Suspected unknown malware - possibly remote monitoring - DDS log


  • This topic is locked
11 replies to this topic

#1 net_it

  • Members
  • 5 posts

Posted 03 January 2009 - 12:31 AM

Hi, this problem is with a PC at a local non-profit community agency where I've volunteered to help maintain their public-access computer lab.

I have replaced the previous anti-virus app, Avast, with AVG, and also installed and updated Spybot Search and Destroy.

There has been some unusual slowness and strange drive-accesses occurring as I observed the machine, and I wondered if someone had previously infected the PC with something, perhaps a remote monitor or "keylogger".

I'm out of my depth on these topics, and would greatly appreciate advice on any possible measures I should take.

Here is the DDS.txt file resulting from downloading and running the DDS script, as the preparation procedure for this forum requests. I also have the Attach.txt file if needed, and have attached a log from a run of HijackThis, in case it helps.

Many thanks, in advance!

DDS.txt:

DDS (Version 1.1.0) - NTFSx86
Run by FYFB3 at 16:14:28.86 on Fri 01/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.384.64 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\FYFB3\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
c:\docume~1\fyfb3\locals~1\temp\rarsfx0\temp00
c:\docume~1\fyfb3\locals~1\temp\rarsfx0\temp00
c:\docume~1\fyfb3\locals~1\temp\rarsfx0\temp00
c:\docume~1\fyfb3\locals~1\temp\rarsfx0\temp00
c:\docume~1\fyfb3\locals~1\temp\rarsfx0\temp00
c:\docume~1\fyfb3\locals~1\temp\rarsfx0\temp00
c:\docume~1\fyfb3\locals~1\temp\rarsfx0\temp00
c:\docume~1\fyfb3\locals~1\temp\rarsfx0\temp00
c:\docume~1\fyfb3\locals~1\temp\rarsfx0\temp00
c:\docume~1\fyfb3\locals~1\temp\rarsfx0\temp00
c:\docume~1\fyfb3\locals~1\temp\rarsfx0\temp00
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll c:\windows\system32\guard32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fyfb3\applic~1\mozilla\firefox\profiles\1995n7cj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-2 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-2 26824]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-1-2 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-1-2 31504]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-2 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-2 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-2 76040]
R2 cmdAgent;COMODO Internet Security Helper Service;"c:\program files\comodo\comodo internet security\cmdagent.exe" [2009-1-2 618232]

=============== Created Last 30 ================

2009-01-02 16:03 <DIR> --d----- c:\program files\Trend Micro
2009-01-02 15:59 <DIR> --d----- c:\docume~1\fyfb3\applic~1\AVGTOOLBAR
2009-01-02 15:42 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-02 15:09 147,192 a------- c:\windows\system32\guard32.dll
2009-01-02 15:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\comodo
2009-01-02 15:09 101,776 a------- c:\windows\system32\drivers\cmdguard.sys
2009-01-02 15:09 31,504 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-01-02 15:08 <DIR> --d----- c:\program files\COMODO
2009-01-02 14:06 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-02 14:06 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-02 14:06 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-02 14:06 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-02 14:05 <DIR> --d----- c:\program files\AVG
2009-01-02 14:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-15 13:03 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

============= FINISH: 16:17:42.18 ===============


HJT log 1:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:44 PM, on 1/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nipost.org/node/47
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4491 bytes

[08 Jan 3 Edits - few minor typos and incorrect wording, added "End of file" line that I missed when copy-pasting HJT log first time around].

Edited by net_it, 03 January 2009 - 02:11 PM.
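The DDS and HijackThis logs above are triaged by eye in this thread. As an added example (not code from the thread, from DDS or from HijackThis), here is the set of mechanical checks a responder applies to the O2/O3/O4/O20/O23 lines before reading anything else: which binaries start from user-writable profile or temp locations, which carry a Windows system binary name from a non-system path, and what sits in AppInit_DLLs, the key that injects a DLL into every process that loads user32.dll. The sample input is constructed in the log's line format; the HKCU Run entry pointing into Temp is hypothetical and exists only to exercise the flagging path. Note that the "Unknown owner" the log shows for the COMODO service is reported as a reason to check the file's signature, not as evidence of malware: HijackThis prints it whenever the binary's version info has no company name.

```python
"""Triage persistence entries from a HijackThis-style log (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the thread's HJT line format. The HKCU Run entry
# pointing into Temp is hypothetical, added only to exercise the flagging path.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
"""

# Locations a normally installed product starts from; anything else gets a second look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "%windir%\\")
# Profile and temp directories are writable by the logged-on user, so a drive-by
# or a user-level installer can drop an autostart there without admin rights.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\local settings\\", "\\locals~1\\",
                         "\\application data\\", "\\applic~1\\")
# Names malware borrows; the legitimate copies live under C:\WINDOWS.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe", "explorer.exe"}

PATH_RE = re.compile(r'"?(?P<path>(?:[a-z]:|%windir%)\\.+?\.(?:exe|dll|scr|com))"?(?:\s|$)', re.I)
LINE_PARSERS = (
    ("O2 BHO", re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<rest>.+)$")),
    ("O3 Toolbar", re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{[^}]+\} - (?P<rest>.+)$")),
    ("O4 Run", re.compile(r"^O4 - (?P<name>HK\w+\\\.\.\\Run: \[[^\]]*\]) (?P<rest>.+)$")),
    # name keeps "(short name) - vendor" so the vendor field can be inspected later
    ("O23 Service", re.compile(r"^O23 - Service: (?P<name>.+?\([^)]+\) - .+?) - (?P<rest>.+)$")),
)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<rest>.+)$")


@dataclass
class Entry:
    kind: str   # HJT section, e.g. "O4 Run"
    name: str   # registry key / BHO name / service name
    path: str   # binary the entry points at (bare DLL name for AppInit_DLLs)
    raw: str


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


def parse(log_text):
    """Turn HJT lines into Entry objects; unknown line types are skipped."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = APPINIT_RE.match(raw)
        if m:  # AppInit_DLLs is a space-separated list of DLLs
            entries.extend(Entry("O20 AppInit_DLLs", dll, dll, raw) for dll in m["rest"].split())
            continue
        for kind, rx in LINE_PARSERS:
            m = rx.match(raw)
            if m:
                pm = PATH_RE.search(m["rest"])
                entries.append(Entry(kind, m["name"], pm["path"] if pm else m["rest"], raw))
                break
    return entries


def assess(entry):
    """Return the reasons this entry deserves a closer look (empty list if none)."""
    reasons = []
    p = entry.path.lower()
    base = p.rsplit("\\", 1)[-1]
    if entry.kind == "O20 AppInit_DLLs":
        reasons.append("AppInit_DLLs loads it into every process that maps user32.dll; confirm the publisher")
        if "\\" not in p:
            reasons.append("bare filename, resolved through the DLL search order rather than a fixed path")
    if entry.kind == "O23 Service" and entry.name.endswith("Unknown owner"):
        reasons.append("no publisher in the version info; not suspicious on its own, check the file signature")
    if "\\" in p:
        if any(mark in p for mark in USER_WRITABLE_MARKERS):
            reasons.append("starts from a user-writable profile or temp location")
        elif not p.startswith(TRUSTED_PREFIXES):
            reasons.append("binary outside Windows and Program Files")
        if base in SYSTEM_NAMES and not p.startswith("c:\\windows\\"):
            reasons.append("uses a Windows system binary name from a non-system path")
    return reasons


def triage(log_text):
    """Entries worth reviewing, each with its reasons, in log order."""
    return [Finding(e, r) for e in parse(log_text) if (r := assess(e))]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.kind:16} {f.entry.path}\n    " + "\n    ".join(f.reasons))
```

Run against the sample, the AVG tray entry, the quoted COMODO Run entry and the Google BHO produce no findings, while the two AppInit_DLLs entries, the unsigned-looking service and the hypothetical Temp svchost.exe do. The location checks are deliberately cheap and noisy; they order the work, and the publisher and file-signature checks they ask for are what actually decide an entry.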



#2 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 14 January 2009 - 11:05 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts

Posted 18 January 2009 - 10:37 AM

Due to the lack of feedback this Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

#4 TMacK

  • Members
  • 4,672 posts
  • Gender:Male
  • Location:B.C. Canada

Posted 24 January 2009 - 10:51 PM

Topic reopened per members request.

TMacK
Moderator

Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner

#5 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 24 January 2009 - 11:02 PM

Hello, net_it
In addition to the DDS logs asked by Koan above:

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click the GMER icon on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on [Scan] and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push [Save ...] and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • GMER's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
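Reading a GMER log is mostly a matter of attribution: every hook is owned by some module, and the question is whether that module is the installed security software or something else. As an added example (not code from the thread or from GMER), the script below parses the two line shapes GMER produces, kernel SSDT entries and user-mode ".text" inline hooks (the format seen in the log posted later in this thread), groups the hooks by owning module and flags any hook whose owner is not on a caller-supplied known-product list. The known list used here comes from the DDS log in this thread: cmdguard.sys is listed there as the COMODO Internet Security Sandbox Driver, and guard32.dll is the AppInit_DLLs entry created in the same minute as the COMODO drivers. The sample input is constructed; the lsass.exe hook owned by a DLL under Temp is hypothetical and exists only to exercise the flagging path.

```python
"""Attribute GMER hook lines to their owning module (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in GMER's two line shapes. The cmdguard.sys and guard32.dll
# lines copy the format seen in the thread; the lsass.exe hook from a DLL in
# Temp is hypothetical, added only to exercise the flagging path.
SAMPLE_GMER = r"""
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xF6719796]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xF6719A8A]
.text C:\WINDOWS\system32\winlogon.exe[536] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[536] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[536] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[536] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\lsass.exe[600] USER32.dll!keybd_event 7E466783 5 Bytes JMP 00A11550 C:\Documents and Settings\user\Local Settings\Temp\hook.dll
"""

# Modules the thread's DDS log ties to the installed HIPS: cmdguard.sys is listed
# as the COMODO sandbox driver, guard32.dll is the AppInit_DLLs entry created in
# the same minute as the COMODO drivers. Extend with whatever the box really runs.
KNOWN_HOOKERS = {"cmdguard.sys", "guard32.dll"}
# APIs whose hooking is equally consistent with a HIPS and with a keylogger or
# screen grabber; worth calling out when the owner is not a known product.
INPUT_CAPTURE_APIS = {"keybd_event", "mouse_event", "BitBlt", "GetAsyncKeyState",
                      "GetKeyState", "SetWindowsHookExA", "SetWindowsHookExW"}

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>Zw\w+)\s+\[0x[0-9A-Fa-f]+\]$")
TEXT_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[\w.]+)!(?P<func>\w+)"
    r"(?:\s+\+\s+\d+)?\s+[0-9A-Fa-f]+\s+\d+ Bytes\s+(?P<detail>.+)$")
JMP_RE = re.compile(r"^JMP\s+[0-9A-Fa-f]+\s+(?P<module>.+)$")


@dataclass(frozen=True)
class Hook:
    kind: str    # "ssdt" (kernel service table) or "inline" (user-mode code patch)
    target: str  # "ZwOpenProcess" or "winlogon.exe!USER32.dll!keybd_event"
    module: str  # file GMER resolved as the hook's owner; "" if it could not


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    hooks, last_inline = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks.append(Hook("ssdt", m["func"], m["module"]))
            last_inline = None
            continue
        m = TEXT_RE.match(line)
        if not m:
            continue
        target = f"{basename(m['proc'])}!{m['dll']}!{m['func']}"
        j = JMP_RE.match(m["detail"])
        if j:
            last_inline = Hook("inline", target, j["module"])
            hooks.append(last_inline)
        elif last_inline is not None and last_inline.target == target:
            # GMER prints the remaining patched bytes of the same function as a
            # separate "+ N" line; fold it onto the hook just recorded.
            continue
        else:
            hooks.append(Hook("inline", target, ""))
    return hooks


def by_module(hooks):
    """{owner basename: {"ssdt": {targets}, "inline": {targets}}}"""
    summary = defaultdict(lambda: {"ssdt": set(), "inline": set()})
    for h in hooks:
        summary[basename(h.module)][h.kind].add(h.target)
    return summary


def suspicious(hooks, known_modules=KNOWN_HOOKERS):
    """Hooks whose owner is not a known product, as (hook, reason) pairs."""
    known = {k.lower() for k in known_modules}
    out = []
    for h in hooks:
        owner = basename(h.module)
        if owner in known:
            continue
        reason = "owner not in the known-product list" if owner else "owner not resolved by GMER"
        if h.target.rsplit("!", 1)[-1] in INPUT_CAPTURE_APIS:
            reason += "; hooks an input/screen API"
        out.append((h, reason))
    return out


if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE_GMER)
    for owner, kinds in by_module(hooks).items():
        print(f"{owner or '<unresolved>'}: {len(kinds['ssdt'])} SSDT, {len(kinds['inline'])} inline")
    for h, why in suspicious(hooks):
        print(f"REVIEW {h.kind} {h.target} <- {h.module}: {why}")
```

The caveat this encodes is the one the thread itself illustrates: hooks on keybd_event, mouse_event and BitBlt inside winlogon.exe, lsass.exe and services.exe look exactly like what a keylogger or screen grabber would leave behind, but in the posted log every such hook is owned by guard32.dll, and a HIPS patches the same APIs to police synthetic input and screen capture. The owner decides, not the API, which is why the script groups by module first and only then looks at what was hooked. Note that the known list must be built from the machine's own install evidence (the DDS driver and Created-Last-30 sections here), not from filenames alone; anything can be called guard32.dll.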

#6 net_it

  • Topic Starter
  • Members
  • 5 posts

Posted 28 January 2009 - 06:46 PM

Thanks BillyIII. Because the hours are limited at the site where I'm working on the suspect PC (it's an under-resourced community services agency and I'm just trying to help as best I can as a tech volunteer), I may not be able to do the steps you request until Saturday next (3-4 days from now) - that's the next time when I expect to have access.

In the meantime, I'm trying to arrange after-hours access so I can work through this problem in a more timely fashion. I will follow the procedures you ask, and post the results ASAP.

Again, many thanks. You folks are most helpful! Much appreciated!

cheers!

#7 net_it

  • Topic Starter
  • Members
  • 5 posts

Posted 03 February 2009 - 03:04 PM

Hi BillyIII and the forum moderators - just wanted to update you, to let you know I'm still pursuing this matter.

I hope to have better access to the suspect PC soon, and will run the diagnostics as you've requested and report back ASAP.

Many thanks!

#8 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts

Posted 03 February 2009 - 08:35 PM

No problem :thumbsup: So long as you're here, I'll be as well :)

Billy3

#9 net_it

  • Topic Starter
  • Members
  • 5 posts

Posted 04 February 2009 - 11:52 PM

Hi, I have completed the scans you requested, and here are the results, below. I also have the Attach.txt which I can post as a zipped attachment, if desired.

This post contains:
1. DDS.txt as requested by Koan

2. GMER's log as requested by Billy3

Many thanks! I look forward to, and appreciate, any advice you can offer.

1. DDS.txt:


DDS (Ver_09-01-07.01) - NTFSx86
Run by FYFBadmin at 23:01:39.25 on Wed 02/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.384.206 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\FYFB3\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nipost.org/node/47
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fyfb3\applic~1\mozilla\firefox\profiles\1995n7cj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-24 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-24 26824]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-1-2 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-1-2 31504]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-24 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-24 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-24 76040]
R4 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2009-1-2 618232]

=============== Created Last 30 ================

2009-01-31 12:42 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-01-31 12:36 266,360 a------- c:\windows\system32\TweakUI.exe
2009-01-31 12:35 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-01-24 14:04 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-24 14:04 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-24 14:04 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-24 14:04 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-24 14:04 <DIR> --d----- c:\docume~1\fyfb3\applic~1\AVGTOOLBAR
2009-01-24 13:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-01-22 12:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Zylom
2009-01-22 11:54 <DIR> --d----- C:\MSN Games

==================== Find3M ====================

2009-01-02 15:41 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-02 15:08 147,192 a------- c:\windows\system32\guard32.dll
2009-01-02 15:08 31,504 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-01-02 15:08 101,776 a------- c:\windows\system32\drivers\cmdguard.sys
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-10-15 13:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092220080929\index.dat
2008-10-15 13:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101520081016\index.dat

============= FINISH: 23:03:21.80 ===============
2. GMER's log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-04 23:48:37
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xF671A906]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xF6719E66]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xF671A4C2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xF671B0D0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xF6719BC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xF671BDC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xF671AAEC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xF6719796]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xF671AD3A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xF671AEEA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xF67194F8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xF671BA42]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xF671A0AC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xF671A6FA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xF6719228]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xF671A33C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xF67193A0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xF671B496]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xF6719CDE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xF671B7FA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xF671BBF0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xF671B296]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xF671A046]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xF671A230]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xF6719A8A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xF6719958]

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Java\jre6\bin\jqs.exe[352] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[352] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[352] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[352] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[352] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[352] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[352] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[352] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Java\jre6\bin\jqs.exe[352] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[352] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[352] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[536] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[536] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[536] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[536] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[536] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[536] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[536] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[536] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[536] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\winlogon.exe[536] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[536] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[588] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[588] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[588] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[588] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[588] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[588] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[588] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[588] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[588] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\services.exe[588] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[588] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[600] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[600] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[600] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[600] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[600] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[600] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[600] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[600] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[600] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\lsass.exe[600] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[600] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[804] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[804] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[804] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[804] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[804] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[804] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[804] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[804] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[804] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[804] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[804] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[876] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[876] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[876] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[876] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[876] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[876] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[876] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[876] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[876] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[876] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[876] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[968] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[968] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[968] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[968] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[968] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[968] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[968] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[968] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[968] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[968] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1044] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1044] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1044] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1044] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[1044] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1044] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1152] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1152] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1152] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1152] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1152] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1152] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1152] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[1152] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1152] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1204] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1204] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1204] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1204] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1204] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1204] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1204] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1204] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1204] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1204] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgemc.exe[1204] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1484] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1484] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1484] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1484] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1484] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\spoolsv.exe[1484] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1484] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1484] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1484] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1484] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1636] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 04B05810 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1636] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 04B05740 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1636] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 04B053D0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1636] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 04B016D0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1636] USER32.dll!keybd_event 7E466783 5 Bytes JMP 04B01550 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1636] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 04B01860 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1636] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 04B01230 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1636] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 04B013C0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1636] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ BE, 8C ]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1636] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 04B050E0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1636] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 04B05260 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[1956] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[2036] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 00385810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[2036] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00385740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[2036] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 003853D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[2036] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 003816D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[2036] USER32.dll!keybd_event 7E466783 5 Bytes JMP 00381550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[2036] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00381860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[2036] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00381230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[2036] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 003813C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[2036] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 46, 88 ]
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[2036] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 003850E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[2036] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 00385260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2652] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2652] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2652] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2652] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2652] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2652] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2652] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2652] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2652] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\alg.exe[2652] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2652] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2948] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2948] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2948] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2948] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2948] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2948] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[2948] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2948] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2948] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2948] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jusched.exe[2948] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\FYFB3\Desktop\gmer.exe[3332] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\FYFB3\Desktop\gmer.exe[3332] USER32.DLL!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\FYFB3\Desktop\gmer.exe[3332] USER32.DLL!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\FYFB3\Desktop\gmer.exe[3332] USER32.DLL!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\FYFB3\Desktop\gmer.exe[3332] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\FYFB3\Desktop\gmer.exe[3332] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\FYFB3\Desktop\gmer.exe[3332] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\FYFB3\Desktop\gmer.exe[3332] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Documents and Settings\FYFB3\Desktop\gmer.exe[3332] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\FYFB3\Desktop\gmer.exe[3332] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3356] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3356] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3356] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3356] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3356] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3356] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3356] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3356] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3356] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[3356] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3356] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3616] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3616] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3616] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3616] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3616] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3616] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3616] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3616] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3616] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3616] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3616] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[3764] Explorer.EXE 01001985 5 Bytes [ 00, 00, 00, 00, 00 ]
.text C:\WINDOWS\Explorer.EXE[3764] Explorer.EXE 0100198B 7 Bytes [ 00, 00, 00, 00, 00, 00, 00 ]
.text C:\WINDOWS\Explorer.EXE[3764] Explorer.EXE 01001993 3 Bytes [ 00, 00, 00 ]
.text C:\WINDOWS\Explorer.EXE[3764] Explorer.EXE 01001997 19 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\WINDOWS\Explorer.EXE[3764] Explorer.EXE 010019AB 20 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ...
.text C:\WINDOWS\Explorer.EXE[3764] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[3764] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[3764] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[3764] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[3764] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[3764] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\Explorer.EXE[3764] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[3764] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[3764] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[3764] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[3764] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3952] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3952] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3952] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3952] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3952] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3952] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3952] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3952] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3952] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\ctfmon.exe[3952] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3952] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7448710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7448770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7448990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7448950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7448950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7448770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7448710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7448990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7448990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7448950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7448770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7448710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7448950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7448990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7448710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7448770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7448710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7448770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7448950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7448990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7448950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7448770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7448710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F7448950] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7448990] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F7448710] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F7448770] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\cmdHlp \Device\CFPTcpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\cmdHlp \Device\CFPRawFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\cmdHlp \Device\CFPUdpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\cmdHlp \Device\cmdhlp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\cmdHlp \Device\CFPIpFlt avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----

#10 Billy O'Neal (Malware Response Team)

Posted 05 February 2009 - 12:02 AM
Posted 05 February 2009 - 12:02 AM

Hello, net_it
That log appears clean. Are you still having problems?

If so, the only thing I would try first would be to remove the Comodo product installed on this machine. Comodo products patch quite a bit of the OS in memory, which may have a bug causing the issues you're having.

BillyIII
My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
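The "appears clean" call above comes down to reading the long run of `.text` hooks in the GMER log: every 5-byte JMP lands in guard32.dll, the user-mode hooking DLL of the COMODO suite whose kernel side (inspect.sys, cmdhlp.sys) GMER tags as COMODO elsewhere in the same log, and each `CreateDCW + 3 ... 2 Bytes [ 0E, 98 ]` line is the tail of the JMP reported on the line before it, not a second patch: the two bytes are exactly the high half of that JMP's rel32 displacement (the same arithmetic explains `[ BE, 8C ]` for avgrsx.exe and `[ 46, 88 ]` for cmdagent.exe, whose guard32.dll copies loaded at different bases). The script below is an added example, not part of the thread or of GMER, that does that triage mechanically over a constructed sample built in the log's format: it tallies hook targets per module, flags any JMP into a module outside an allowlist (the allowlist containing only guard32.dll is this example's assumption), reconciles the split `+ N` lines against the JMP above them, and lists non-JMP byte patches (such as the zeroed regions GMER reports in Explorer.EXE) for manual review. The last sample line, a JMP into `C:\temp\sample.dll`, is hypothetical and not from the posted log; it is there only to exercise the allowlist check.

```python
import re
from collections import Counter

# Modules whose inline hooks are expected on this machine. guard32.dll is the
# user-mode hooking DLL that COMODO Internet Security loads into every process.
# Assumption for this example: a JMP into anything else deserves a look.
EXPECTED_HOOK_MODULES = {"guard32.dll"}

# One GMER ".text" line: process[pid], export (optionally "+ N"), address,
# byte count, then either "JMP <target> <module path>" or a raw byte list.
LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<func>\S+)(?: \+ (?P<off>\d+))?"
    r"\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+) Bytes "
    r"(?:JMP (?P<target>[0-9A-Fa-f]{8}) (?P<mod>.+?)|\[ (?P<raw>[0-9A-Fa-f, .]+) \])\s*$"
)

# Constructed sample in the format of the GMER log above. The first six lines
# are copied from it; the last line is hypothetical and not from the posted
# log: it exercises the allowlist check with a JMP into an unexpected module.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\lsass.exe[600] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[600] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[600] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1636] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 04B013C0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\AVG\AVG8\avgrsx.exe[1636] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ BE, 8C ]
.text C:\WINDOWS\Explorer.EXE[3764] Explorer.EXE 01001997 19 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\temp\sample.exe[4000] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 00401000 C:\temp\sample.dll
"""


def rel32_bytes(hook_addr, target):
    """Little-endian displacement of a 5-byte 'E9 rel32' JMP written at hook_addr."""
    rel = (target - (hook_addr + 5)) & 0xFFFFFFFF
    return list(rel.to_bytes(4, "little"))


def expected_tail(hook_addr, target, offset, count):
    """Bytes GMER should report at hook_addr+offset if the patch is that one JMP.
    Byte 0 is the E9 opcode and bytes 1..4 are rel32, so offset k is rel32[k-1]."""
    return rel32_bytes(hook_addr, target)[offset - 1: offset - 1 + count]


def triage(log_text):
    targets = Counter()             # hook-target module -> number of hooks
    unknown = []                    # (process, export, module) not on the allowlist
    split_ok, split_bad = [], []    # "+ N" lines reconciled with the JMP above them
    raw_patches = []                # byte patches that are not a JMP at all
    last_jmp = {}                   # (process, export) -> (hook_addr, target)

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proc, func = m["proc"], m["func"]
        addr, n = int(m["addr"], 16), int(m["n"])
        if m["target"] is not None:
            module = m["mod"].strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()
            targets[module] += 1
            if module not in EXPECTED_HOOK_MODULES:
                unknown.append((proc, func, module))
            last_jmp[(proc, func)] = (addr, int(m["target"], 16))
            continue
        # Raw byte list; GMER elides long runs with "...", which we skip.
        reported = [int(b, 16) for b in (x.strip() for x in m["raw"].split(","))
                    if b and b != "..."]
        if m["off"] is not None and (proc, func) in last_jmp:
            hook_addr, target = last_jmp[(proc, func)]
            off = int(m["off"])
            ok = addr == hook_addr + off and reported == expected_tail(hook_addr, target, off, n)
            (split_ok if ok else split_bad).append((proc, func))
        else:
            raw_patches.append((proc, func, addr, n))

    return {"targets": targets, "unknown": unknown, "split_ok": split_ok,
            "split_bad": split_bad, "raw_patches": raw_patches}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for mod, count in sorted(result["targets"].items()):
        print(f"{count:4d} hook(s) -> {mod}")
    for proc, func, mod in result["unknown"]:
        print(f"REVIEW: {proc} {func} jumps into {mod}")
    print(f"split JMPs reconciled: {len(result['split_ok'])}, mismatched: {len(result['split_bad'])}")
    for proc, func, addr, n in result["raw_patches"]:
        print(f"REVIEW: {proc} {func} {n}-byte non-JMP patch at {addr:08X}")
```

Run against the full log pasted in this thread, the same script reports every JMP resolving to guard32.dll, every `+ 3` line reconciling with its JMP, and only the Explorer.EXE zero-byte regions left for a human to look at, which is the shape of a log that a security suite, rather than a keylogger, has patched.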

#11 net_it (Topic Starter)

Posted 05 February 2009 - 11:38 AM

Hi Billy3 - the machine is still a bit slow when doing various things over the net (e.g. some web pages load slower than on similarly-configured machines on the same connection). I will double-check that everything is up-to-date.

I will also follow your suggestion, and try running with Comodo removed. I appreciate all your help on this, and sorry for the bother.

Many thanks again!

Is there somewhere I can give you guys a boost (e.g. a high rating), or vote for most helpful site or something?

#12 Billy O'Neal (Malware Response Team)

Posted 06 February 2009 - 07:52 PM

Hello, net_it
None that I know of. Several HJT team members accept donations, though I personally do not. Note that BleepingComputer itself doesn't accept them.

Good luck!

Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII
