
MBR Rootkit and search redirect


  • This topic is locked
58 replies to this topic

#1 notsomeguy


Posted 02 January 2010 - 09:02 PM

Hi, it seems that I have a rootkit on my computer and I'm not sure how to remove it.
I assume it started when I updated the definitions and ran the free version of Ad-Aware SE, which I haven't used in a while, on 12-21-09.
I didn't get the symptoms until the next morning when I started up the computer (12-22-09).

One of the more noticeable problems seems to be that I get redirected to places like:

h*tp://www.cs102175.com
zanuga.com
h*tp://xmas-search.com/c.php?id=c1dbc378e8785add178e2ec34496a172&PHPSESSID=985e50a5701946fdfddc97d796faab8f
h*tp://rootalar.com/in.cgi?9&parameter=wgalogon.dll&ur=1&HTTP_REFERER=33631


The rootalar.com redirect seems to auto-download the winlogon86.exe and winupdate86.exe virus, but doesn't download it if JavaScript is disabled.

I believe I have removed all the winlogon86 files that were created and have run Spybot S&D and Malwarebytes for any other files.
There were 2 files that were created on 12-22-09, HLSAYI.EXE-1D3C1B92.pf and QUEFQW.EXE-150D407A.pf, which I was not familiar with, so I moved them out of my prefetch folder and haven't noticed any difference.

The rootrepeal log says that there is a MBR Rootkit on my C drive

used:
-spybot S&D
-malwarebytes
-gooredfix(I don't think this did anything)
-hijackthis
-LSPfix
-DDS
-RootRepeal

have not used:
-atf-cleaner to delete prefetch
-OTL
-GMER
-ComboFix

Problems:
1. Google/Yahoo searches sometimes redirect to various sites (like above).
2. Firefox and IE seem to continually use up memory as though they have a memory leak (usually leads to #3): http://img262.imageshack.us/i/firefoxmemory.png/
3. Page file usage seems higher and sometimes will continually increase (past 1 gig): http://img694.imageshack.us/i/pagefile.png/
4. services.exe uses quite a bit of memory for a couple of minutes after the computer starts up: http://img694.imageshack.us/i/services.png/
5. Can't use the keyboard in safe mode (can use the mouse, so I have to use the on-screen keyboard program).

Not specifically related to this new malware but still annoying:
When shutting down, it will stay at the 'saving your settings' screen; essentially I have to hold down the power button to shut it down (after waiting for 30 seconds in the hope it will move on to the 'shutting down your computer' part).


#2 Tokek


Posted 11 January 2010 - 01:54 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
If I have not replied back to your post in 3 days, please send me a PM.


#3 notsomeguy


Posted 11 January 2010 - 12:28 PM

DDS (Ver_09-12-01.01) - NTFSx86
Run by someguy at 9:19:21.75 on Mon 01/11/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.134 [GMT -8:00]

FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\xammp154a\xampp\apache\bin\apache.exe
C:\xammp154a\xampp\mysql\bin\mysqld-nt.exe
C:\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\NetLimiter 2 Pro\NLClient.exe
C:\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\xammp154a\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mSearch Bar =
uInternet Settings,ProxyServer = 172.0.0.1:80
uURLSearchHooks: {4b176579-84e6-d463-c009-d898cb11f6c1} - c:\windows\system32\mrslzrtm.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\orbitdownloader\orbitcth.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
TB: Pop-Up Stopper &Companion: {8f05b1a8-9d77-4b8f-af54-6b2202066f95} - c:\pop-up stopper companion\popupus.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {F3DF2532-A2CC-48D8-8643-A033AE4FC313} - No File
TB: PimpFish Basic: {d593de91-7b41-45c2-830e-e9a99ab142aa} - c:\pimpfish\PimpFish.dll
EB: iOpus iMacros: {0483894e-2422-45e0-8384-021aff1af3cd} - c:\imacros\imacros.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DAEMON Tools] "c:\daemon tools\daemon.exe" -lang 1033
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [2Wire Wireless Manager] "c:\2wire wireless manager\2Wire.exe" -a
mRun: [COMODO Internet Security] "c:\comodo\comodo internet security\cfp.exe" -h
dRun: [Security Accounts Manager SM] samsm.exe
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [Security Accounts Manager SM] samsm.exe
dExplorerRun: [{DCC7E335-0AE9-1033-0721-030624030001}] "c:\program files\common files\{dcc7e335-0ae9-1033-0721-030624030001}\Update.exe" ET
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\logite~1.lnk - c:\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
IE: &Clean Traces - c:\dap\privacy package\dapcleanerie.htm
IE: &Download by Orbit - c:\orbitdownloader\orbitmxt.dll/201
IE: &Download with &DAP - c:\dap\dapextie.htm
IE: &Grab video by Orbit - c:\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\orbitdownloader\orbitmxt.dll/202
IE: Download &all with DAP - c:\dap\dapextie2.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\aim\aim.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD} - c:\imacros\imacros.dll
Trusted Zone: csun.edu\webteach
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261559735140
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} - hxxp://www.gamespot.com/KDX/kdx.cab
AppInit_DLLs: c:\windows\system32\guard32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\somegu~1.sha\applic~1\mozilla\firefox\profiles\ybrkdp3z.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 202.105.182.87
FF - prefs.js: network.proxy.http_port - 808
FF - prefs.js: network.proxy.type - 4
FF - HiddenExtension: Java Console: No Registry Reference - c:\firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2004-1-24 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [2004-1-24 5248]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-12-24 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-12-24 25160]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\comodo\comodo internet security\cmdagent.exe [2009-12-24 723632]
R3 Tetris;Tetris driver;c:\windows\system32\drivers\Tetris.sys [2005-10-13 48928]
S1 EXAMPLE;EXAMPLE;\??\c:\windows\system32\main.sys --> c:\windows\system32\main.sys [?]
S3 aliasdocserver;Alias Documentation Server;c:\maya6.0\docs\wrapper.exe -s c:\maya6.0\docs/wrapper.conf --> c:\maya6.0\docs\wrapper.exe -s c:\maya6.0\docs/Wrapper.conf [?]
S3 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccpwdsvc.exe" --> c:\program files\common files\symantec shared\ccPwdSvc.exe [?]
S3 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]
S3 EXAMPLE1;EXAMPLE1;\??\c:\windows\system32\ksys.sys --> c:\windows\system32\ksys.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 oflpydin;oflpydin;\??\c:\docume~1\somegu~1.sha\locals~1\temp\oflpydin.sys --> c:\docume~1\somegu~1.sha\locals~1\temp\oflpydin.sys [?]
S4 PowerManager;Power Manager;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]

=============== Created Last 30 ================

2010-01-07 23:40:32 25 ----a-w- c:\windows\popcinfot.dat
2009-12-27 08:30:43 30 ----a-w- c:\windows\mgwin.ini
2009-12-27 05:08:55 0 d-----w- C:\ewido anti-malware
2009-12-25 06:35:32 0 ----a-w- c:\documents and settings\someguy.shabaminator\ntuser.tmp
2009-12-25 06:33:22 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Comodo
2009-12-25 06:33:16 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-25 06:33:16 171552 ----a-w- c:\windows\system32\guard32.dll
2009-12-25 06:33:16 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-25 06:32:56 0 d-----w- C:\COMODO
2009-12-23 09:16:42 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2009-12-23 03:33:02 0 d-----w- c:\docume~1\somegu~1.sha\applic~1\Malwarebytes
2009-12-23 03:32:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-23 03:32:54 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-12-23 03:32:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-23 03:32:53 0 d-----w- C:\Malwarebytes
2009-12-23 01:53:49 130 ----a-w- c:\windows\cfplogvw.INI
2009-12-22 22:35:50 166881 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-12-22 22:29:37 0 d-----w- C:\CODOMO
2009-12-22 22:04:43 0 d-----w- C:\Spybot - Search & Destroy
2009-12-22 22:04:43 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2009-12-22 19:38:36 248 ----a-w- c:\windows\mgutil_win.ini
2009-12-20 02:53:23 82944 -c--a-w- c:\windows\system32\dllcache\ws2_32.dll

==================== Find3M ====================

2009-11-29 00:34:14 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2005-07-14 18:31:20 27648 --sha-w- c:\windows\system32\AVSredirect.dll

============= FINISH: 9:21:09.65 ===============
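An added example, not part of the thread or of DDS itself: a small triage pass over the DDS line shapes shown in the log above. It flags the items a helper would look at first in this log: the IE proxy setting, the URLSearchHook loading a DLL from system32, the dRun/dRunOnce entries naming a bare executable, the Firefox network.proxy.* prefs, and a service whose svchost.exe lives outside system32. The sample input is a constructed excerpt of the log, and the category names are my own.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (category, evidence)

# Line shapes taken from the DDS "Pseudo HJT Report", FIREFOX and
# SERVICES / DRIVERS sections of the log posted above.
IE_PROXY_RE = re.compile(r"Internet Settings,ProxyServer = (?P<proxy>\S+)", re.I)
HOOK_RE = re.compile(r"^[umd]?URLSearchHooks: (?P<clsid>\{[0-9a-f-]+\}) - (?P<path>.+)$", re.I)
RUN_RE = re.compile(r"^(?P<hive>[umd])(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.(?P<pref>\w+) - (?P<value>.+)$")
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]+?)(?: \[.*)?$"
)

# Constructed excerpt: a handful of lines copied from the DDS log above, not the whole log.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 172.0.0.1:80
uURLSearchHooks: {4b176579-84e6-d463-c009-d898cb11f6c1} - c:\windows\system32\mrslzrtm.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
mRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [nwiz] nwiz.exe /install
dRun: [Security Accounts Manager SM] samsm.exe
dRunOnce: [Security Accounts Manager SM] samsm.exe
FF - prefs.js: network.proxy.http - 202.105.182.87
FF - prefs.js: network.proxy.http_port - 808
FF - prefs.js: network.proxy.type - 4
R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2004-1-24 140800]
S4 PowerManager;Power Manager;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
"""


def triage_dds(text: str) -> List[Finding]:
    """Return (category, evidence) pairs for the indicators a helper checks first."""
    findings: List[Finding] = []
    ff_proxy: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := IE_PROXY_RE.search(line)):
            # 172.0.0.1 is not the loopback address (that is 127.0.0.1), so IE
            # traffic is leaving the machine through a proxy worth confirming with the user.
            findings.append(("ie_proxy", m.group("proxy")))
        elif (m := HOOK_RE.match(line)):
            path = m.group("path").strip().lower()
            # A URL search hook is consulted for addresses typed into IE; one
            # implemented by a DLL sitting directly in system32 is unusual.
            if path.startswith("c:\\windows\\system32\\"):
                findings.append(("urlsearchhook_system32_dll", path))
        elif (m := RUN_RE.match(line)):
            cmd = m.group("cmd").strip().strip('"')
            # DDS prefixes: u = HKCU, m = HKLM, d = Default User hive (loaded before
            # anyone logs on). A bare executable name there is resolved via PATH.
            if m.group("hive") == "d" and "\\" not in cmd:
                findings.append(("default_user_autorun_bare_exe", f"{m.group('key')}: {cmd}"))
        elif (m := FF_PROXY_RE.match(line)):
            ff_proxy[m.group("pref")] = m.group("value").strip()
        elif (m := SERVICE_RE.match(line)):
            path = m.group("path").strip().lower()
            exe = path.split("\\")[-1].split(" ")[0]
            # The genuine svchost.exe lives in c:\windows\system32; a copy
            # elsewhere is a classic decoy name and should be checked.
            if exe == "svchost.exe" and not path.startswith("c:\\windows\\system32\\"):
                findings.append(("svchost_outside_system32", f"{m.group('name')}: {path}"))
    # Firefox network.proxy.type: 0 = none, 1 = manual, 2 = PAC, 4 = auto-detect, 5 = system.
    # Any non-zero type together with a manual proxy host is worth a second look.
    if "http" in ff_proxy and ff_proxy.get("type", "0") != "0":
        findings.append(
            ("firefox_proxy", f"{ff_proxy['http']}:{ff_proxy.get('http_port', '?')} (type {ff_proxy['type']})")
        )
    return findings


if __name__ == "__main__":
    for category, evidence in triage_dds(SAMPLE_DDS):
        print(f"{category:32s} {evidence}")
```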

#4 Tokek


Posted 12 January 2010 - 10:05 PM

Hello notsomeguy

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode


Please reply with the GMER log and a new DDS log.
If I have not replied back to your post in 3 days, please send me a PM.


#5 notsomeguy


Posted 13 January 2010 - 01:30 PM

I ran GMER in SAFE MODE. It did not warn me about rootkit activity. After about 3 hours (after clicking Scan) I stopped it, since it was going to take forever to go through all my folders. It had already gone through most of them, as well as the Windows folder, which seemed good enough since it wasn't logging any new items, and I'm pretty sure it scanned my Documents and Settings folder, which is essentially everything anyway.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-13 01:07:34
Windows 5.1.2600 Service Pack 2
Running: 8z3kvdb7.exe; Driver: C:\DOCUME~1\SOMEGU~1.SHA\LOCALS~1\Temp\ugtcrpob.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF85CAB3A]
SSDT sptd.sys ZwEnumerateKey [0xF85CAC7E]
SSDT sptd.sys ZwEnumerateValueKey [0xF85CAFF6]
SSDT sptd.sys ZwOpenKey [0xF85CAA18]
SSDT sptd.sys ZwQueryKey [0xF85CB0C0]
SSDT sptd.sys ZwQueryValueKey [0xF85CAF58]
SSDT sptd.sys ZwSetValueKey [0xF85CB148]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD8877.SYS The process cannot access the file because it is being used by another process.
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F827A4D0 16 Bytes [06, 15, F7, D3, A7, 20, 42, ...]
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 F827A4E1 8 Bytes [90, 27, F8, 1C, E6, 86, 62, ...] {NOP ; DAA ; CLC ; SBB AL, 0xe6; XCHG [EDX+0x8], AH}
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 1A F827A4EA 22 Bytes [39, 83, 27, 25, 29, DA, 7E, ...]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!NtAllocateVirtualMemory 7C90D4DE 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!NtDeleteFile 7C90D88F 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!NtFreeVirtualMemory 7C90DA48 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!NtLoadDriver 7C90DB6E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!NtUnloadDriver 7C90E8F7 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!RtlAllocateHeap 7C9105D4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ntdll.dll!LdrGetProcedureAddress 7C919B88 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!GetModuleHandleA 7C80B6A1 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!GetModuleHandleW 7C80E43D 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!CopyFileW 7C82F873 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!DeleteFileA 7C831EAB 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!MoveFileA 7C835E8F 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!MoveFileWithProgressA 7C835EAE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!MoveFileExA 7C85D4C3 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!CopyFileExA 7C85E3C4 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] kernel32.dll!LoadModule 7C86147E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ADVAPI32.dll!OpenServiceW 77DE6165 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ADVAPI32.dll!OpenServiceA 77DEB88C 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ADVAPI32.dll!CreateServiceA 77E37071 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] ADVAPI32.dll!CreateServiceW 77E37209 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\winlogon.exe[312] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\winlogon.exe[312] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!NtAllocateVirtualMemory 7C90D4DE 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!NtDeleteFile 7C90D88F 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!NtFreeVirtualMemory 7C90DA48 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!NtLoadDriver 7C90DB6E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!NtUnloadDriver 7C90E8F7 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!RtlAllocateHeap 7C9105D4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ntdll.dll!LdrGetProcedureAddress 7C919B88 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!GetModuleHandleA 7C80B6A1 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!GetModuleHandleW 7C80E43D 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!CopyFileW 7C82F873 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!DeleteFileA 7C831EAB 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!MoveFileA 7C835E8F 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!MoveFileWithProgressA 7C835EAE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!MoveFileExA 7C85D4C3 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!CopyFileExA 7C85E3C4 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] kernel32.dll!LoadModule 7C86147E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ADVAPI32.dll!OpenServiceW 77DE6165 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ADVAPI32.dll!OpenServiceA 77DEB88C 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ADVAPI32.dll!CreateServiceA 77E37071 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ADVAPI32.dll!CreateServiceW 77E37209 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] SHELL32.dll!ShellExecuteExW 7CA017DB 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] SHELL32.dll!ShellExecuteEx 7CA40BB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] SHELL32.dll!ShellExecuteA 7CA40EE0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] SHELL32.dll!ShellExecuteW 7CAB4F10 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[376] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\services.exe[376] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!NtAllocateVirtualMemory 7C90D4DE 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!NtDeleteFile 7C90D88F 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!NtFreeVirtualMemory 7C90DA48 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!NtLoadDriver 7C90DB6E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!NtUnloadDriver 7C90E8F7 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!RtlAllocateHeap 7C9105D4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ntdll.dll!LdrGetProcedureAddress 7C919B88 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!GetModuleHandleA 7C80B6A1 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!GetModuleHandleW 7C80E43D 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!CopyFileW 7C82F873 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!DeleteFileA 7C831EAB 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!MoveFileA 7C835E8F 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!MoveFileWithProgressA 7C835EAE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!MoveFileExA 7C85D4C3 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!CopyFileExA 7C85E3C4 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] kernel32.dll!LoadModule 7C86147E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ADVAPI32.dll!OpenServiceW 77DE6165 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ADVAPI32.dll!OpenServiceA 77DEB88C 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ADVAPI32.dll!CreateServiceA 77E37071 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ADVAPI32.dll!CreateServiceW 77E37209 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\lsass.exe[388] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\lsass.exe[388] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] SHELL32.dll!ShellExecuteExW 7CA017DB 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] SHELL32.dll!ShellExecuteEx 7CA40BB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] SHELL32.dll!ShellExecuteA 7CA40EE0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[388] SHELL32.dll!ShellExecuteW 7CAB4F10 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtAllocateVirtualMemory 7C90D4DE 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtDeleteFile 7C90D88F 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtFreeVirtualMemory 7C90DA48 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtLoadDriver 7C90DB6E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtUnloadDriver 7C90E8F7 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!RtlAllocateHeap 7C9105D4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!LdrGetProcedureAddress 7C919B88 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!GetModuleHandleA 7C80B6A1 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!GetModuleHandleW 7C80E43D 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CopyFileW 7C82F873 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!DeleteFileA 7C831EAB 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!DeleteFileW 7C831F31 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!MoveFileExW 7C83565B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!MoveFileA 7C835E8F 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!MoveFileWithProgressA 7C835EAE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!MoveFileExA 7C85D4C3 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CopyFileExA 7C85E3C4 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!LoadModule 7C86147E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!OpenServiceW 77DE6165 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!OpenServiceA 77DEB88C 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!CreateServiceA 77E37071 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!CreateServiceW 77E37209 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] SHELL32.dll!ShellExecuteExW 7CA017DB 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] SHELL32.dll!ShellExecuteEx 7CA40BB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] SHELL32.dll!ShellExecuteA 7CA40EE0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] SHELL32.dll!ShellExecuteW 7CAB4F10 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[540] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[540] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!NtAllocateVirtualMemory 7C90D4DE 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] kernel32.dll!MoveFileExA 7C85D4C3 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] kernel32.dll!CopyFileExA 7C85E3C4 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] kernel32.dll!LoadModule 7C86147E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] ADVAPI32.dll!OpenServiceW 77DE6165 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] ADVAPI32.dll!OpenServiceA 77DEB88C 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] ADVAPI32.dll!CreateServiceA 77E37071 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] ADVAPI32.dll!CreateServiceW 77E37209 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] shell32.dll!ShellExecuteExW 7CA017DB 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] shell32.dll!ShellExecuteEx 7CA40BB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] shell32.dll!ShellExecuteA 7CA40EE0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\8z3kvdb7.exe[1020] shell32.dll!ShellExecuteW 7CAB4F10 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F85D3DB2] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F85E971E] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F85D43B2] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F85D42B6] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F85D4482] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F85E9032] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F85D3F6E] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F85E9864] sptd.sys
IAT \WINDOWS\System32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F85D8F78] sptd.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F85E8C76] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F85E8C82] sptd.sys
IAT \SystemRoot\System32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F85E9864] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8338CA40
Device \FileSystem\Fastfat \FatCdrom 830E10E8
Device \FileSystem\Fastfat \FatCdrom 82FD29B4
Device \Driver\Ftdisk \Device\HarddiskVolume1 833D7550
Device \Driver\Ftdisk \Device\HarddiskVolume2 833D7550
Device \Driver\Cdrom \Device\CdRom0 83329450
Device \Driver\Cdrom \Device\CdRom1 83329450
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8332B3B0
Device \Driver\atapi \Device\Ide\IdePort0 8332B3B0
Device \Driver\atapi \Device\Ide\IdePort1 8332B3B0
Device \Driver\atapi \Device\Ide\IdePort2 8332B3B0
Device \Driver\atapi \Device\Ide\IdePort3 8332B3B0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1b 8332B3B0
Device \Driver\Disk \Device\Harddisk0\DR0 8338CC78
Device \Driver\00000449 \Device\0000005e sptd.sys
Device \FileSystem\Npfs \Device\NamedPipe 831390E8
Device \Driver\Ftdisk \Device\FtControl 833D7550
Device \FileSystem\Msfs \Device\Mailslot 83361790
Device \FileSystem\Msfs \Device\Mailslot 83144924
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 83267F00
Device \Driver\dtscsi \Device\Scsi\dtscsi1 83267F00
Device \FileSystem\Fastfat \Fat 830E10E8
Device \FileSystem\Fastfat \Fat 82FD29B4
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8313A0D4
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8313A0D4
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8313A0D4
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8313A0D4
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8313A0D4
Device \FileSystem\Cdfs \Cdfs 83001D20

---- Modules - GMER 1.0.15 ----

Module _________ F8514000-F852C000 (98304 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:284] 83033EAB

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7D 0xC4 0xB5 0xC0 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAB 0xAE 0x41 0xAD ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFD 0x8A 0x3F 0x8E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7D 0xC4 0xB5 0xC0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAB 0xAE 0x41 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFD 0x8A 0x3F 0x8E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x75 0x03 0x08 0xD2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAB 0xAE 0x41 0xAD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x11 0xA8 0x54 0x8C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x63 0x81 0x0E 0xCA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x57 0x47 0xFE 0xFD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 2047760154
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1558582356
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -876679269
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x75 0x03 0x08 0xD2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAB 0xAE 0x41 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x11 0xA8 0x54 0x8C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x63 0x81 0x0E 0xCA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x57 0x47 0xFE 0xFD ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x75 0x03 0x08 0xD2 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xAB 0xAE 0x41 0xAD ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x11 0xA8 0x54 0x8C ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x63 0x81 0x0E 0xCA ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x57 0x47 0xFE 0xFD ...
Reg HKLM\SOFTWARE\Classes\.application\bootstrap@ bootstrap.application.1
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x1B 0xE5 0x88 0x34 ...



DDS (Ver_09-12-01.01) - NTFSx86
Run by someguy at 10:16:54.54 on Wed 01/13/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.158 [GMT -8:00]

FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\xammp154a\xampp\apache\bin\apache.exe
C:\xammp154a\xampp\mysql\bin\mysqld-nt.exe
C:\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Logitech\SetPoint\SetPoint.exe
C:\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\xammp154a\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ready to delete\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mSearch Bar =
uInternet Settings,ProxyServer = 172.0.0.1:80
uURLSearchHooks: {4b176579-84e6-d463-c009-d898cb11f6c1} - c:\windows\system32\mrslzrtm.dll
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\orbitdownloader\orbitcth.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
TB: Pop-Up Stopper &Companion: {8f05b1a8-9d77-4b8f-af54-6b2202066f95} - c:\pop-up stopper companion\popupus.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {F3DF2532-A2CC-48D8-8643-A033AE4FC313} - No File
TB: PimpFish Basic: {d593de91-7b41-45c2-830e-e9a99ab142aa} - c:\pimpfish\PimpFish.dll
EB: iOpus iMacros: {0483894e-2422-45e0-8384-021aff1af3cd} - c:\imacros\imacros.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DAEMON Tools] "c:\daemon tools\daemon.exe" -lang 1033
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [2Wire Wireless Manager] "c:\2wire wireless manager\2Wire.exe" -a
mRun: [COMODO Internet Security] "c:\comodo\comodo internet security\cfp.exe" -h
dRun: [Security Accounts Manager SM] samsm.exe
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [Security Accounts Manager SM] samsm.exe
dExplorerRun: [{DCC7E335-0AE9-1033-0721-030624030001}] "c:\program files\common files\{dcc7e335-0ae9-1033-0721-030624030001}\Update.exe" ET
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\logite~1.lnk - c:\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
IE: &Clean Traces - c:\dap\privacy package\dapcleanerie.htm
IE: &Download by Orbit - c:\orbitdownloader\orbitmxt.dll/201
IE: &Download with &DAP - c:\dap\dapextie.htm
IE: &Grab video by Orbit - c:\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\orbitdownloader\orbitmxt.dll/202
IE: Download &all with DAP - c:\dap\dapextie2.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\aim\aim.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD} - c:\imacros\imacros.dll
Trusted Zone: csun.edu\webteach
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261559735140
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} - hxxp://www.gamespot.com/KDX/kdx.cab
AppInit_DLLs: c:\windows\system32\guard32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\somegu~1.sha\applic~1\mozilla\firefox\profiles\ybrkdp3z.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 202.105.182.87
FF - prefs.js: network.proxy.http_port - 808
FF - prefs.js: network.proxy.type - 4
FF - HiddenExtension: Java Console: No Registry Reference - c:\firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2004-1-24 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [2004-1-24 5248]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-12-24 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-12-24 25160]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\comodo\comodo internet security\cmdagent.exe [2009-12-24 723632]
R3 Tetris;Tetris driver;c:\windows\system32\drivers\Tetris.sys [2005-10-13 48928]
S1 EXAMPLE;EXAMPLE;\??\c:\windows\system32\main.sys --> c:\windows\system32\main.sys [?]
S3 aliasdocserver;Alias Documentation Server;c:\maya6.0\docs\wrapper.exe -s c:\maya6.0\docs/wrapper.conf --> c:\maya6.0\docs\wrapper.exe -s c:\maya6.0\docs/Wrapper.conf [?]
S3 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]
S3 ccPwdSvc;Symantec Password Validation;"c:\program files\common files\symantec shared\ccpwdsvc.exe" --> c:\program files\common files\symantec shared\ccPwdSvc.exe [?]
S3 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]
S3 EXAMPLE1;EXAMPLE1;\??\c:\windows\system32\ksys.sys --> c:\windows\system32\ksys.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 oflpydin;oflpydin;\??\c:\docume~1\somegu~1.sha\locals~1\temp\oflpydin.sys --> c:\docume~1\somegu~1.sha\locals~1\temp\oflpydin.sys [?]
S4 PowerManager;Power Manager;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]

=============== Created Last 30 ================

2010-01-07 23:40:32 25 ----a-w- c:\windows\popcinfot.dat
2009-12-27 08:30:43 30 ----a-w- c:\windows\mgwin.ini
2009-12-27 05:08:55 0 d-----w- C:\ewido anti-malware
2009-12-25 06:35:32 0 ----a-w- c:\documents and settings\someguy.shabaminator\ntuser.tmp
2009-12-25 06:33:22 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Comodo
2009-12-25 06:33:16 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-25 06:33:16 171552 ----a-w- c:\windows\system32\guard32.dll
2009-12-25 06:33:16 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-25 06:32:56 0 d-----w- C:\COMODO
2009-12-23 09:16:42 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2009-12-23 03:33:02 0 d-----w- c:\docume~1\somegu~1.sha\applic~1\Malwarebytes
2009-12-23 03:32:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-23 03:32:54 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-12-23 03:32:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-23 03:32:53 0 d-----w- C:\Malwarebytes
2009-12-23 01:53:49 130 ----a-w- c:\windows\cfplogvw.INI
2009-12-22 22:35:50 166881 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-12-22 22:29:37 0 d-----w- C:\CODOMO
2009-12-22 22:04:43 0 d-----w- C:\Spybot - Search & Destroy
2009-12-22 22:04:43 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2009-12-22 19:38:36 248 ----a-w- c:\windows\mgutil_win.ini
2009-12-20 02:53:23 82944 -c--a-w- c:\windows\system32\dllcache\ws2_32.dll

==================== Find3M ====================

2009-11-29 00:34:14 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2005-07-14 18:31:20 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2007-03-03 18:12:15 1130496 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
2008-11-28 01:32:58 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012008112720081128\index.dat
2008-12-03 02:06:37 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012008120220081203\index.dat
2008-12-05 00:16:29 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012008120420081205\index.dat
2008-12-10 01:08:59 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012008120920081210\index.dat
2008-12-18 01:33:21 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012008121720081218\index.dat
2008-12-19 18:20:14 49152 --sha-w- c:\windows\temp\history\history.ie5\mshist012008121920081220\index.dat
2009-01-12 06:36:01 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009011120090112\index.dat
2009-01-21 00:04:33 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009012020090121\index.dat
2009-01-31 21:18:04 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009013120090201\index.dat
2009-02-10 23:49:11 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009021020090211\index.dat
2009-02-13 18:14:47 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009021320090214\index.dat
2009-02-19 23:40:26 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009021920090220\index.dat
2009-02-21 17:15:19 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009022120090222\index.dat
2009-02-27 00:19:06 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009022620090227\index.dat
2009-03-06 00:13:32 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009030520090306\index.dat
2009-03-19 23:06:19 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009031920090320\index.dat
2009-03-21 16:55:53 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009032120090322\index.dat
2009-03-26 23:03:56 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009032620090327\index.dat
2009-04-03 05:59:54 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009040220090403\index.dat
2009-04-04 19:19:55 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009040420090405\index.dat
2009-04-06 15:28:26 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009040620090407\index.dat
2009-04-08 14:34:05 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009040820090409\index.dat
2009-04-16 23:05:51 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009041620090417\index.dat
2009-04-18 16:09:48 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009041820090419\index.dat
2009-04-21 22:55:00 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009042120090422\index.dat
2009-04-24 15:54:42 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009042420090425\index.dat
2009-04-30 23:53:24 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009043020090501\index.dat
2009-05-07 23:02:55 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009050720090508\index.dat
2009-05-09 18:54:50 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009050920090510\index.dat
2009-05-12 00:08:44 49152 --sha-w- c:\windows\temp\history\history.ie5\mshist012009051120090512\index.dat
2009-05-14 15:41:43 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009051420090515\index.dat
2009-05-21 16:24:17 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009052120090522\index.dat
2009-05-27 16:59:03 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009052720090528\index.dat
2009-07-12 17:11:47 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009071220090713\index.dat
2009-07-15 17:23:36 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009071520090716\index.dat
2009-08-11 18:38:31 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009081120090812\index.dat
2009-08-29 16:26:18 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009082920090830\index.dat
2009-09-06 15:39:41 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009090620090907\index.dat
2009-09-19 15:47:14 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009091920090920\index.dat
2009-09-21 23:28:49 49152 --sha-w- c:\windows\temp\history\history.ie5\mshist012009092120090922\index.dat
2009-09-24 23:00:49 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009092420090925\index.dat
2009-09-28 22:50:39 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009092820090929\index.dat
2009-10-03 15:37:03 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009100320091004\index.dat
2009-10-10 16:21:30 32768 --sha-w- c:\windows\temp\history\history.ie5\mshist012009101020091011\index.dat

============= FINISH: 10:18:20.01 ===============
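As an added example that is not part of this thread or of the DDS tool, here is the kind of first-pass check a helper runs over the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections of the DDS log above: it flags proxy settings that point off the machine (the IE ProxyServer and Firefox network.proxy.http lines), a URLSearchHook DLL dropped straight into system32, autoruns given without a path, and services whose binary DDS marks [?]. The sample lines are constructed from the shapes of entries in the log; the heuristics, severity labels and the triage() helper are my assumptions, and the no-path rule will also fire on legitimate entries such as nwiz.exe in the full log.

```python
"""Triage for DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines.

Hypothetical helper added for this thread (not part of DDS, GMER or the
forum's own procedure). The heuristics and severity labels are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: entries shaped like the ones in the DDS log above,
# with one known-good line of each kind mixed in.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = 172.0.0.1:80
uURLSearchHooks: {4b176579-84e6-d463-c009-d898cb11f6c1} - c:\windows\system32\mrslzrtm.dll
mRun: [COMODO Internet Security] "c:\comodo\comodo internet security\cfp.exe" -h
dRun: [Security Accounts Manager SM] samsm.exe
FF - prefs.js: network.proxy.http - 202.105.182.87
FF - prefs.js: network.proxy.type - 4
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-12-24 133064]
S1 EXAMPLE;EXAMPLE;\??\c:\windows\system32\main.sys --> c:\windows\system32\main.sys [?]
S3 oflpydin;oflpydin;\??\c:\docume~1\somegu~1.sha\locals~1\temp\oflpydin.sys --> c:\docume~1\somegu~1.sha\locals~1\temp\oflpydin.sys [?]
S4 PowerManager;Power Manager;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
"""


@dataclass
class Finding:
    line: int
    severity: str  # "high" or "review"
    reason: str
    text: str


PROXY_RE = re.compile(r"ProxyServer = (?P<host>[^:\s]+)(?::\d+)?")
FF_PROXY_RE = re.compile(r"prefs\.js: network\.proxy\.(?:http|ssl|socks)\s+-\s+(?P<host>\S+)")
HOOK_RE = re.compile(r"^[umd]URLSearchHooks:.*-\s+(?P<dll>\S+)$")
RUN_RE = re.compile(r"^[umd](?:Run|RunOnce|ExplorerRun):\s+\[[^\]]*\]\s*(?P<cmd>.*)$")
SVC_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.*?)\s+\[(?P<info>[^\]]*)\]$")


def _external_host(host: str) -> bool:
    """True unless the proxy host is loopback or an RFC 1918/link-local address."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname cannot be vetted offline, so treat it as external
    return not (ip.is_loopback or ip.is_private)


def _first_token(cmd: str) -> str:
    """Executable part of an autorun command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0] if cmd else ""


def triage(log_text: str) -> list:
    """Return a Finding for every DDS line that a helper would want to look at."""
    findings = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line) or FF_PROXY_RE.search(line)
        if m:
            if _external_host(m.group("host")):
                findings.append(Finding(no, "high", f"proxy points at external host {m.group('host')}", line))
            continue
        m = HOOK_RE.match(line)
        if m:
            dll = m.group("dll").lower()
            # A hook DLL sitting directly in system32 (no product folder) is the classic search-hijack shape.
            sev = "high" if re.fullmatch(r"c:\\windows\\system32\\[^\\]+\.dll", dll) else "review"
            findings.append(Finding(no, sev, f"URLSearchHook loads {dll}", line))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = _first_token(m.group("cmd"))
            if "\\" not in exe:
                findings.append(Finding(no, "review", f"autorun {exe} has no path; PATH search decides what runs", line))
            continue
        m = SVC_RE.match(line)
        if m and m.group("info") == "?":  # DDS could not stat the binary
            name, path = m.group("name"), m.group("path").lower()
            if "\\temp\\" in path:
                findings.append(Finding(no, "high", f"driver {name} loads from a temp directory", line))
            elif path.endswith("\\windows\\svchost.exe"):
                findings.append(Finding(no, "high", f"service {name} runs svchost.exe outside system32", line))
            else:
                findings.append(Finding(no, "review", f"service {name} binary missing or unreadable [?]", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line:>3} [{f.severity}] {f.reason}")
```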



#6 notsomeguy

notsomeguy
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Not Telling

Posted 16 January 2010 - 09:11 PM

since you haven't replied in 3 days I ran GMER again in safe mode until it completed (which took 6 hours). Still didn't receive a warning about any rootkit activity. The GMER and DDS are both attached since it made the post too long. I also noticed that I sometimes get bluescreened from NDIS.sys with the message 'invalid work queue item' or 'irql not or less or equal'

#7 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • Gender:Male
  • Location:Jakarta, Indonesia

Posted 17 January 2010 - 09:12 AM

Hello notsomeguy,

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
If it asks you, please install the Windows Recovery Console (internet connection required).
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new DDS log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.



Please reply with the Combofix log and a new DDS log.
If I have not replied back to your post in 3 days, please send me a PM.


#8 notsomeguy

notsomeguy
  • Topic Starter

  • Members
  • 31 posts
  • Gender:Not Telling

Posted 17 January 2010 - 04:11 PM

alright, the first time I ran combofix it did a bunch of stuff and deleted some folders and was at the part where it was creating a log file but then I got bluescreened with 'invalid work queue item' from NDIS.sys and there wasn't really anything in the log file.

The next time I ran it, it said ws2_32.dll was infected and was trying to fix it or something but never said it was going to create a log file.

here's the log file from the first time it ran

ComboFix 10-01-16.04 - someguy 01/17/2010 12:38:47.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.160 [GMT -8:00]
Running from: C:\Documents and Settings\someguy.SHABAMINATOR\Desktop\ComboFix.exe
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.


I don't know if it has any effect on combofix but I still have to manually shutdown because it gets stuck on 'saving your settings'

I'll try to run it again right now and see if I can get a new log

EDIT:
I ran it again and it still says ws2_32.dll is infected and tries to restore it. It also does not show the log creation screen anymore. Virtual drives are still disabled too.

Edited by notsomeguy, 17 January 2010 - 05:05 PM.


#9 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • OFFLINE
  • Gender:Male
  • Location:Jakarta, Indonesia
  • Local time:03:48 AM

Posted 18 January 2010 - 10:07 PM

Hello notsomeguy,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    ws2_32.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
If I have not replied back to your post in 3 days, please send me a PM.


#10 notsomeguy

notsomeguy
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:48 AM

Posted 19 January 2010 - 12:29 AM

do you need anything from the C:\Qoobox folder, which I assume to be the combofix quarantine folder?

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:16 on 18/01/2010 by someguy (Administrator - Elevation successful)

========== filefind ==========

Searching for "ws2_32.dll"
C:\I386\WS2_32.DLL --a--c 75264 bytes [04:11 20/09/2003] [10:00 29/08/2002] 8529C295DF59B564D37A73B5629162B1
C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll -----c 70656 bytes [03:17 27/08/2004] [20:19 10/07/2003] 06BF1D3C21274F92DDD0E09317C80B35
C:\WINDOWS\$NtUninstallKB817778$\ws2_32.dll -----c 75264 bytes [03:14 22/01/2004] [17:14 03/09/2002] 8529C295DF59B564D37A73B5629162B1
C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll --a--c 82944 bytes [07:56 04/08/2004] [07:56 04/08/2004] 04730ED9E4A673E415E849B986DD5844
C:\WINDOWS\SYSTEM32\ws2_32.dll --a--- 82944 bytes [20:19 10/07/2003] [07:56 04/08/2004] 04730ED9E4A673E415E849B986DD5844

-=End Of File=-
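As an added example (not part of this thread and not SystemLook's own code), a small Python parser for the `:filefind` output above that groups the copies of ws2_32.dll by MD5 and reports which copies actually differ from the installed SYSTEM32 one; the sample input is the log posted above, embedded as a constructed string, and the installed path is assumed to be C:\WINDOWS\SYSTEM32\ws2_32.dll.

```python
import re
from collections import defaultdict

# Constructed sample input: the filefind section of the SystemLook log posted above.
SYSTEMLOOK_LOG = r"""
========== filefind ==========

Searching for "ws2_32.dll"
C:\I386\WS2_32.DLL --a--c 75264 bytes [04:11 20/09/2003] [10:00 29/08/2002] 8529C295DF59B564D37A73B5629162B1
C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll -----c 70656 bytes [03:17 27/08/2004] [20:19 10/07/2003] 06BF1D3C21274F92DDD0E09317C80B35
C:\WINDOWS\$NtUninstallKB817778$\ws2_32.dll -----c 75264 bytes [03:14 22/01/2004] [17:14 03/09/2002] 8529C295DF59B564D37A73B5629162B1
C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll --a--c 82944 bytes [07:56 04/08/2004] [07:56 04/08/2004] 04730ED9E4A673E415E849B986DD5844
C:\WINDOWS\SYSTEM32\ws2_32.dll --a--- 82944 bytes [20:19 10/07/2003] [07:56 04/08/2004] 04730ED9E4A673E415E849B986DD5844

-=End Of File=-
"""

# One hit line: <path> <6 attribute flags> <size> bytes [<time>] [<time>] <MD5>
# The path may contain spaces, so it is matched non-greedily up to the flags field.
# The two timestamps are kept as printed; their meaning is not stated in the log.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<ts1>[^\]]+)\] \[(?P<ts2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per file hit in a SystemLook :filefind log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def group_by_hash(entries):
    """Map each MD5 to the list of paths that carry it."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def installed_entry(entries, installed_path):
    """Find the entry for the copy that is actually loaded (case-insensitive path)."""
    for e in entries:
        if e["path"].lower() == installed_path.lower():
            return e
    raise ValueError("installed copy not found in log: " + installed_path)


def same_as_installed(entries, installed_path):
    """Other copies whose MD5 equals the installed copy's.
    Copying one of these over the installed file cannot change its content."""
    inst = installed_entry(entries, installed_path)
    return [e["path"] for e in entries
            if e["md5"] == inst["md5"] and e["path"].lower() != installed_path.lower()]


def differing_copies(entries, installed_path):
    """Copies whose MD5 differs from the installed one: the only ones that could be
    meaningful replacement sources (their build/version must still be checked)."""
    inst = installed_entry(entries, installed_path)
    return [(e["path"], e["md5"], e["size"]) for e in entries if e["md5"] != inst["md5"]]


if __name__ == "__main__":
    ents = parse_filefind(SYSTEMLOOK_LOG)
    target = r"C:\WINDOWS\SYSTEM32\ws2_32.dll"
    for md5, paths in group_by_hash(ents).items():
        print(md5, "->", ", ".join(paths))
    print("identical to installed copy:", same_as_installed(ents, target))
    print("differ from installed copy:", differing_copies(ents, target))
```

On this log the ServicePackFiles copy has the same MD5 as the SYSTEM32 copy, so copying it over the installed file leaves the content unchanged, while the three other copies have different hashes and different sizes, which correspond to different builds (compare the versions in the Sigcheck section of the later ComboFix log).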

#11 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • OFFLINE
  • Gender:Male
  • Location:Jakarta, Indonesia
  • Local time:03:48 AM

Posted 19 January 2010 - 11:22 PM

Hello notsomeguy,

The C:\Qoobox folder is ComboFix's quarantine folder; we can leave that be for now.

We are going to replace the ws2_32.dll file.
  • Go to Start > Run. Copy and paste the following line in the run box and press Enter:

    cmd /c copy /y C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll c:\ >log.txt&log.txt

    A text file should open up with " 1 file(s) copied" in it.
  • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
      Files to move:
      c:\ws2_32.dll | c:\windows\system32\ws2_32.dll
    • In the avenger window, click the Paste Script from Clipboard button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log, along with a new DDS log in your next reply.
  • Please run Combofix with the same setting again and post the content of its log.

If I have not replied back to your post in 3 days, please send me a PM.


#12 notsomeguy

notsomeguy
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:48 AM

Posted 20 January 2010 - 10:19 PM

here is the avenger log in quote tags, the combofix log after, and the DDS attached
I ran them in that order as well.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Wed Jan 20 18:10:36 2010

18:10:24: Error: can't seek on file descriptor 3 (error 131: an attempt was made to move the file pointer before the beginning of the file.)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\ws2_32.dll|c:\windows\system32\ws2_32.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


ComboFix 10-01-20.04 - someguy 01/20/2010 18:28:40.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.167 [GMT -8:00]
Running from: c:\documents and settings\someguy.SHABAMINATOR\Desktop\ComboFix.exe
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dllcache\ieframe.dll.mui

-- Previous Run --

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
c:\windows\system32\ws2_32.dll . . . is infected!!

-- Previous Run --

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
c:\windows\system32\ws2_32.dll . . . is infected!!

--------

c:\windows\system32\ws2_32.dll . . . is infected!!

-- Previous Run --

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
c:\windows\system32\ws2_32.dll . . . is infected!!

-- Previous Run --

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :step1:
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :step1:
c:\windows\system32\ws2_32.dll . . . is infected!!

--------

c:\windows\system32\ws2_32.dll . . . is infected!!

--------

c:\windows\system32\ws2_32.dll . . . is infected!!

--------

c:\windows\system32\ws2_32.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EXAMPLE
-------\Legacy_EXAMPLE1
-------\Legacy_POWERMANAGER
-------\Service_EXAMPLE
-------\Service_EXAMPLE1
-------\Service_PowerManager


((((((((((((((((((((((((( Files Created from 2009-12-21 to 2010-01-21 )))))))))))))))))))))))))))))))
.

2010-01-16 20:24 . 2010-01-16 20:24 54016 ----a-w- c:\windows\system32\drivers\axdd.sys
2010-01-07 23:40 . 2010-01-07 23:40 25 ----a-w- c:\windows\popcinfot.dat
2009-12-25 06:33 . 2009-12-25 06:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Comodo
2009-12-25 06:33 . 2009-12-25 06:33 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-12-25 06:33 . 2009-12-25 06:33 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-25 06:33 . 2009-12-25 06:33 171552 ----a-w- c:\windows\system32\guard32.dll
2009-12-25 06:33 . 2009-12-25 06:33 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-25 06:32 . 2009-12-25 06:33 -------- d-----w- C:\COMODO
2009-12-23 03:33 . 2009-12-23 03:33 -------- d-----w- c:\documents and settings\someguy.SHABAMINATOR\Application Data\Malwarebytes
2009-12-23 03:32 . 2010-01-08 00:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-23 03:32 . 2009-12-23 03:32 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-12-23 03:32 . 2010-01-10 05:09 -------- d-----w- C:\Malwarebytes
2009-12-23 03:32 . 2010-01-08 00:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 22:35 . 2009-12-23 01:53 166881 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-12-22 22:04 . 2009-12-26 23:06 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-12-22 22:04 . 2009-12-26 22:22 -------- d-----w- C:\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 02:44 . 2009-12-25 06:35 0 ----a-w- c:\documents and settings\someguy.SHABAMINATOR\ntuser.tmp
2010-01-19 22:07 . 2009-11-07 01:09 -------- d-----w- c:\documents and settings\someguy.SHABAMINATOR\Application Data\vlc
2010-01-17 01:50 . 2004-05-31 20:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-15 19:28 . 2007-08-14 03:41 -------- d-----w- c:\documents and settings\someguy.SHABAMINATOR\Application Data\Orbit
2010-01-15 06:52 . 2007-05-23 03:29 -------- d-----w- c:\documents and settings\someguy.SHABAMINATOR\Application Data\uTorrent
2010-01-10 05:09 . 2009-12-31 08:47 5115824 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-27 18:45 . 2003-09-10 10:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-27 06:07 . 2006-02-21 23:28 34472 -c--a-w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 03:31 . 2006-12-06 16:38 -------- d-----w- c:\documents and settings\someguy.SHABAMINATOR\Application Data\U3
2009-12-09 19:53 . 2004-02-07 21:10 34472 ----a-w- c:\documents and settings\someguy.SHABAMINATOR\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-09 19:42 . 2009-12-09 19:36 -------- d-----w- c:\program files\TI Education
2009-12-09 19:36 . 2009-12-09 19:36 -------- d-----w- c:\program files\Common Files\TI Shared
2009-11-29 00:34 . 2004-07-22 18:59 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-11-02 17:15 . 2009-11-02 17:15 138240 ----a-w- c:\documents and settings\someguy.SHABAMINATOR\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-11-02 17:15 . 2009-11-02 17:15 138240 ----a-w- c:\documents and settings\someguy.SHABAMINATOR\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-11-02 17:15 . 2009-11-02 17:15 138240 ----a-w- c:\documents and settings\someguy.SHABAMINATOR\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-11-02 17:15 . 2009-11-02 17:15 138240 ----a-w- c:\documents and settings\someguy.SHABAMINATOR\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2005-07-14 18:31 . 2006-05-24 16:37 27648 --sha-w- c:\windows\SYSTEM32\AVSredirect.dll
.

------- Sigcheck -------

[-] 2004-08-04 . 04730ED9E4A673E415E849B986DD5844 . 82944 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2004-08-04 . 04730ED9E4A673E415E849B986DD5844 . 82944 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\ws2_32.dll
[-] 2003-07-10 . 06BF1D3C21274F92DDD0E09317C80B35 . 70656 . . [5.1.2600.1240] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2002-09-03 . 8529C295DF59B564D37A73B5629162B1 . 75264 . . [5.1.2600.0] . . c:\windows\$NtUninstallKB817778$\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-07-23 28160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"2Wire Wireless Manager"="c:\2wire wireless manager\2Wire.exe" [2007-10-02 61440]
"COMODO Internet Security"="c:\comodo\COMODO Internet Security\cfp.exe" [2009-12-25 1800464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-9-20 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - c:\logitech\SetPoint\SetPoint.exe [2006-12-26 528384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Seom"=c:\documents and settings\someguy.SHABAMINATOR\Application Data\nser.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"Steam"=
"Aim6"=
"<NO NAME>"=
"PopUpStopperProfessional"="c:\pop-up~2\POPUPS~1.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"=c:\winamp\winampa.exe
"WildTangent CDA"=RUNDLL32.exe "c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"CloneCDTray"="c:\clonecd\CloneCDTray.exe" /s
"Symantec NetDriver Monitor"=c:\progra~1\SYMNET~1\SNDMon.exe /Consumer
"YBrowser"=c:\program files\Yahoo!\browser\ybrwicon.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe"
"IPInSightMonitor 01"="c:\program files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe"
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe"
"MXO Auto Loader"=c:\windows\MXOALDR.EXE
"QuickTime Task"="c:\quicktime\qttask.exe" -atboottime
"MaxtorOneTouch"=c:\onetouch\Utils\OneTouch.exe
"smss32.exe"=c:\windows\system32\smss32.exe
"DAEMON Tools"="c:\daemon tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\SYSTEM32\\javaw.exe"=
"c:\\WS_FTP Pro\\wsftppro.exe"=
"c:\\Steam\\Steam.exe"=
"c:\\DAP\\DAP.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpnsvr.exe"=
"c:\\yugiohgame\\YUGIOHPC\\joey_pc.exe"=
"c:\\snes\\snes9x.exe"=
"c:\\Firefox\\firefox.exe"=
"c:\\AIM\\aim.exe"=
"c:\\xammp154a\\xampp\\apache\\bin\\apache.exe"=
"c:\\xammp154a\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\xammp154a\\xampp\\mysql\\bin\\mysqld-nt.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\someguy.SHABAMINATOR\\Desktop\\A\\utorrent.exe"=
"c:\\Orbitdownloader\\orbitnet.exe"=
"c:\\Steam\\SteamApps\\eikredask@hotmail.com\\team fortress 2\\hl2.exe"=
"c:\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\NetSupport School\\PCINSSUI.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"8632:TCP"= 8632:TCP:Services
"7365:TCP"= 7365:TCP:Services
"2257:TCP"= 2257:TCP:Services

R0 xmasbus;xmasbus;c:\windows\SYSTEM32\DRIVERS\xmasbus.sys [1/24/2004 8:36 PM 140800]
R0 xmasscsi;xmasscsi;c:\windows\SYSTEM32\DRIVERS\xmasscsi.sys [1/24/2004 8:36 PM 5248]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdguard.sys [12/24/2009 10:33 PM 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [12/24/2009 10:33 PM 25160]
R1 nltdi;nltdi;c:\windows\SYSTEM32\DRIVERS\nltdi.sys [4/23/2007 3:03 AM 82200]
R3 Tetris;Tetris driver;c:\windows\SYSTEM32\DRIVERS\Tetris.sys [10/13/2005 1:08 PM 48928]
S3 aliasdocserver;Alias Documentation Server;c:\maya6.0\docs\Wrapper.exe -s c:\maya6.0\docs/Wrapper.conf --> c:\maya6.0\docs\Wrapper.exe -s c:\maya6.0\docs/Wrapper.conf [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [1/25/2007 9:31 AM 42000]
S3 oflpydin;oflpydin;\??\c:\docume~1\SOMEGU~1.SHA\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\SOMEGU~1.SHA\LOCALS~1\Temp\oflpydin.sys [?]
S4 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [11/16/2005 2:19 PM 642560]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar =
uInternet Settings,ProxyServer = 172.0.0.1:80
IE: &Clean Traces - c:\dap\Privacy Package\dapcleanerie.htm
IE: &Download by Orbit - c:\orbitdownloader\orbitmxt.dll/201
IE: &Download with &DAP - c:\dap\dapextie.htm
IE: &Grab video by Orbit - c:\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\orbitdownloader\orbitmxt.dll/202
IE: Download &all with DAP - c:\dap\dapextie2.htm
Trusted Zone: csun.edu\webteach
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\someguy.SHABAMINATOR\Application Data\Mozilla\Firefox\Profiles\ybrkdp3z.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.http - 202.105.182.87
FF - prefs.js: network.proxy.http_port - 808
FF - prefs.js: network.proxy.type - 4
FF - component: c:\firefox\components\xpinstal.dll
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{4B176579-84E6-D463-C009-D898CB11F6C1} - c:\windows\system32\mrslzrtm.dll
WebBrowser-{F3DF2532-A2CC-48D8-8643-A033AE4FC313} - (no file)
HKU-Default-Run-Security Accounts Manager SM - samsm.exe
HKU-Default-RunOnce-Security Accounts Manager SM - samsm.exe
HKU-Default-Explorer_Run-{DCC7E335-0AE9-1033-0721-030624030001} - c:\program files\Common Files\{DCC7E335-0AE9-1033-0721-030624030001}\Update.exe
AddRemove-AdobeESD - c:\program files\Common Files\Adobe\ESD\uninst.exe
AddRemove-Battle.net - c:\windows\bnetunin.exe
AddRemove-Call of Duty - c:\callof~1\Uninstall\Unwise.exe
AddRemove-FruityLoops Studio Producer Edition v5.02 - c:\flstud~1\UNWISE.EXE
AddRemove-HaaliMkx - c:\matroska pack\haali\uninstall.exe
AddRemove-Maya 6.0 Documentation Server - c:\maya6.0\docs\UninstallerData\Uninstall Maya 6.0 Documentation Server.exe
AddRemove-Natural Selection_is1 - c:\steam\steamapps\v1g1lante9@msn.com\half-life\unins000.exe
AddRemove-StepMania CVS - c:\stepmania cvs\uninst.exe
AddRemove-UnrealTournament - c:\unrealtournament\System\Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-20 18:47
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x833A4A58]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf887afc3
\Driver\ACPI -> ACPI.sys @ 0xf87cacb8
\Driver\atapi -> 0x833a4a58
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0094
ParseProcedure -> ntoskrnl.exe @ 0x8056f08e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0094
ParseProcedure -> ntoskrnl.exe @ 0x8056f08e
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
"ImagePath"="\??\H:\Stubbs the Zombie - Rebel Without A Pulse
backup\starbleep_de\program\zlportio.sys"


[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\zlportio]
"ImagePath"="\??\H:\Stubbs the Zombie - Rebel Without A Pulse
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-436374069-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:12,15,4f,55,4f,75,87,08,4b,61,6a,4e,87,14,f9,2c,14,17,1b,f5,60,19,af,
76,cd,aa,81,fb,d6,15,36,65,47,ee,67,45,d7,10,bf,d5,c2,74,f0,48,8e,c9,12,5e,\
"??"=hex:e0,80,64,9f,a6,1d,05,93,8a,73,3c,7f,4d,d1,6e,4a

[HKEY_USERS\S-1-5-21-1644491937-436374069-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:4e,26,4b,38,ec,44,d5,f4,58,75,a2,2a,e0,71,3d,37,7a,3c,f2,d1,ba,
49,67,b3,ee,df,c3,96,43,1b,aa,62,e3,9d,3e,06,b3,a9,d2,4d,3d,e2,f8,b5,c2,6e,\
"rkeysecu"=hex:fd,53,52,02,d7,d6,d1,ac,a6,49,19,30,46,26,8d,f6

[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:1b,e5,88,34,28,93,a8,95,40,31,3a,16,d6,b2,4e,96,ce,92,81,af,b9,
2e,89,d5,ea,16,eb,56,68,4e,49,6d,fb,89,ae,46,20,b5,93,c9,98,9d,47,fa,e6,25,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:1b,e5,88,34,28,93,a8,95,40,31,3a,16,d6,b2,4e,96,ce,92,81,af,b9,
2e,89,d5,ea,16,eb,56,68,4e,49,6d,fb,89,ae,46,20,b5,93,c9,98,9d,47,fa,e6,25,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4880)
c:\logitech\SetPoint\KEMHook.dll
c:\logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\comodo\COMODO Internet Security\cmdagent.exe
c:\xammp154a\xampp\apache\bin\apache.exe
c:\xammp154a\xampp\mysql\bin\mysqld-nt.exe
c:\netlimiter 2 pro\nlsvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\xammp154a\xampp\apache\bin\apache.exe
c:\windows\system32\wscntfy.exe
c:\netlimiter 2 pro\NLClient.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2010-01-20 19:04:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-21 03:04

Pre-Run: 12,269,109,248 bytes free
Post-Run: 12,229,337,088 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 35C2DD0750D34A3F07E94B85D4305D1D

#13 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • OFFLINE
  • Gender:Male
  • Location:Jakarta, Indonesia
  • Local time:03:48 AM

Posted 21 January 2010 - 01:32 PM

Hello notsomeguy,

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\SYSTEM32\ws2_32.dll
c:\windows\system32\drivers\axdd.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
If I have not replied back to your post in 3 days, please send me a PM.


#14 notsomeguy

notsomeguy
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:03:48 AM

Posted 21 January 2010 - 02:26 PM

here are the ws2_32.dll results.

http://virusscan.jotti.org/en/scanresult/c...fd7e3b68e3d277a

It did not find anything in axdd.sys

#15 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • OFFLINE
  • Gender:Male
  • Location:Jakarta, Indonesia
  • Local time:03:48 AM

Posted 22 January 2010 - 09:19 PM

Hello notsomeguy,

We are going to replace the ws2_32.dll file again.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
C:\I386\WS2_32.DLL | c:\windows\ServicePackFiles\i386\ws2_32.dll
C:\I386\WS2_32.DLL | c:\windows\SYSTEM32\ws2_32.dll
C:\I386\WS2_32.DLL | c:\windows\$NtServicePackUninstall$\ws2_32.dll
C:\I386\WS2_32.DLL | c:\windows\$NtUninstallKB817778$\ws2_32.dll


Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
If I have not replied back to your post in 3 days, please send me a PM.
