BleepingComputer.com: Possible ZeroAccess infection...


Possible ZeroAccess infection...

#46 kerneldrop (Member; Posts: 35; Joined: 28-January 12)

Posted 17 February 2012 - 12:56 PM


OK, I'll post my issue on their site, but before I do I must ask if I should be worried about this:

GMER Log:
---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk1\DR2 sector 00: rootkit-like behavior

Or should I note this as a false positive?


#47 gringo_pr (Bleepin Gringo; Group: Malware Response Team; Posts: 85,539; Joined: 03-July 08; Location: Puerto Rico)

Posted 17 February 2012 - 10:26 PM

Run GMER again and see if it still shows up.


gringo
I will be online from 5-31 to 6-4 in a very limited amount.

I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.

Please only copy and paste reports into the topic - do not attach.

My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

#48 kerneldrop (Member; Posts: 35; Joined: 28-January 12)

Posted 18 February 2012 - 01:42 AM


Did you want just this...


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-02-18 01:38:07
Windows 5.1.2600 Service Pack 3
Running: 5kg6xfqd.exe; Driver: F:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdypog.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk1\DR2 sector 00: rootkit-like behavior

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xB14A57F0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xB14A5A46]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


... or a full scan?
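Almost every hook in the GMER output above is attributed by GMER itself to COMODO's cmdguard.sys and cmdhlp.sys, which is the footprint a HIPS product is expected to leave; the sector 0 line is the one entry not tied to any module. As an added example for this thread (not a GMER feature and not code from any poster), the script below triages a GMER log the way a responder reads it: it groups SSDT, user-mode and device hooks by the owning module GMER names, and lists separately the entries GMER could not attribute, which are the ones to chase. SAMPLE_LOG is a handful of lines copied from the GMER logs posted in this thread, including the bare SSDT ZwCreateKey and rpcss.dll!WhichService entries from the later full scan; the regexes and grouping are mine and only cover the line shapes GMER 1.0.15 prints here.

```python
"""Triage a GMER log by hook owner.

Added example for this thread, not a GMER feature. SAMPLE_LOG is a handful of
lines copied from the GMER output posted in the thread; the parsing and
grouping logic is new.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

SAMPLE_LOG = r"""
---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk1\DR2 sector 00: rootkit-like behavior

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xB14A57F0]
SSDT F7AAB026 ZwCreateKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xB14C3618]

---- User code sections - GMER 1.0.15 ----

.text F:\WINDOWS\Explorer.EXE[188] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\Explorer.EXE[188] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\WINDOWS\system32\svchost.exe[344] rpcss.dll!WhichService 76A84234 8 Bytes JMP ED501001

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
"""

# Line shapes GMER 1.0.15 prints in the logs above; anything else is ignored.
DISK_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+sector\s+(?P<sector>\d+):\s*(?P<msg>.+)$")
SSDT_NAMED_RE = re.compile(r"^SSDT\s+(?P<mod>.+?)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[0x[0-9A-Fa-f]+\]$")
SSDT_BARE_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)$")
USERCODE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<target>\S+!\S+(?:\s\+\s\d+)?)\s+[0-9A-Fa-f]{8}\s+\d+\s+Bytes\s+(?P<rest>.*)$")
USER_OWNER_RE = re.compile(r"^JMP\s+[0-9A-Fa-f]+\s+(?P<mod>.+?)\s+\((?P<desc>[^)]*)\)\s*$")
DEVICE_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<rest>.*)$")
DEVICE_OWNER_RE = re.compile(r"^(?P<mod>\S+)\s+\((?P<desc>[^)]*)\)\s*$")


class Triage(NamedTuple):
    by_owner: Dict[str, List[str]]   # module GMER named as owner -> hooks it owns
    unattributed: List[str]          # hooks GMER printed with an address only
    disk_alerts: List[str]           # "Disk ... sector NN: ..." findings


def triage(log_text: str) -> Triage:
    by_owner: Dict[str, List[str]] = defaultdict(list)
    unattributed: List[str] = []
    disk_alerts: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if (m := DISK_RE.match(line)):
            disk_alerts.append(f"{m['dev']} sector {m['sector']}: {m['msg']}")
        elif (m := SSDT_NAMED_RE.match(line)):
            by_owner[m["mod"]].append(f"SSDT {m['func']}")
        elif (m := SSDT_BARE_RE.match(line)):
            unattributed.append(f"SSDT {m['func']} -> {m['addr']}")
        elif (m := USERCODE_RE.match(line)):
            if " + " in m["target"]:
                continue  # "NtClose + 3" is the tail of the hook reported on the previous line
            hook = f"{m['proc']} {m['target']}"
            owner = USER_OWNER_RE.match(m["rest"])
            if owner:
                by_owner[owner["mod"]].append(hook)
            else:
                unattributed.append(f"{hook} {m['rest']}")
        elif (m := DEVICE_RE.match(line)):
            hook = f"AttachedDevice {m['driver']} {m['device']}"
            owner = DEVICE_OWNER_RE.match(m["rest"])
            if owner:
                by_owner[owner["mod"]].append(hook)
            else:
                unattributed.append(f"{hook} {m['rest']}")
    return Triage(dict(by_owner), unattributed, disk_alerts)


def report(log_text: str) -> str:
    """Owners sorted by hook count, then the unattributed entries and disk findings."""
    t = triage(log_text)
    lines = [f"{len(hooks):3d} hook(s) owned by {mod}"
             for mod, hooks in sorted(t.by_owner.items(), key=lambda kv: -len(kv[1]))]
    lines.append(f"{len(t.unattributed):3d} unattributed hook(s)")
    lines.extend("    " + h for h in t.unattributed)
    lines.extend("DISK " + d for d in t.disk_alerts)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Unattributed does not mean malicious: GMER prints only an address when it cannot map the hook back to a loaded image, and a legitimate driver can land in that list. It does mean the address (F7AAB026 in the sample) has to be tied to a driver by some other means before the entry is dismissed, rather than being waved through alongside the COMODO hooks.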


#49 gringo_pr (Bleepin Gringo; Group: Malware Response Team; Posts: 85,539; Joined: 03-July 08; Location: Puerto Rico)

Posted 18 February 2012 - 01:48 AM

Hello

I would like you to run this tool for me: fixTDSS.

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found; let me know what it says.

After it is complete I want you to restart the computer and try to rerun aswMBR for me and send me the report.

  • Double-click the aswMBR.exe icon to run it.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.


Gringo

#50 kerneldrop (Member; Posts: 35; Joined: 28-January 12)

Posted 18 February 2012 - 02:59 AM


fixTDSS:
Backdoor.Tidserv has not been found on your computer


aswMBR:
aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-18 02:03:40
-----------------------------
02:03:40.646 OS Version: Windows 5.1.2600 Service Pack 3
02:03:40.656 Number of processors: 1 586 0x209
02:03:40.656 ComputerName: MAIN UserName:
02:03:41.487 Initialize success
02:09:28.095 AVAST engine defs: 12021701
02:09:35.035 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
02:09:35.035 Disk 0 Vendor: WDC_WD800BEVE-00UYT0 01.04A01 Size: 76319MB BusType: 3
02:09:35.035 Device \Driver\usbstor -> DriverStartIo USBSTOR.SYS f7820f26
02:09:35.055 Disk 1 MBR read successfully
02:09:35.055 Disk 1 MBR scan
02:09:35.095 Disk 1 Windows XP default MBR code
02:09:35.095 Disk 1 MBR hidden
02:09:35.105 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
02:09:35.246 Disk 1 scanning F:\WINDOWS\system32\drivers
02:09:53.181 Service scanning
02:09:54.784 Modules scanning
02:10:02.825 Disk 1 trace - called modules:
02:10:02.825 ntoskrnl.exe CLASSPNP.SYS disk.sys hal.dll
02:10:03.166 1 nt!IofCallDriver -> \Device\Harddisk1\DR2[0x89d1fab8]
02:10:03.566 AVAST engine scan F:\WINDOWS
02:10:28.933 AVAST engine scan F:\WINDOWS\system32
02:16:48.448 AVAST engine scan F:\WINDOWS\system32\drivers
02:17:16.329 AVAST engine scan F:\Documents and Settings\Owner
02:42:46.479 AVAST engine scan F:\Documents and Settings\All Users
02:44:38.410 Scan finished successfully
02:44:53.391 Disk 1 MBR has been saved successfully to "F:\Documents and Settings\Owner\Desktop\MBR.dat"
02:44:53.391 The log file has been saved successfully to "F:\Documents and Settings\Owner\Desktop\aswMBR.txt"
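aswMBR's report above found standard Windows XP MBR code on disk 1 and saved sector 0 to MBR.dat, which is the artefact worth keeping. As an added example for this thread (not aswMBR, GMER or any other tool mentioned here, and not code from any poster), the script below reads such a 512-byte dump, checks the boot signature and the four-entry partition table, measures how much of the disk lies after the last partition, and compares the boot-code hash with an earlier dump, so a repeat scan can be judged on whether sector 0 actually changed rather than on a tool's one-line verdict. The sample MBR it builds is constructed (stub boot code; one active NTFS partition at LBA 63, sized like the 76308 MB volume in the logs); the 32 MiB slack threshold is my assumption about what counts as ordinary rounding, not a figure from the page.

```python
"""Sanity-check a raw 512-byte MBR dump such as the MBR.dat that aswMBR saves.

Added example for this thread; not part of aswMBR, GMER or any other tool named
here. The sample MBR built below is constructed, not the poster's real sector 0.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the boot code
BOOT_SIG = b"\x55\xaa"       # bytes 510-511 of a valid MBR
# Assumption (not from the page): a few MiB of rounding slack after the last
# partition is ordinary; tens of MiB is worth a look, because bootkits commonly
# keep their own data in unpartitioned space. 65536 sectors = 32 MiB.
TAIL_SLACK_SECTORS = 65536


@dataclass
class PartitionEntry:
    index: int          # 1..4, slot in the table
    active: bool        # status byte 0x80 = bootable
    type_code: int      # 0x07 = HPFS/NTFS, as aswMBR reported above
    lba_start: int
    sector_count: int

    @property
    def lba_end(self) -> int:
        """First sector after the partition (exclusive)."""
        return self.lba_start + self.sector_count


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Return the non-empty entries of the classic four-slot MBR table."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    entries = []
    for i in range(4):
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) count(4), little-endian
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue
        entries.append(PartitionEntry(i + 1, status == 0x80, ptype, lba, count))
    return entries


def bootstrap_sha256(mbr: bytes) -> str:
    """Hash of the 440 bytes of boot code; compare dumps taken at different times."""
    return hashlib.sha256(mbr[:440]).hexdigest()


def check_mbr(mbr: bytes, disk_sectors: int, baseline: Optional[bytes] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("boot signature 55 AA missing")
    parts = parse_partition_table(mbr)
    active = [p for p in parts if p.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in parts:
        if p.lba_end > disk_sectors:
            findings.append(f"partition {p.index} runs past the end of the disk")
    if parts:
        tail = disk_sectors - max(p.lba_end for p in parts)
        if tail > TAIL_SLACK_SECTORS:
            findings.append(f"{tail} unallocated sectors after the last partition")
    if baseline is not None and bootstrap_sha256(baseline) != bootstrap_sha256(mbr):
        findings.append("boot code differs from the baseline dump")
    return findings


def build_sample_mbr(boot_code: bytes = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c") -> bytes:
    """Constructed MBR: one active NTFS partition at LBA 63 sized like the
    76308 MB volume in the logs above. The boot code is a stub, not XP's."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 76308 * 2048)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


if __name__ == "__main__":
    clean = build_sample_mbr()
    disk = 63 + 76308 * 2048 + 2048      # constructed disk size: 1 MiB of slack at the end
    print("first dump :", check_mbr(clean, disk) or "no findings")
    # A second dump whose boot code was rewritten and whose disk now shows about
    # 64 MiB unaccounted for after the partition: both deserve a closer look.
    rewritten = build_sample_mbr(boot_code=b"\xeb\xfe" + b"\x00" * 6)
    print("second dump:", check_mbr(rewritten, disk + 131072, baseline=clean))
```

With a real dump: check_mbr(open("MBR.dat", "rb").read(), disk_sectors, baseline=earlier_dump), where disk_sectors is the size aswMBR prints converted at 2048 sectors per MB (76319 MB gives 156,301,312; aswMBR rounds to whole MB, so treat it as approximate). On the poster's own numbers the partition ends about 11 MB short of the disk end (76319 minus 76308 MB, roughly 22,500 sectors), which the default threshold treats as ordinary slack.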


#51 gringo_pr (Bleepin Gringo; Group: Malware Response Team; Posts: 85,539; Joined: 03-July 08; Location: Puerto Rico)

Posted 21 February 2012 - 02:07 AM

For x86 (32-bit) systems, please download ListParts.

Run the tool, click Scan and post the log (Result.txt) it makes.

Note: the tool currently gives a full log on Italian- and English-language operating systems.

#52 kerneldrop (Member; Posts: 35; Joined: 28-January 12)

Posted 21 February 2012 - 12:19 PM


ListParts log:
ListParts by Farbar
Ran by Owner on 21-02-2012 at 12:17:31
Windows XP (X86)
Running From: F:\Documents and Settings\Owner\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 46%
Total physical RAM: 1270.42 MB
Available physical RAM: 675.83 MB
Total Pagefile: 1881.78 MB
Available Pagefile: 1430.78 MB
Total Virtual: 2047.88 MB
Available Virtual: 1997.27 MB

======================= Partitions =========================

4 Drive f: () (Fixed) (Total:74.52 GB) (Free:40.02 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 75 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 75 GB 32 KB

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 F NTFS Partition 75 GB Healthy System (partition with boot components)


****** End Of Log ******


#53 gringo_pr (Bleepin Gringo; Group: Malware Response Team; Posts: 85,539; Joined: 03-July 08; Location: Puerto Rico)

Posted 25 February 2012 - 01:10 AM

Hello


I want you to run this tool and then run GMER again for me.



Please download DeFogger to your desktop.

Double-click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine; if it does, click OK.

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

#54 kerneldrop (Member; Posts: 35; Joined: 28-January 12)

Posted 26 February 2012 - 08:27 PM


defogger_disable by jpshortstuff (23.02.10.1)
Log created at 12:46 on 26/02/2012 (Owner)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-26 18:07:09
Windows 5.1.2600 Service Pack 3
Running: 5kg6xfqd.exe; Driver: F:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xB14C17DE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xB14C0D8A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xB14C1444]
SSDT F7AAB026 ZwCreateKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xB14C3BE6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xB14C3F64]
SSDT F7AAB01C ZwCreateThread
SSDT F7AAB02B ZwDeleteKey
SSDT F7AAB035 ZwDeleteValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xB14C057C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateKey [0xB14C27F0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwEnumerateValueKey [0xB14C2A46]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xB14C3618]
SSDT F7AAB03A ZwLoadKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xB14C1052]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xB14C1620]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenKey [0xB14C2012]
SSDT F7AAB008 ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xB14C12EC]
SSDT F7AAB00D ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryKey [0xB14C2C54]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryMultipleValueKey [0xB14C30A8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwQueryValueKey [0xB14C2E66]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xB14C2588]
SSDT F7AAB044 ZwReplaceKey
SSDT F7AAB03F ZwRestoreKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSecurityObject [0xB14C1E30]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xB14C3904]
SSDT F7AAB030 ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xB14C0FBC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xB14C11D8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xB14C0B8C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xB14C097A]

---- User code sections - GMER 1.0.15 ----

.text F:\WINDOWS\Explorer.EXE[188] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\Explorer.EXE[188] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\WINDOWS\Explorer.EXE[188] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\Explorer.EXE[188] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\Explorer.EXE[188] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\Explorer.EXE[188] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\Explorer.EXE[188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\Explorer.EXE[188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\Explorer.EXE[188] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\Explorer.EXE[188] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\Explorer.EXE[188] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\Explorer.EXE[188] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\Explorer.EXE[188] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\Explorer.EXE[188] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Synaptics\SynTP\SynTPLpr.exe[264] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\WINDOWS\system32\svchost.exe[344] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F060 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[344] rpcss.dll!WhichService 76A84234 8 Bytes JMP ED501001
.text F:\WINDOWS\system32\igfxpers.exe[364] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\igfxpers.exe[364] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\WINDOWS\system32\igfxpers.exe[364] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\igfxpers.exe[364] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\igfxpers.exe[364] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\igfxpers.exe[364] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\igfxpers.exe[364] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\igfxpers.exe[364] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\igfxpers.exe[364] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\igfxpers.exe[364] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\igfxpers.exe[364] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\igfxpers.exe[364] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\igfxpers.exe[364] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\igfxpers.exe[364] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\hkcmd.exe[448] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 0086D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\hkcmd.exe[448] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [F6, 83]
.text F:\WINDOWS\system32\hkcmd.exe[448] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 0087BB80 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\hkcmd.exe[448] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 0087B860 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\hkcmd.exe[448] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00877DF0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\hkcmd.exe[448] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0086D1A0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\hkcmd.exe[448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00874F30 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\hkcmd.exe[448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00875AC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\hkcmd.exe[448] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 00878BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\hkcmd.exe[448] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 00878990 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\hkcmd.exe[448] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00879CC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\hkcmd.exe[448] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 00879BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\hkcmd.exe[448] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 00873A60 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\hkcmd.exe[448] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 00874390 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avgnt.exe[504] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\COMODO\COMODO Internet Security\cfp.exe[516] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 007752B0 F:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO Internet Security/COMODO)
.text F:\Program Files\Common Files\Java\Java Update\jusched.exe[560] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Common Files\Java\Java Update\jusched.exe[560] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\Program Files\Common Files\Java\Java Update\jusched.exe[560] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Common Files\Java\Java Update\jusched.exe[560] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Common Files\Java\Java Update\jusched.exe[560] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Common Files\Java\Java Update\jusched.exe[560] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2020] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2020] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2020] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2020] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\WINDOWS\system32\svchost.exe[2036] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F060 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2036] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Program Files\Avira\AntiVir Desktop\avshadow.exe[2308] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\Documents and Settings\Owner\Desktop\5kg6xfqd.exe[2476] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\wbem\wmiprvse.exe[3332] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\WINDOWS\System32\alg.exe[4052] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 1001D1A0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025AC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028990 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029CC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029BC0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 5 Bytes JMP 10023A60 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] ADVAPI32.dll!CreateProcessAsUserA 77E10CE8 5 Bytes JMP 10024390 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk1\DR2 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----



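Every JMP target in the hook entries shown above resolves to guard32.dll with a COMODO product description, and each "NtClose + 3" line is the tail of the same 5-byte patch as the NtClose entry before it. As an added example that is not part of this thread or of GMER, the Python script below parses hook lines in this format, folds the "+ N" continuation entries into the hook they belong to, groups hooks by the module that owns the JMP target, and lists any target module that carries no product/vendor description; its final sample line (placeholder.dll, made-up addresses) is constructed, the rest are copied from the log.

```python
"""Triage of the GMER user-mode hook table: parse entries, fold "+ N"
continuation entries into their hook, group hooks by owning module."""
import re
from collections import defaultdict

# One entry: ".text <process>[<pid>] <dll>!<export>[ + N] <addr> <n> Bytes <rest>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<export>[\w.]+!\w+)(?:\s\+\s(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+(?P<rest>.*)$"
)
# <rest> of a resolved hook: "JMP <target> <module path> (<product/vendor>)";
# the parenthesised description is treated as optional here.
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<module>.+?)(?:\s+\((?P<desc>[^)]*)\))?$"
)
# Sample input: the first four lines are copied from the log above; the last
# one is CONSTRUCTED (placeholder.dll, made-up addresses, no description).
SAMPLE = r"""
.text F:\WINDOWS\system32\svchost.exe[2020] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2020] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95}
.text F:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10024F30 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\System32\alg.exe[4052] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10027DF0 F:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text F:\WINDOWS\system32\svchost.exe[2020] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A31000 F:\WINDOWS\system32\placeholder.dll
"""


def parse_hook(line):
    """Parse one GMER hook line; return None for any other kind of line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = {"proc": m["proc"], "pid": int(m["pid"]), "export": m["export"],
           "offset": int(m["off"] or 0), "addr": int(m["addr"], 16),
           "size": int(m["size"]), "module": None, "desc": None, "bytes": None}
    j = JMP_RE.match(m["rest"])
    if j:
        rec["module"], rec["desc"] = j["module"], j["desc"]
    else:
        rec["bytes"] = m["rest"]  # raw patch bytes, e.g. "[71, 93] {JNO ...}"
    return rec


def triage(lines):
    """Group hooked exports by owning module; collect hooks nobody claims."""
    hooks = [h for h in map(parse_hook, lines) if h]
    # Offset-0 entries that resolved to a module, keyed by (pid, export), so a
    # "+ N" continuation entry is credited to the same hook instead of flagged.
    base = {(h["pid"], h["export"]): h
            for h in hooks if h["offset"] == 0 and h["module"]}
    by_module, unattributed = defaultdict(set), []
    for h in hooks:
        owner = h if h["module"] else base.get((h["pid"], h["export"]))
        if owner is None:
            unattributed.append(h)
        else:
            by_module[(owner["module"], owner["desc"])].add((h["pid"], h["export"]))
    return by_module, unattributed


def summarize(lines):
    """Hook count per module, modules lacking a description, unclaimed hooks."""
    by_module, unattributed = triage(lines)
    return {
        "modules": {mod: len(exports) for (mod, _), exports in by_module.items()},
        "undescribed": sorted(mod for (mod, desc) in by_module if not desc),
        "unattributed": [(h["pid"], h["export"], h["offset"]) for h in unattributed],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(f"{key}: {value}")
```

Feeding it the full hook table from a log gives one line per hooking module; a module with no description, or a continuation entry whose base hook is missing, is what deserves a closer look, while a long list of hooks all owned by the installed security product is expected.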
#55 User is online   gringo_pr 


Posted 02 March 2012 - 01:19 AM

Hello kerneldrop


I have been researching your topic and it seems that it may be a leftover from an older infection.

I don't know if you would want to leave it like that (I am not sure if I would leave it like that). I have seen it removed, but it is very complicated and risky. I think the best thing that can be done to be the safest is to remove anything that you want to keep, format the computer and reload Windows.



Gringo
I will be online from 5-31 to 6-4 in a very limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#56 User is offline   kerneldrop 


Posted 02 March 2012 - 12:45 PM


I have to drop my kernel. Oh the irony!


#57 User is online   gringo_pr 


Posted 02 March 2012 - 02:55 PM

Hello


I have been doing some more checking; let's do something.


Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download http://noahdfear.net/downloads/driver.sh to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1, sda2, ... usually correspond to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert back in your working computer and navigate to report.txt

Please note - all text entries are case sensitive.

Copy and paste the report.txt for my review.

#58 User is offline   kerneldrop 


Posted 02 March 2012 - 04:02 PM


The Intel Boot Loader reported that no OS was found and exited. But I'm just going to cut my losses, since I've already spent too much time on this, and reformat the drive.

Thanks for your time.


#59 User is online   gringo_pr 


Posted 02 March 2012 - 05:27 PM

Thanks for letting me know.


Gringo

#60 User is online   gringo_pr 


Posted 05 March 2012 - 01:39 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
