0x86ae4d0]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a71c30 6 bytes {JMP QWORD [RIP+0x876e400]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a71d80 6 bytes {JMP QWORD [RIP+0x886e2b0]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 6 bytes {JMP QWORD [RIP+0x88ae2a0]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 6 bytes {JMP QWORD [RIP+0x878df30]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a72190 6 bytes {JMP QWORD [RIP+0x888dea0]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 6 bytes {JMP QWORD [RIP+0x87ad630]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 6 bytes {JMP QWORD [RIP+0x870d5b0]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 6 bytes {JMP QWORD [RIP+0x872d530]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]}
.text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43ae0 6 bytes {JMP QWORD [RIP+0x85fc550]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a71400 6 bytes {JMP QWORD [RIP+0x85aec30]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 6 bytes {JMP QWORD [RIP+0x874ea60]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a71640 6 bytes {JMP QWORD [RIP+0x882e9f0]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 6 bytes {JMP QWORD [RIP+0x87ee9b0]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a71720 6 bytes {JMP QWORD [RIP+0x884e910]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 6 bytes {JMP QWORD [RIP+0x87ce880]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 6 bytes {JMP QWORD [RIP+0x86ce840]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 6 bytes {JMP QWORD [RIP+0x86ee7f0]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a71860 6 bytes {JMP QWORD [RIP+0x880e7d0]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a71a50 6 bytes {JMP QWORD [RIP+0x88ce5e0]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 6 bytes {JMP QWORD [RIP+0x86ae4d0]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a71c30 6 bytes {JMP QWORD [RIP+0x876e400]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a71d80 6 bytes {JMP QWORD [RIP+0x886e2b0]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 6 bytes {JMP QWORD [RIP+0x88ae2a0]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 6 bytes {JMP QWORD [RIP+0x878df30]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a72190 6 bytes {JMP QWORD [RIP+0x888dea0]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 6 bytes {JMP QWORD [RIP+0x87ad630]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 6 bytes {JMP QWORD [RIP+0x870d5b0]}
.text C:\Windows\system32\svchost.exe[1132] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 6 bytes {JMP QWORD [RIP+0x872d530]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43ae0 6 bytes {JMP QWORD [RIP+0x85fc550]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a71400 6 bytes {JMP QWORD [RIP+0x85aec30]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 6 bytes {JMP QWORD [RIP+0x874ea60]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a71640 6 bytes {JMP QWORD [RIP+0x882e9f0]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 6 bytes {JMP QWORD [RIP+0x87ee9b0]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a71720 6 bytes {JMP QWORD [RIP+0x884e910]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 6 bytes {JMP QWORD [RIP+0x87ce880]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 6 bytes {JMP QWORD [RIP+0x86ce840]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 6 bytes {JMP QWORD [RIP+0x86ee7f0]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a71860 6 bytes {JMP QWORD [RIP+0x880e7d0]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a71a50 6 bytes {JMP QWORD [RIP+0x88ce5e0]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 6 bytes {JMP QWORD [RIP+0x86ae4d0]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a71c30 6 bytes {JMP QWORD [RIP+0x876e400]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a71d80 6 bytes {JMP QWORD [RIP+0x886e2b0]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 6 bytes {JMP QWORD [RIP+0x88ae2a0]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 6 bytes {JMP QWORD [RIP+0x878df30]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a72190 6 bytes {JMP QWORD [RIP+0x888dea0]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 6 bytes {JMP QWORD [RIP+0x87ad630]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 6 bytes {JMP QWORD [RIP+0x870d5b0]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 6 bytes {JMP QWORD [RIP+0x872d530]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]}
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefe149aa5 3 bytes [65, 65, 06]
.text C:\Windows\system32\svchost.exe[1276] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe155290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43ae0 6 bytes {JMP QWORD [RIP+0x85fc550]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a71400 6 bytes {JMP QWORD [RIP+0x85aec30]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 6 bytes {JMP QWORD [RIP+0x874ea60]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a71640 6 bytes {JMP QWORD [RIP+0x882e9f0]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 6 bytes {JMP QWORD [RIP+0x87ee9b0]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a71720 6 bytes {JMP QWORD [RIP+0x884e910]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 6 bytes {JMP QWORD [RIP+0x87ce880]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 6 bytes {JMP QWORD [RIP+0x86ce840]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 6 bytes {JMP QWORD [RIP+0x86ee7f0]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a71860 6 bytes {JMP QWORD [RIP+0x880e7d0]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a71a50 6 bytes {JMP QWORD [RIP+0x88ce5e0]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 6 bytes {JMP QWORD [RIP+0x86ae4d0]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a71c30 6 bytes {JMP QWORD [RIP+0x876e400]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a71d80 6 bytes {JMP QWORD [RIP+0x886e2b0]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 6 bytes {JMP QWORD [RIP+0x88ae2a0]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 6 bytes {JMP QWORD [RIP+0x878df30]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a72190 6 bytes {JMP QWORD [RIP+0x888dea0]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 6 bytes {JMP QWORD [RIP+0x87ad630]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 6 bytes {JMP QWORD [RIP+0x870d5b0]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 6 bytes {JMP QWORD [RIP+0x872d530]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]}
.text C:\Windows\System32\svchost.exe[1320] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feffc7a1a0 6 bytes {JMP QWORD [RIP+0xe5e90]}
.text C:\Windows\System32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43ae0 6 bytes {JMP QWORD [RIP+0x85fc550]}
.text C:\Windows\System32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a71400 6 bytes {JMP QWORD [RIP+0x85aec30]}
.text C:\Windows\System32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 6 bytes {JMP QWORD [RIP+0x874ea60]}
.text C:\Windows\System32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a71640 6 bytes {JMP QWORD [RIP+0x882e9f0]}
.text C:\Windows\System32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 6 bytes {JMP QWORD [RIP+0x87ee9b0]}
.text C:\Windows\System32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a71720 6 bytes {JMP QWORD [RIP+0x884e910]}
.text C:\Windows\System32\svchost.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 6 bytes {JMP QWORD [RIP+0x87ce880]}
k_ramesh
Regular Member
 
Posts: 16
Joined: February 1st, 2013, 1:02 pm
Location: Singapore

Re: ZeroAccess.hp removal

Unread postby k_ramesh » February 4th, 2013, 12:04 am

GMER scanlog Part 2
k_ramesh
Regular Member
 
Posts: 16
Joined: February 1st, 2013, 1:02 pm
Location: Singapore
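Reading hundreds of GMER `.text` hook rows by hand is tedious, so here is an added triage script (my own example, not part of this thread and not GMER's or the forum's code) that parses rows in the layout shown above, groups them by hooked export, and flags hooks that appear in only one process or that are not a plain prologue `JMP`. The sample log inside it is constructed in the same format with hypothetical process names, PIDs and byte values. The heuristic is an assumption of the example, not a verdict on this machine: hooks applied identically across every user-mode process are the usual footprint of an installed security product or other system-wide hooking library, while a hook present in a single process, or a patch in the body of a function rather than at its entry, deserves a closer look. The `[FF, 25, ...]` rows are the opening bytes of an indirect `JMP [mem]` that GMER prints in two rows for WoW64 processes; the 64-bit rows are the same instruction already disassembled as `{JMP QWORD [RIP+...]}`.

```python
import re
from collections import defaultdict

# One GMER ".text" user-mode hook row. Three shapes occur in the log:
#   ...ntdll.dll!NtClose 0000000077c1f9c0 3 bytes [FF, 25, 1E]            (raw patched bytes)
#   ...ntdll.dll!NtClose + 4 0000000077c1f9c4 2 bytes [AE, 71]            (tail of the same patch)
#   ...kernel32.dll!CreateProcessW 000000007720103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<func>\w+)(?:\s*\+\s*(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<n>\d+)\s+bytes\s+(?P<payload>[\[{].*[\]}])\s*$"
)

# Constructed sample in the same layout as the posted GMER output. Process names,
# PIDs, addresses and byte values are hypothetical, not taken from the user's log.
SAMPLE_LOG = r"""
.text C:\Program Files (x86)\Vendor A\svcA.exe[1001] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c1f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Vendor A\svcA.exe[1001] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c1f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\Vendor A\svcA.exe[1001] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007720103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\Vendor B\svcB.exe[1002] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c1f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Vendor B\svcB.exe[1002] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c1f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\Vendor B\svcB.exe[1002] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007720103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a71400 6 bytes {JMP QWORD [RIP+0x85aec30]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefe149aa5 3 bytes [65, 65, 06]
.text C:\Program Files (x86)\Vendor C\tool.exe[3333] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 0000000077c1fd00 5 bytes [E9, 10, 20, 30, 40]
"""


def patch_kind(offset, payload):
    """Classify what GMER saw at the hooked address (heuristic, see lead-in)."""
    if payload.startswith("{JMP") or payload.startswith("[FF, 25"):
        return "jmp_indirect"      # FF 25 = JMP [mem]; the 64-bit rows are already disassembled
    if payload.startswith("[E9"):
        return "jmp_rel32"         # E9 = JMP rel32, a direct detour
    if 0 < offset < 8:
        return "continuation"      # tail bytes of a patch GMER split across two rows
    return "in_body_patch" if offset >= 8 else "other"


def parse_hooks(log_text):
    """Return one record per .text hook row; any other line is ignored."""
    records = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "proc": f'{m["proc"]}[{m["pid"]}]',
            "module": m["module"].rsplit("\\", 1)[-1].lower(),   # fold SysWOW64/system32 paths
            "func": m["func"],
            "offset": int(m["off"] or 0),
            "payload": m["payload"],
        })
    return records


def triage(log_text):
    """Group hooks by module!export and flag the ones worth a manual look."""
    records = parse_hooks(log_text)
    all_procs = {r["proc"] for r in records}
    groups = defaultdict(lambda: {"procs": set(), "kinds": set()})
    for r in records:
        g = groups[(r["module"], r["func"])]
        g["procs"].add(r["proc"])
        g["kinds"].add(patch_kind(r["offset"], r["payload"]))

    summary = []
    for (module, func), g in sorted(groups.items()):
        kinds = g["kinds"] - {"continuation"}
        summary.append({
            "hook": f"{module}!{func}",
            "hooked": len(g["procs"]),
            "of": len(all_procs),
            "kinds": sorted(kinds),
            # Review when the hook lives in a single process or is not a plain entry-point JMP.
            "review": len(g["procs"]) == 1 or not kinds <= {"jmp_indirect"},
        })
    return summary


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        flag = "REVIEW" if row["review"] else "ok"
        print(f'{flag:6} {row["hook"]:40} {row["hooked"]}/{row["of"]} procs {row["kinds"]}')
```

Run it against a saved GMER log with `triage(open("gmer.log").read())`; the `hooked/of` ratio shows at a glance which hooks are uniform across processes and which are isolated. Identifying the owner of a uniform hook still needs the target module that the `JMP` lands in, which these rows do not name, so the script narrows the list rather than replacing a look at the loaded-module list.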

Re: ZeroAccess.hp removal

Unread postby k_ramesh » February 4th, 2013, 12:07 am

Hi deltalima,

It looks like the scan log may require three more posts. I do not find any alarm in the scan. Let me know whether you want me to post
all the logs directly or PM them to you separately.
Thanks.
kr/-
k_ramesh
Regular Member
 
Posts: 16
Joined: February 1st, 2013, 1:02 pm
Location: Singapore

Re: ZeroAccess.hp removal

Unread postby deltalima » February 4th, 2013, 3:47 am

k_ramesh wrote:It looks like the scan log may require three more posts. I do not find any alarm in the scan. Let me know whether you want me to post
all the logs directly or PM them to you separately.


Did you make sure "Show All" was NOT ticked?

If not then please run the scan again with it NOT ticked.

If the logs are still long then please split them into separate posts and post them all in this thread.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: ZeroAccess.hp removal

Unread postby k_ramesh » February 4th, 2013, 5:15 am

Hi deltalima,

I did not select Show All at all; in fact, Show All is greyed out and I cannot even select it.
Let me work out a way to split the files into <100000 words to post them.
Thanks
kr/-
k_ramesh
Regular Member
 
Posts: 16
Joined: February 1st, 2013, 1:02 pm
Location: Singapore

Re: ZeroAccess.hp removal

Unread postby k_ramesh » February 4th, 2013, 7:41 am

GMER scan Part 3
.text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2508] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000075bf2538 6 bytes {JMP QWORD [RIP+0x7182001e]}
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c1f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c1f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c1fc94 2 bytes [6B, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c1fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c1fd48 2 bytes [56, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c1fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c1fdac 2 bytes [5C, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c1fea4 2 bytes [53, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c1ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c1ff88 2 bytes [5F, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c1ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c1ffe8 2 bytes [77, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c20064 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c20068 2 bytes [74, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c20094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c20098 2 bytes [59, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c20398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c2039c 2 bytes [47, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c20530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c20534 2 bytes [7A, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c20674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c20678 2 bytes [68, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c2086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c20870 2 bytes [50, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c20884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c20888 2 bytes [4A, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c20dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c20dd8 2 bytes [65, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c20eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c20ebc 2 bytes [4D, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c21bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c21bc8 2 bytes [62, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c21c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c21c98 2 bytes [71, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c21d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c21d70 2 bytes [6E, 71]
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007720103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000077201072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[2556] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007722c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c1f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c1f9c4 2 bytes [AE, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c1fc94 2 bytes [6B, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c1fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c1fd48 2 bytes [56, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c1fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c1fdac 2 bytes [5C, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c1fea4 2 bytes [53, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c1ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c1ff88 2 bytes [5F, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c1ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c1ffe8 2 bytes [77, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c20064 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c20068 2 bytes [74, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c20094 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c20098 2 bytes [59, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c20398 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c2039c 2 bytes [47, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c20530 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c20534 2 bytes [7A, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c20674 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c20678 2 bytes [68, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c2086c 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c20870 2 bytes [50, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c20884 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c20888 2 bytes [4A, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c20dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c20dd8 2 bytes [65, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c20eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c20ebc 2 bytes [4D, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c21bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c21bc8 2 bytes [62, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c21c94 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c21c98 2 bytes [71, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c21d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c21d70 2 bytes [6E, 71]
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007720103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000077201072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files\Conexant\SA3\CxUtilSvc.exe[2664] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007722c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43ae0 6 bytes {JMP QWORD [RIP+0x85fc550]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a71400 6 bytes {JMP QWORD [RIP+0x85aec30]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 6 bytes {JMP QWORD [RIP+0x874ea60]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a71640 6 bytes {JMP QWORD [RIP+0x882e9f0]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 6 bytes {JMP QWORD [RIP+0x87ee9b0]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a71720 6 bytes {JMP QWORD [RIP+0x884e910]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 6 bytes {JMP QWORD [RIP+0x87ce880]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 6 bytes {JMP QWORD [RIP+0x86ce840]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 6 bytes {JMP QWORD [RIP+0x86ee7f0]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a71860 6 bytes {JMP QWORD [RIP+0x880e7d0]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a71a50 6 bytes {JMP QWORD [RIP+0x88ce5e0]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 6 bytes {JMP QWORD [RIP+0x86ae4d0]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a71c30 6 bytes {JMP QWORD [RIP+0x876e400]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a71d80 6 bytes {JMP QWORD [RIP+0x886e2b0]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 6 bytes {JMP QWORD [RIP+0x88ae2a0]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 6 bytes {JMP QWORD [RIP+0x878df30]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a72190 6 bytes {JMP QWORD [RIP+0x888dea0]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 6 bytes {JMP QWORD [RIP+0x87ad630]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 6 bytes {JMP QWORD [RIP+0x870d5b0]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 6 bytes {JMP QWORD [RIP+0x872d530]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]}
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefe149aa5 3 bytes [65, 65, 06]
.text C:\Windows\system32\taskhost.exe[2476] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe155290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c1f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c1f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c1fc94 2 bytes [6B, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c1fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c1fd48 2 bytes [56, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c1fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c1fdac 2 bytes [5C, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c1fea4 2 bytes [53, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c1ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c1ff88 2 bytes [5F, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c1ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c1ffe8 2 bytes [77, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c20064 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c20068 2 bytes [74, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c20094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c20098 2 bytes [59, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c20398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c2039c 2 bytes [47, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c20530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c20534 2 bytes [7A, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c20674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c20678 2 bytes [68, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c2086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c20870 2 bytes [50, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c20884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c20888 2 bytes [4A, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c20dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c20dd8 2 bytes [65, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c20eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c20ebc 2 bytes [4D, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c21bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c21bc8 2 bytes [62, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c21c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c21c98 2 bytes [71, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c21d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c21d70 2 bytes [6E, 71]
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007720103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000077201072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[2704] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007722c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Windows\system32\Dwm.exe[2960] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefe149aa5 3 bytes [65, 65, 06]
.text C:\Windows\system32\Dwm.exe[2960] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe155290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\system32\Dwm.exe[2960] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7422cc 6 bytes {JMP QWORD [RIP+0x64dd64]}
.text C:\Windows\system32\Dwm.exe[2960] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff748398 6 bytes {JMP QWORD [RIP+0x4a7c98]}
.text C:\Windows\system32\Dwm.exe[2960] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7489c8 6 bytes {JMP QWORD [RIP+0x487668]}
.text C:\Windows\system32\Dwm.exe[2960] C:\Windows\system32\GDI32.dll!GetPixel 000007feff749344 6 bytes {JMP QWORD [RIP+0x626cec]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c1f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c1f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c1fc94 2 bytes [6B, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c1fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c1fd48 2 bytes [56, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c1fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c1fdac 2 bytes [5C, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c1fea4 2 bytes [53, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c1ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c1ff88 2 bytes [5F, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c1ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c1ffe8 2 bytes [77, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c20064 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c20068 2 bytes [74, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c20094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c20098 2 bytes [59, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c20398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c2039c 2 bytes [47, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c20530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c20534 2 bytes [7A, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c20674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c20678 2 bytes [68, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c2086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c20870 2 bytes [50, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c20884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c20888 2 bytes [4A, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c20dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c20dd8 2 bytes [65, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c20eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c20ebc 2 bytes [4D, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c21bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c21bc8 2 bytes [62, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c21c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c21c98 2 bytes [71, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c21d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c21d70 2 bytes [6E, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007720103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000077201072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1848] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 000000007722c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077a43ae0 6 bytes {JMP QWORD [RIP+0x85fc550]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000077a71400 6 bytes {JMP QWORD [RIP+0x85aec30]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a715d0 6 bytes {JMP QWORD [RIP+0x874ea60]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a71640 6 bytes {JMP QWORD [RIP+0x882e9f0]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a71680 6 bytes {JMP QWORD [RIP+0x87ee9b0]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 0000000077a71720 6 bytes {JMP QWORD [RIP+0x884e910]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a717b0 6 bytes {JMP QWORD [RIP+0x87ce880]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a717f0 6 bytes {JMP QWORD [RIP+0x86ce840]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a71840 6 bytes {JMP QWORD [RIP+0x86ee7f0]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a71860 6 bytes {JMP QWORD [RIP+0x880e7d0]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 0000000077a71a50 6 bytes {JMP QWORD [RIP+0x88ce5e0]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a71b60 6 bytes {JMP QWORD [RIP+0x86ae4d0]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 0000000077a71c30 6 bytes {JMP QWORD [RIP+0x876e400]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a71d80 6 bytes {JMP QWORD [RIP+0x886e2b0]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a71d90 6 bytes {JMP QWORD [RIP+0x88ae2a0]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a72100 6 bytes {JMP QWORD [RIP+0x878df30]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 0000000077a72190 6 bytes {JMP QWORD [RIP+0x888dea0]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a72a00 6 bytes {JMP QWORD [RIP+0x87ad630]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077a72a80 6 bytes {JMP QWORD [RIP+0x870d5b0]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a72b00 6 bytes {JMP QWORD [RIP+0x872d530]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefe149aa5 3 bytes [65, 65, 06]
.text C:\Windows\Explorer.EXE[1872] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefe155290 5 bytes [FF, 25, A0, AD, 0A]
.text C:\Windows\Explorer.EXE[1872] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff7422cc 6 bytes {JMP QWORD [RIP+0x64dd64]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff748398 6 bytes {JMP QWORD [RIP+0x4a7c98]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff7489c8 6 bytes {JMP QWORD [RIP+0x487668]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\system32\GDI32.dll!GetPixel 000007feff749344 6 bytes {JMP QWORD [RIP+0x626cec]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\system32\USER32.dll!SetWindowsHookExW 000000007767f874 6 bytes {JMP QWORD [RIP+0x8a607bc]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077684d4d 5 bytes {JMP QWORD [RIP+0x8a7b2e4]}
.text C:\Windows\Explorer.EXE[1872] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077698c20 6 bytes {JMP QWORD [RIP+0x8a27410]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c1f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c1f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c1fc94 2 bytes [6B, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c1fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c1fd48 2 bytes [56, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c1fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c1fdac 2 bytes [5C, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c1fea4 2 bytes [53, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c1ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c1ff88 2 bytes [5F, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c1ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c1ffe8 2 bytes [77, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c20064 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c20068 2 bytes [74, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c20094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c20098 2 bytes [59, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c20398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c2039c 2 bytes [47, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c20530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c20534 2 bytes [7A, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c20674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c20678 2 bytes [68, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c2086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c20870 2 bytes [50, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c20884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c20888 2 bytes [4A, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c20dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c20dd8 2 bytes [65, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c20eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c20ebc 2 bytes [4D, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c21bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c21bc8 2 bytes [62, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c21c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c21c98 2 bytes [71, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c21d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c21d70 2 bytes [6E, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007720103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000077201072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007722c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 000000007580f776 6 bytes {JMP QWORD [RIP+0x719e001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075812c91 4 bytes {CALL QWORD [RIP+0x71ac000a]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007586ee09 6 bytes {JMP QWORD [RIP+0x717d001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075877603 6 bytes {JMP QWORD [RIP+0x7180001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE[3180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007587835c 6 bytes {JMP QWORD [RIP+0x7183001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c1f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c1f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c1fc94 2 bytes [6B, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c1fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c1fd48 2 bytes [56, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c1fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c1fdac 2 bytes [5C, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c1fea4 2 bytes [53, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c1ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c1ff88 2 bytes [5F, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c1ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c1ffe8 2 bytes [77, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c20064 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c20068 2 bytes [74, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c20094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c20098 2 bytes [59, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c20398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c2039c 2 bytes [47, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c20530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c20534 2 bytes [7A, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c20674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c20678 2 bytes [68, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c2086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c20870 2 bytes [50, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c20884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c20888 2 bytes [4A, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c20dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c20dd8 2 bytes [65, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c20eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c20ebc 2 bytes [4D, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c21bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c21bc8 2 bytes [62, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c21c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c21c98 2 bytes [71, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c21d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c21d70 2 bytes [6E, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 000000007720103d 6 bytes {JMP QWORD [RIP+0x719b001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000077201072 6 bytes {JMP QWORD [RIP+0x7198001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3280] C:\Windows\syswow64\KERNEL32.dll!CreateProcessAsUserW 000000007722c9b5 6 bytes {JMP QWORD [RIP+0x7192001e]}
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077c1f9c0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077c1f9c4 2 bytes [AE, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077c1fc90 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077c1fc94 2 bytes [65, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077c1fd44 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077c1fd48 2 bytes [50, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077c1fda8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077c1fdac 2 bytes [56, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077c1fea0 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077c1fea4 2 bytes [4D, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077c1ff84 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077c1ff88 2 bytes [59, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077c1ffe4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077c1ffe8 2 bytes [71, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077c20064 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077c20068 2 bytes [6E, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077c20094 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077c20098 2 bytes [53, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077c20398 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077c2039c 2 bytes [41, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c20530 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077c20534 2 bytes [74, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077c20674 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077c20678 2 bytes [62, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077c2086c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077c20870 2 bytes [4A, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077c20884 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077c20888 2 bytes [44, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077c20dd4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077c20dd8 2 bytes [5F, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077c20eb8 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077c20ebc 2 bytes [47, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077c21bc4 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077c21bc8 2 bytes [5C, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077c21c94 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077c21c98 2 bytes [6B, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077c21d6c 3 bytes [FF, 25, 1E]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077c21d70 2 bytes [68, 71]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE[3336] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077c41217 6 bytes {JMP QWORD [RIP+0x71a7001e]}
.text C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe[3448] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007755a420 6 bytes {JMP QWORD [RIP+0x8b45c10]}
.text C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe[3448] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077571b50 6 bytes {JMP QWORD [RIP+0x8aee4e0]}
.text C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe[3448] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000775e8810 6 bytes {JMP QWORD [RIP+0x8a97820]}
.text C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe[3448] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feffc7a1a0 6 bytes {JMP QWORD [RIP+0xe5e90]}
k_ramesh
Regular Member
 
Posts: 16
Joined: February 1st, 2013, 1:02 pm
Location: Singapore