Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    Shamoon Disk-Wiping Malware Re-emerges with Two New Variants

Featured Deal: Get 91% off The ReactJS Programming Bootcamp Deal

Photo

Infected with TR/FraudPack.amau, TROJ_BRDOLAB.SMF and Trojan.Dropper

Started by vsquared2 , Feb 23 2010 11:39 PM

  • This topic is locked This topic is locked
39 replies to this topic

#1 vsquared2

vsquared2

  • Members
  • 23 posts
  • OFFLINE
    •  
  • Local time:01:42 PM

Posted 23 February 2010 - 11:39 PM

Hello,

I just literally got over an infected computer at our office two weeks ago and we ended up having to wipe the drive clean - data was saved but what a pain - and syler from bleeping computer was kind enough to reply to my problem and now I'm back mad.gif because my home computer is now infected!

Avira keeps popping up saying (well twice) saying I've got "TR/FraudPack.amau Trojan" in a series of four locations. The first time my husband was at the computer and hit "deny" and then he got the BSOD. I restarted (can't remember if it was safe mode or normal and it was just yesterday wacko.gif ) and ran Trend Micro's Housecall - which found 2 infected files "TROJ_BRDOLAB". I fixed them, then ran a quick MWAB scan which didn't find anything. All the while my computer was acting strange, freezing up and making a loud noise. I could only power down with the button. I told Avira to quarantine the files and haven't seen them since, however, on another scan with Housecall it found the same two infected files again (TROJ_BRDOLAB), so I fixed them, again! I then did a full scan last night with MWAB which took a mere 14-and-a-half hours and it found 7 files infected by "Trojan.Dropper". And then today I had a weird, round, blue gun scope like looking target icon appear on my desktop. I was afraid to click on it so I didn't, but one of my scans apparently got rid of it.

I then logged back onto bleeping computer and in following the "preparation guide" I couldn't get through more than one scan at a time before I had to crash restart my computer. I was running GMER and after an hour-and-a-half noticed that it too froze and my clock had not advanced. Another crash restart and GMER ran for another 5 hours. I finally stopped and saved it, as the results looked no different than they did after the first freeze. That is what is attached.

Also, a System Configuration Utility dialog box comes up at every restart saying I've changed my startup mode to selective startup from normal. Perhaps I made this happen in trying to stop so many things from running in the startup? - or perhaps not? It wasn't coming up yesterday - only today.

I'm just not sure what to do next. I was so excited too because I finally bought acronis (after the incident at work) which I've been meaning to do for some time and now boom!!!

DDS (Ver_09-12-01.01) - NTFSx86
Run by Me at 12:25:57.75 on Tue 02/23/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2746 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\Vance\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.sbc.com/dsl
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [PowerBar]
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [PRISMSTA.EXE] "c:\windows\PRISMSTA.EXE" /START
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [MXOBG] c:\windows\MXOALDR.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\vance\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\vance\startm~1\programs\startup\speedf~1.lnk - c:\program files\speedfan\speedfan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171162699359
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171242327531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vance\applic~1\mozilla\firefox\profiles\lfjw5c8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmnqmp07030901.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [2001-10-29 23120]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-10-19 11608]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-2-23 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-2-23 25160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-19 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-10-19 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-10-19 56816]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-2-23 723632]
R3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [2008-3-2 182528]
R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2010-1-1 2077840]
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [2006-7-8 13626]
S3 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [2001-11-13 214192]
S3 zlportio;ZLPORTIO - Allow user access to I/O ports;c:\windows\system32\zlportio.sys [2009-2-22 4016]

=============== Created Last 30 ================

2010-02-23 17:22:46 0 ----a-w- c:\documents and settings\vance\defogger_reenable
2010-02-23 16:58:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo
2010-02-23 16:57:56 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-02-23 16:57:56 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-23 16:57:56 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-02-23 16:57:46 0 d-----w- c:\program files\COMODO
2010-02-23 01:14:45 0 d-----w- c:\program files\VS Revo Group
2010-02-12 19:28:27 0 d-----w- c:\program files\VTech
2010-02-05 18:56:34 0 d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2010-02-04 16:30:53 0 d-----w- c:\docume~1\vance\applic~1\Malwarebytes
2010-02-04 16:30:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-04 16:30:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-04 16:30:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-02 16:02:46 23110 ----a-w- c:\windows\hpqins15.dat
2010-01-29 17:40:52 0 d-----w- c:\program files\YouSendIt
2010-01-25 01:13:36 0 d-sh--w- c:\windows\ftpcache
2010-01-25 01:12:35 0 d-----w- c:\program files\Nick Jr. Arcade

==================== Find3M ====================

2010-01-12 15:43:32 77374 ----a-w- c:\windows\hpqins05.dat
2009-12-26 03:59:33 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-30 23:02:40 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 23:02:38 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-08-26 02:25:04 1277680 ----a-w- c:\program files\couponprinter.exe
2004-03-11 17:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-01-07 19:32:15 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010720090108\index.dat

============= FINISH: 12:26:36.68 ===============


Attached Files


BC AdBot (Login to Remove)

 

#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,604 posts
  • ONLINE
    •  
  • Gender:Female
  • Location:Romania
  • Local time:08:42 PM

Posted 26 February 2010 - 01:01 PM

Hello ,
And welcome.gif to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif

#3 vsquared2

vsquared2
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
    •  
  • Local time:01:42 PM

Posted 27 February 2010 - 12:06 PM

Hi Elise,

Thanks so much for taking a look. I'm still having problems. It seems I'm able to stay online, but when I try to do much else, my computer keeps freezing up and I have to crash restart every 20 minutes or so. Avira has found the TR/FraudPack.amau one more time since my original post, but I haven't been running others while waiting for a response from bleeping computer. As requested, here are update logs. Since the post was too long, I'm going to attach the extras log. And then try to add another reply with just the gmer log as it's too large and the upload keeps failing.

OTL:
OTL logfile created on: 2/26/2010 9:41:53 PM - Run 1
OTL by OldTimer - Version 3.1.30.3 Folder = C:\Documents and Settings\Vance\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 82.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 32.80 Gb Free Space | 22.01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive M: | 233.76 Gb Total Space | 192.02 Gb Free Space | 82.15% Space Free | Partition Type: NTFS
Drive V: | 465.76 Gb Total Space | 465.67 Gb Free Space | 99.98% Space Free | Partition Type: NTFS

Computer Name: FLYER
Current User Name: Vance
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/26 21:39:04 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Vance\Desktop\OTL.exe
PRC - [2010/02/23 11:57:42 | 000,723,632 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
PRC - [2010/02/23 11:57:37 | 001,800,464 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
PRC - [2009/10/09 13:11:12 | 025,623,336 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe
PRC - [2009/10/09 13:11:12 | 000,078,008 | R--- | M] (Skype Technologies) -- C:\Program Files\Skype\Plugin Manager\skypePM.exe
PRC - [2009/09/22 09:51:44 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/07/21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/17 14:24:10 | 000,713,744 | ---- | M] (Microsoft Corporation
) -- C:\WINDOWS\vVX6000.exe
PRC - [2009/03/17 14:24:06 | 000,161,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2009/03/10 14:28:42 | 000,094,208 | ---- | M] (Cypress Semiconductor) -- C:\WINDOWS\MXOALDR.EXE
PRC - [2009/03/02 12:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/08/20 21:05:56 | 000,573,440 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2008/05/16 01:39:00 | 016,862,720 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/07/17 10:13:56 | 000,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PRC - [2007/07/17 10:13:34 | 000,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PRC - [2006/09/07 12:19:27 | 000,015,872 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2005/11/28 11:11:36 | 000,229,376 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2004/05/17 13:33:10 | 000,106,557 | ---- | M] () -- C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
PRC - [2004/05/15 20:10:00 | 000,339,968 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2004/02/28 01:30:34 | 000,020,548 | ---- | M] (Apache Software Foundation) -- C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe


========== Modules (SafeList) ==========

MOD - [2010/02/26 21:39:04 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Vance\Desktop\OTL.exe
MOD - [2010/02/23 11:57:45 | 000,171,552 | ---- | M] (COMODO) -- C:\WINDOWS\system32\guard32.dll
MOD - [2006/09/07 12:18:56 | 000,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (KodakCCS)
SRV - File not found [On_Demand | Stopped] -- -- (ACDaemon)
SRV - [2010/02/23 11:57:42 | 000,723,632 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2009/09/22 09:51:44 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/07/21 13:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/21 20:21:18 | 000,248,832 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)
SRV - [2009/05/13 15:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/03/17 14:24:06 | 000,161,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2008/11/04 01:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/06 09:19:36 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2008/08/20 21:05:56 | 000,573,440 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2008/08/20 20:05:00 | 000,593,920 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2008/07/18 12:13:20 | 000,053,760 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2008/07/18 12:13:20 | 000,044,032 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2008/05/02 01:42:06 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2008/03/25 20:27:36 | 000,135,168 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc)
SRV - [2006/10/30 09:36:32 | 000,492,608 | ---- | M] (Apple Computer, Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2006/10/26 14:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/10/03 12:43:02 | 000,068,096 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2006/08/18 15:11:48 | 000,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2005/11/28 11:11:36 | 000,229,376 | ---- | M] (Apple Computer, Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/05/17 13:33:10 | 000,106,557 | ---- | M] () [Auto | Running] -- C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe -- (nSvcIp)
SRV - [2004/05/17 13:32:38 | 000,053,313 | ---- | M] () [Auto | Stopped] -- C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe -- (nSvcLog)
SRV - [2004/02/28 01:30:34 | 000,020,548 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe -- (ForcewareWebInterface)


========== Driver Services (SafeList) ==========

DRV - [2010/02/23 11:57:45 | 000,134,344 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmdguard.sys -- (cmdGuard)
DRV - [2010/02/23 11:57:45 | 000,087,104 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect)
DRV - [2010/02/23 11:57:45 | 000,025,160 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
DRV - [2009/12/07 14:10:42 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/05/11 09:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 09:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/03/17 14:24:10 | 002,077,840 | ---- | M] (Microsoft Corporation
) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VX6000Xp.sys -- (VX6000)
DRV - [2009/02/13 11:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/08/20 23:52:40 | 003,299,840 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/07/04 11:22:36 | 000,044,944 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/07/02 14:38:14 | 000,089,600 | R--- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2008/05/20 04:53:00 | 004,800,000 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/04/15 23:05:16 | 000,049,920 | R--- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2008/04/15 23:05:16 | 000,021,568 | R--- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2008/04/15 23:05:16 | 000,016,496 | R--- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2008/04/13 13:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 13:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/29 02:13:36 | 000,079,120 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2008/02/29 02:13:24 | 000,036,880 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/02/29 02:13:16 | 000,035,344 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/02/29 02:12:56 | 000,063,120 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2008/02/29 02:12:48 | 000,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2008/02/02 10:54:00 | 000,036,864 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2007/11/13 05:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/08/08 11:54:10 | 000,028,968 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ATITool.sys -- (ATITool)
DRV - [2006/09/19 15:44:04 | 000,015,664 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2006/08/08 12:25:06 | 000,182,528 | R--- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SaiH0461.sys -- (SaiH0461)
DRV - [2006/08/02 09:45:32 | 000,114,560 | ---- | M] (Mars Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mr7910.sys -- (mr7910)
DRV - [2005/07/26 09:16:44 | 000,079,360 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nvatabus.sys -- (nvatabus)
DRV - [2005/07/26 09:16:44 | 000,021,120 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2005/07/26 09:16:38 | 000,033,280 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/07/26 09:16:38 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/07/26 09:15:58 | 002,324,160 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/04/07 17:18:34 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2004/10/07 09:21:22 | 000,015,360 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2004/08/04 00:29:54 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/04/13 19:20:08 | 000,015,781 | R--- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2004/04/05 16:14:48 | 000,144,384 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\Si3114r5.sys -- (Si3114r5)
DRV - [2003/12/05 05:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/10/10 03:23:48 | 000,032,640 | ---- | M] (Cypress Semiconductor) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MXOFX.SYS -- (MXOFX) USB Storage Adapter FX (MXO)
DRV - [2003/07/16 13:58:30 | 000,013,056 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdrbsvsd.sys -- (cdrbsvsd)
DRV - [2003/03/31 07:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2003/03/13 12:23:28 | 000,019,712 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxofwfp.sys -- (MaxtorFrontPanel1)
DRV - [2003/02/12 11:37:48 | 000,009,600 | ---- | M] (Silicon Image, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\DRIVERS\SiWinAcc.sys -- (SiFilter)
DRV - [2003/01/30 09:08:57 | 000,068,672 | R--- | M] (2Wire, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\2WirePCP.sys -- (2WIREPCP)
DRV - [2002/07/25 21:22:16 | 000,013,626 | ---- | M] (D-Link) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DUBE100.sys -- (DUBE100)
DRV - [2001/11/13 16:53:34 | 000,214,192 | R--- | M] (Mediafour Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MDFSYSNT.SYS -- (MDFSYSNT)
DRV - [2001/10/29 19:19:28 | 000,023,120 | R--- | M] (Mediafour Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\MDPMGRNT.SYS -- (MDPMGRNT)
DRV - [2001/09/22 10:16:42 | 000,004,016 | ---- | M] (SpecoSoft) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\zlportio.sys -- (zlportio)
DRV - [2001/08/17 09:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1202660629-1993962763-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
IE - HKU\S-1-5-21-1202660629-1993962763-725345543-1003\S-1-5-21-1202660629-1993962763-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/02/02 11:03:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/25 20:32:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/25 20:32:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/09/08 15:11:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/02/14 19:12:26 | 000,000,000 | ---D | M]

[2009/09/22 09:54:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Vance\Application Data\Mozilla\Extensions
[2009/09/22 09:54:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Vance\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/02/26 21:38:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Vance\Application Data\Mozilla\Firefox\Profiles\lfjw5c8q.default\extensions
[2010/02/18 11:06:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Vance\Application Data\Mozilla\Firefox\Profiles\lfjw5c8q.default\extensions\personas@christopher.beard
[2010/02/26 19:14:10 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2004/11/12 22:36:20 | 000,005,120 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
[2007/03/09 13:23:10 | 000,532,480 | ---- | M] (Move Networks) -- C:\Program Files\Mozilla Firefox\plugins\npmnqmp07030901.dll
[2006/12/11 11:26:46 | 000,319,488 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll

O1 HOSTS File: ([2003/03/31 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE (Cypress Semiconductor)
O4 - HKLM..\Run: [PRISMSTA.EXE] C:\WINDOWS\PRISMSTA.EXE File not found
O4 - HKLM..\Run: [PRISMSVR.EXE] C:\WINDOWS\System32\PRISMSVR.EXE File not found
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKLM..\Run: [VX6000] C:\WINDOWS\vVX6000.exe (Microsoft Corporation
)
O4 - HKU\S-1-5-21-1202660629-1993962763-725345543-1003..\Run: [PowerBar] File not found
O4 - HKU\S-1-5-21-1202660629-1993962763-725345543-1003..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\PMB Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
O4 - Startup: C:\Documents and Settings\HelpAssistant\Start Menu\Programs\Startup\SpeedFan (2).lnk = C:\Program Files\SpeedFan\speedfan.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1202660629-1993962763-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Computer, Inc.)
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} http://support.asus.com/common/asusTek_sys_ctrl.cab (asusTek_sysctrl Class)
O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdat...b?1267131495171 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1267131481562 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_02)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/08/18 15:14:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/07/16 08:51:42 | 000,000,031 | ---- | M] () - M:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/02/26 21:39:02 | 000,549,888 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Vance\Desktop\OTL.exe
[2010/02/26 03:00:58 | 000,017,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2010/02/25 16:42:49 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/02/25 16:19:20 | 001,435,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\query.dll
[2010/02/25 16:19:12 | 000,604,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmspdmod.dll
[2010/02/25 16:19:00 | 000,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msasn1.dll
[2010/02/25 16:18:28 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
[2010/02/25 15:32:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2010/02/25 15:32:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Visual Studio
[2010/02/23 12:30:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Vance\Desktop\gmer
[2010/02/23 11:58:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo
[2010/02/23 11:57:56 | 000,171,552 | ---- | C] (COMODO) -- C:\WINDOWS\System32\guard32.dll
[2010/02/23 11:57:56 | 000,134,344 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys
[2010/02/23 11:57:56 | 000,087,104 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\inspect.sys
[2010/02/23 11:57:56 | 000,025,160 | ---- | C] (COMODO) -- C:\WINDOWS\System32\drivers\cmdhlp.sys
[2010/02/23 11:57:46 | 000,000,000 | ---D | C] -- C:\Program Files\COMODO
[2010/02/22 20:14:45 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2010/02/22 12:15:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/02/22 11:36:34 | 118,532,848 | ---- | C] (Acronis) -- C:\Documents and Settings\Vance\Desktop\TrueImage2010_s_en.exe
[2010/02/20 12:21:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/02/20 09:49:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Vance\My Documents\My Received Files
[2010/02/19 21:24:09 | 001,840,232 | ---- | C] (Trend Micro) -- C:\Documents and Settings\Vance\Desktop\HousecallLauncher.exe
[2010/02/18 19:28:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/02/12 14:28:27 | 000,000,000 | ---D | C] -- C:\Program Files\VTech
[2010/02/05 13:56:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\048298C9A4D3490B9FF9AB023A9238F3.TMP
[2010/02/04 11:30:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Vance\Application Data\Malwarebytes
[2010/02/04 11:30:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/04 11:30:48 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/04 11:30:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/29 12:40:52 | 000,000,000 | ---D | C] -- C:\Program Files\YouSendIt
[2009/09/08 15:23:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/09/08 15:10:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/06/26 02:00:47 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2007/04/03 15:25:19 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/02/11 23:55:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/08/18 15:17:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/26 21:39:28 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Vance\Desktop\51s07ccy.exe
[2010/02/26 21:39:04 | 000,549,888 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Vance\Desktop\OTL.exe
[2010/02/26 21:34:04 | 000,565,098 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/02/26 21:34:04 | 000,470,456 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/02/26 21:34:04 | 000,084,510 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/02/26 21:30:16 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/26 21:29:12 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/26 21:29:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/26 21:29:09 | 000,044,964 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2010/02/26 21:29:08 | 3488,657,408 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/26 04:33:54 | 000,430,808 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/26 04:32:30 | 009,175,040 | ---- | M] () -- C:\Documents and Settings\Vance\ntuser.dat
[2010/02/26 04:32:21 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Vance\ntuser.ini
[2010/02/26 03:50:58 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/26 03:35:33 | 000,000,742 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/25 20:32:53 | 000,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/02/25 18:24:30 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/25 18:24:30 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/02/25 15:43:46 | 000,098,136 | ---- | M] () -- C:\Documents and Settings\Vance\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/23 22:31:04 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/02/23 12:22:46 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Vance\defogger_reenable
[2010/02/23 12:08:53 | 000,000,808 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\COMODO Internet Security.lnk
[2010/02/23 11:57:45 | 000,171,552 | ---- | M] (COMODO) -- C:\WINDOWS\System32\guard32.dll
[2010/02/23 11:57:45 | 000,134,344 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdguard.sys
[2010/02/23 11:57:45 | 000,087,104 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\inspect.sys
[2010/02/23 11:57:45 | 000,025,160 | ---- | M] (COMODO) -- C:\WINDOWS\System32\drivers\cmdhlp.sys
[2010/02/23 11:48:32 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\Vance\Desktop\dds.scr
[2010/02/23 11:48:10 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Vance\Desktop\Defogger.exe
[2010/02/22 12:52:10 | 000,035,840 | ---- | M] () -- C:\Documents and Settings\Vance\My Documents\Processes.xls
[2010/02/22 12:00:59 | 118,532,848 | ---- | M] (Acronis) -- C:\Documents and Settings\Vance\Desktop\TrueImage2010_s_en.exe
[2010/02/20 14:33:35 | 002,096,656 | -H-- | M] () -- C:\Documents and Settings\Vance\Local Settings\Application Data\IconCache.db
[2010/02/19 21:41:32 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Vance\Desktop\WORD 2007.lnk
[2010/02/19 21:24:42 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Vance\Local Settings\Application Data\housecall.guid.cache
[2010/02/19 21:24:28 | 001,840,232 | ---- | M] (Trend Micro) -- C:\Documents and Settings\Vance\Desktop\HousecallLauncher.exe
[2010/02/14 19:56:44 | 012,780,544 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2010/02/14 19:56:42 | 025,332,736 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2010/02/14 19:24:28 | 000,032,256 | ---- | M] () -- C:\Documents and Settings\Vance\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/12 14:28:29 | 000,000,695 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VTech Kidizoom Plus Photo Editor.lnk
[2010/02/06 21:58:07 | 000,000,814 | ---- | M] () -- C:\WINDOWS\eReg.dat
[2010/02/04 11:30:52 | 000,000,710 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/04 10:28:22 | 039,834,221 | ---- | M] () -- C:\Documents and Settings\Vance\Desktop\Potty_Dance_Video.zip
[2010/02/02 11:03:44 | 000,023,110 | ---- | M] () -- C:\WINDOWS\hpqins15.dat
[2010/01/29 12:40:53 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\YouSendIt.lnk
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/26 21:39:27 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Vance\Desktop\51s07ccy.exe
[2010/02/23 12:22:46 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Vance\defogger_reenable
[2010/02/23 12:08:53 | 000,000,808 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\COMODO Internet Security.lnk
[2010/02/23 11:48:19 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\Vance\Desktop\dds.scr
[2010/02/23 11:48:09 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Vance\Desktop\Defogger.exe
[2010/02/20 14:34:46 | 3488,657,408 | -HS- | C] () -- C:\hiberfil.sys
[2010/02/19 22:04:10 | 000,035,840 | ---- | C] () -- C:\Documents and Settings\Vance\My Documents\Processes.xls
[2010/02/19 21:24:42 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Vance\Local Settings\Application Data\housecall.guid.cache
[2010/02/12 14:28:29 | 000,000,695 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VTech Kidizoom Plus Photo Editor.lnk
[2010/02/04 11:30:52 | 000,000,710 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/04 10:19:05 | 039,834,221 | ---- | C] () -- C:\Documents and Settings\Vance\Desktop\Potty_Dance_Video.zip
[2010/02/02 11:02:46 | 000,023,110 | ---- | C] () -- C:\WINDOWS\hpqins15.dat
[2010/01/29 12:40:53 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\YouSendIt.lnk
[2010/01/04 23:24:54 | 000,203,600 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/01 11:12:05 | 000,015,497 | ---- | C] () -- C:\WINDOWS\VX6KStd.ini
[2009/11/06 10:58:04 | 000,178,975 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009/08/25 21:25:04 | 001,277,680 | ---- | C] () -- C:\Program Files\couponprinter.exe
[2009/05/12 15:10:19 | 000,003,942 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/03/15 13:16:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2009/03/09 13:45:45 | 000,035,871 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2009/03/09 13:45:25 | 000,035,511 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/03/09 13:45:25 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009/03/09 03:09:37 | 000,008,192 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/02/21 22:58:03 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2008/06/25 10:04:50 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Vance\Local Settings\Application Data\fusioncache.dat
[2008/03/02 21:17:30 | 001,126,400 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461.Dll
[2008/03/02 21:17:30 | 000,007,680 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_10.dll
[2008/03/02 21:17:30 | 000,007,680 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_0C.dll
[2008/03/02 21:17:30 | 000,007,680 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_0A.dll
[2008/03/02 21:17:30 | 000,007,680 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_07.dll
[2008/03/02 21:17:30 | 000,006,656 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_09.dll
[2008/03/02 21:17:30 | 000,006,656 | R--- | C] () -- C:\WINDOWS\System32\SaiC0461_0402.dll
[2007/08/08 11:54:10 | 000,028,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\ATITool.sys
[2007/05/30 15:43:49 | 000,000,059 | ---- | C] () -- C:\WINDOWS\sview.ini
[2007/05/13 12:17:55 | 000,000,036 | ---- | C] () -- C:\WINDOWS\marscam.ini
[2007/03/22 14:37:47 | 000,001,747 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/12/06 07:24:07 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.Vance.ini
[2006/09/29 17:28:05 | 000,000,248 | ---- | C] () -- C:\WINDOWS\RomeTW.ini
[2006/09/25 09:59:44 | 000,000,050 | ---- | C] () -- C:\WINDOWS\VistaEmail.ini
[2006/09/24 10:30:55 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/09/24 07:45:35 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2006/08/29 22:53:57 | 000,006,925 | R--- | C] () -- C:\WINDOWS\System32\LANGMONI.DLL
[2006/08/29 22:05:53 | 000,032,256 | ---- | C] () -- C:\Documents and Settings\Vance\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/08/29 19:02:43 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2006/08/26 11:45:04 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/07/30 12:36:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\Px.ini
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1996/04/03 14:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 156 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BDBBA690
@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F878CACA
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:56DA0F9E
< End of report >

Attached Files


#4 vsquared2

vsquared2
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
    •  
  • Local time:01:42 PM

Posted 27 February 2010 - 12:12 PM

gmer first third:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-27 11:41:20
Windows 5.1.2600 Service Pack 3
Running: 51s07ccy.exe; Driver: C:\DOCUME~1\Vance\LOCALS~1\Temp\kxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xAC86FBDA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xAC86F1B8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xAC86F840]
SSDT BA6FB3CE ZwCreateKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xAC86F09A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xAC87106A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xAC871302]
SSDT BA6FB3C4 ZwCreateThread
SSDT BA6FB3D3 ZwDeleteKey
SSDT BA6FB3DD ZwDeleteValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xAC86EA92]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xAC870CEC]
SSDT BA6FB3E2 ZwLoadKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xAC86F43C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xAC86FA1C]
SSDT BA6FB3B0 ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xAC86F6CC]
SSDT BA6FB3B5 ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xAC870720]
SSDT BA6FB3EC ZwReplaceKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xAC871648]
SSDT BA6FB3E7 ZwRestoreKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xAC870A88]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSecurityObject [0xAC86FDC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xAC870E9A]
SSDT BA6FB3D8 ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xAC86F3D6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xAC86F5C0]
SSDT BA6FB3BF ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xAC86EE32]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CE0 8050457C 4 Bytes JMP CD96AC86
.text C:\WINDOWS\System32\DRIVERS\ati2mtag.sys section is writeable [0xB9140000, 0x1A3F84, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtFreeVirtualMemory 7C90D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ntdll.dll!LdrGetProcedureAddress 7C917EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ADVAPI32.dll!OpenServiceW 77DE6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ADVAPI32.dll!OpenServiceA 77DF4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ADVAPI32.dll!CreateServiceA 77E37211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ADVAPI32.dll!CreateServiceW 77E373A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] SHELL32.dll!ShellExecuteExW 7CA0996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] SHELL32.dll!ShellExecuteEx 7CA40EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] SHELL32.dll!ShellExecuteA 7CA411E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\System32\svchost.exe[240] SHELL32.dll!ShellExecuteW 7CAB5D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!NtFreeVirtualMemory 7C90D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ntdll.dll!LdrGetProcedureAddress 7C917EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ADVAPI32.dll!OpenServiceW 77DE6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ADVAPI32.dll!OpenServiceA 77DF4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ADVAPI32.dll!CreateServiceA 77E37211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ADVAPI32.dll!CreateServiceW 77E373A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 10001E30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 10001E50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] SHELL32.dll!ShellExecuteExW 7CA0996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] SHELL32.dll!ShellExecuteEx 7CA40EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] SHELL32.dll!ShellExecuteA 7CA411E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 00FF1102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\WINDOWS\Explorer.EXE[560] SHELL32.dll!ShellExecuteW 7CAB5D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 018628F5
.text C:\WINDOWS\Explorer.EXE[560] WS2_32.dll!WSASocketW 71AB404E 7 Bytes JMP 10001E90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\Explorer.EXE[560] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01862781
.text C:\WINDOWS\Explorer.EXE[560] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01862873
.text C:\WINDOWS\Explorer.EXE[560] WS2_32.dll!recv 71AB676F 5 Bytes JMP 018627B9
.text C:\WINDOWS\Explorer.EXE[560] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 018627F1
.text C:\WINDOWS\Explorer.EXE[560] WS2_32.dll!WSASocketA 71AB8B6A 5 Bytes JMP 10001E70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtFreeVirtualMemory 7C90D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!LdrGetProcedureAddress 7C917EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!OpenServiceW 77DE6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!OpenServiceA 77DF4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!CreateServiceA 77E37211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] ADVAPI32.dll!CreateServiceW 77E373A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 10001E30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 10001E50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] shell32.dll!ShellExecuteExW 7CA0996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] shell32.dll!ShellExecuteEx 7CA40EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] shell32.dll!ShellExecuteA 7CA411E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\services.exe[856] shell32.dll!ShellExecuteW 7CAB5D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtFreeVirtualMemory 7C90D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!LdrGetProcedureAddress 7C917EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!OpenServiceW 77DE6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!OpenServiceA 77DF4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!CreateServiceA 77E37211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ADVAPI32.dll!CreateServiceW 77E373A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] WS2_32.dll!WSASocketW 71AB404E 7 Bytes JMP 10001E90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] WS2_32.dll!WSASocketA 71AB8B6A 5 Bytes JMP 10001E70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] SHELL32.dll!ShellExecuteExW 7CA0996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] SHELL32.dll!ShellExecuteEx 7CA40EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] SHELL32.dll!ShellExecuteA 7CA411E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\lsass.exe[868] SHELL32.dll!ShellExecuteW 7CAB5D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!NtFreeVirtualMemory 7C90D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ntdll.dll!LdrGetProcedureAddress 7C917EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ADVAPI32.dll!OpenServiceW 77DE6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ADVAPI32.dll!OpenServiceA 77DF4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ADVAPI32.dll!CreateServiceA 77E37211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\Ati2evxx.exe[1060] ADVAPI32.dll!CreateServiceW 77E373A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!NtFreeVirtualMemory 7C90D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!LdrGetProcedureAddress 7C917EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!OpenServiceW 77DE6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!OpenServiceA 77DF4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!CreateServiceA 77E37211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!CreateServiceW 77E373A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] SHELL32.dll!ShellExecuteExW 7CA0996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] SHELL32.dll!ShellExecuteEx 7CA40EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] SHELL32.dll!ShellExecuteA 7CA411E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] SHELL32.dll!ShellExecuteW 7CAB5D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 10001E30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1080] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 10001E50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!NtFreeVirtualMemory 7C90D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ntdll.dll!LdrGetProcedureAddress 7C917EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] SHELL32.dll!ShellExecuteExW 7CA0996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] SHELL32.dll!ShellExecuteEx 7CA40EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] SHELL32.dll!ShellExecuteA 7CA411E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] SHELL32.dll!ShellExecuteW 7CAB5D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ADVAPI32.dll!OpenServiceW 77DE6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ADVAPI32.dll!OpenServiceA 77DF4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ADVAPI32.dll!CreateServiceA 77E37211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ADVAPI32.dll!CreateServiceW 77E373A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 10001E30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 10001E50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010628F5
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] WS2_32.dll!WSASocketW 71AB404E 7 Bytes JMP 10001E90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01062781
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01062873
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010627B9
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010627F1
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1132] WS2_32.dll!WSASocketA 71AB8B6A 5 Bytes JMP 10001E70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!NtFreeVirtualMemory 7C90D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ntdll.dll!LdrGetProcedureAddress 7C917EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!OpenServiceW 77DE6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!OpenServiceA 77DF4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!CreateServiceA 77E37211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ADVAPI32.dll!CreateServiceW 77E373A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] SHELL32.dll!ShellExecuteExW 7CA0996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] SHELL32.dll!ShellExecuteEx 7CA40EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] SHELL32.dll!ShellExecuteA 7CA411E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] SHELL32.dll!ShellExecuteW 7CAB5D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 10001E30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\system32\svchost.exe[1148] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 10001E50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!NtFreeVirtualMemory 7C90D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ntdll.dll!LdrGetProcedureAddress 7C917EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ADVAPI32.dll!OpenServiceW 77DE6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ADVAPI32.dll!OpenServiceA 77DF4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ADVAPI32.dll!CreateServiceA 77E37211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] ADVAPI32.dll!CreateServiceW 77E373A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\MXOALDR.EXE[1204] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!NtFreeVirtualMemory 7C90D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ntdll.dll!LdrGetProcedureAddress 7C917EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] KERNEL32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ADVAPI32.dll!OpenServiceW 77DE6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ADVAPI32.dll!OpenServiceA 77DF4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ADVAPI32.dll!CreateServiceA 77E37211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ADVAPI32.dll!CreateServiceW 77E373A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] shell32.dll!ShellExecuteExW 7CA0996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] shell32.dll!ShellExecuteEx 7CA40EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] shell32.dll!ShellExecuteA 7CA411E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] shell32.dll!ShellExecuteW 7CAB5D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] WININET.dll!InternetConnectA 3D94B0D2 5 Bytes JMP 10001E30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] WININET.dll!InternetConnectW 3D94C2C0 5 Bytes JMP 10001E50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 039028F5
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] WS2_32.dll!WSASocketW 71AB404E 7 Bytes JMP 10001E90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03902781
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03902873
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] WS2_32.dll!recv 71AB676F 5 Bytes JMP 039027B9
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 039027F1
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1212] WS2_32.dll!WSASocketA 71AB8B6A 5 Bytes JMP 10001E70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 10001950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100082B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100018D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 10001890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 100019B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 10001910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!NtFreeVirtualMemory 7C90D38E 5 Bytes JMP 10001A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 10001970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 10001930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 100019D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 10001990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 100018B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 10001A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 10004550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100081E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ntdll.dll!LdrGetProcedureAddress 7C917EA8 5 Bytes JMP 100019F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 10001B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 10001D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 10001AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 10001AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10001D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10001A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10001A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 10001A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 10001D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 10001CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 10001D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 10001B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 10001C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 10001C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 10001B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [7E, 93] {JLE 0xffffffffffffff95}
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 10001BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 10001B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 10001B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 10001CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 10001CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 10001C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 10001BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 10001C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 10001C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 10001BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 10001D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 10001AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ADVAPI32.dll!OpenServiceW 77DE6FFD 7 Bytes JMP 10001480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ADVAPI32.dll!OpenServiceA 77DF4C66 7 Bytes JMP 10001640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ADVAPI32.dll!CreateServiceA 77E37211 7 Bytes JMP 10001000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ADVAPI32.dll!CreateServiceW 77E373A9 7 Bytes JMP 10001250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10007BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10007D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10007E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] SHELL32.dll!ShellExecuteExW 7CA0996B 5 Bytes JMP 10001E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] SHELL32.dll!ShellExecuteEx 7CA40EB5 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] SHELL32.dll!ShellExecuteA 7CA411E0 5 Bytes JMP 10001DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\WINDOWS\RTHDCPL.EXE[1220] SHELL32.dll!ShellExecuteW 7CAB5D48 5 Bytes JMP 10001DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00391950 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 003982B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 003918D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00391890 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 003919B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!NtDeleteFile 7C90D23E 5 Bytes JMP 00391910 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!NtFreeVirtualMemory 7C90D38E 5 Bytes JMP 00391A30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!NtLoadDriver 7C90D46E 5 Bytes JMP 00391970 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 003918F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00391930 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 003919D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!NtUnloadDriver 7C90DEBE 5 Bytes JMP 00391990 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 003918B0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!RtlAllocateHeap 7C9100C4 5 Bytes JMP 00391A10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00394550 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 003981E0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ntdll.dll!LdrGetProcedureAddress 7C917EA8 5 Bytes JMP 003919F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00391B30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00391D90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!LoadLibraryExW 7C801AF5 7 Bytes JMP 00391AF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00391AD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00391D30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00391A70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00391A50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00391A90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00391D50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!GetModuleHandleA 7C80B741 5 Bytes JMP 00391CF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!GetModuleHandleW 7C80E4DD 5 Bytes JMP 00391D10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00391B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!MoveFileWithProgressW 7C81F72E 5 Bytes JMP 00391C90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00391C10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!OpenFile 7C821982 2 Bytes JMP 00391B10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!OpenFile + 3 7C821985 2 Bytes [B7, 83] {MOV BH, 0x83}
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!CopyFileExW 7C827B32 7 Bytes JMP 00391BD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00391B70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00391B90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 00391CB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 00391CD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 00391C50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00391BF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!MoveFileWithProgressA 7C835EDE 5 Bytes JMP 00391C70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!MoveFileExA 7C85E49B 5 Bytes JMP 00391C30 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!CopyFileExA 7C85F39C 5 Bytes JMP 00391BB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00391D70 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] kernel32.dll!LoadModule 7C86261E 5 Bytes JMP 00391AB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 00397E80 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ADVAPI32.dll!OpenServiceW 77DE6FFD 7 Bytes JMP 00391480 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ADVAPI32.dll!OpenServiceA 77DF4C66 7 Bytes JMP 00391640 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ADVAPI32.dll!CreateServiceA 77E37211 7 Bytes JMP 00391000 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] ADVAPI32.dll!CreateServiceW 77E373A9 7 Bytes JMP 00391250 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] SHELL32.dll!ShellExecuteExW 7CA0996B 5 Bytes JMP 00391E10 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] SHELL32.dll!ShellExecuteEx 7CA40EB5 5 Bytes JMP 00391DF0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] SHELL32.dll!ShellExecuteA 7CA411E0 5 Bytes JMP 00391DB0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1228] SHELL32.dll!ShellExecuteW 7CAB5D48 5 Bytes JMP 00391DD0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)

#5 vsquared2

vsquared2
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
    •  
  • Local time:01:42 PM

Posted 27 February 2010 - 12:39 PM

Elise,

My gmer log is 537kb and my computer won't stay unfrozen long enough for me to break it up into thirds as halves were still too long. I zipped it and attached it. If you have a different or better way, please advise.

Attached Files

  • Attached File  gmer.zip   24.11KB   2 downloads

#6 vsquared2

vsquared2
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
    •  
  • Local time:01:42 PM

Posted 27 February 2010 - 12:40 PM

whoops - I see that gmer first third did go thru - I had to crash restart and I just assumed it didn't. I'll just let it go at the attached zip file unless you request otherwise.

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,604 posts
  • ONLINE
    •  
  • Gender:Female
  • Location:Romania
  • Local time:08:42 PM

Posted 27 February 2010 - 01:52 PM

Hello vsquared2,

No worries, the GMER log is just fine this way, its a bit long due to Comodo smile.gif

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif

#8 vsquared2

vsquared2
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
    •  
  • Local time:01:42 PM

Posted 01 March 2010 - 10:40 AM

Wow Elise, you were super fast in responding but I had to go to work. Here is Combo Fix Log:
ComboFix 10-02-28.04 - Vance 03/01/2010 10:20:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2548 [GMT -5:00]
Running from: c:\documents and settings\Vance\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\bszip.dll
M:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
original MBR restored successfully !
.
((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 )))))))))))))))))))))))))))))))
.

2010-02-27 14:27 . 2010-02-27 14:27 -------- d-----w- c:\windows\system32\KB905474
2010-02-27 14:27 . 2009-03-11 03:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-02-27 14:27 . 2009-03-11 03:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-02-25 21:42 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-25 21:19 . 2009-07-17 16:22 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2010-02-25 21:19 . 2009-04-02 03:02 604160 -c----w- c:\windows\system32\dllcache\wmspdmod.dll
2010-02-25 21:19 . 2009-09-04 21:03 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2010-02-25 21:18 . 2010-02-27 14:26 -------- d--h--w- c:\windows\$hf_mig$
2010-02-23 16:58 . 2010-02-23 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2010-02-23 16:57 . 2010-02-23 16:57 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-02-23 16:57 . 2010-02-23 16:57 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-02-23 16:57 . 2010-02-23 16:57 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-23 16:57 . 2010-02-23 16:57 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-02-23 16:57 . 2010-02-23 16:57 -------- d-----w- c:\program files\COMODO
2010-02-23 01:14 . 2010-02-23 01:14 -------- d-----w- c:\program files\VS Revo Group
2010-02-20 02:56 . 2010-02-20 02:56 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-02-12 19:28 . 2010-02-12 19:28 -------- d-----w- c:\program files\VTech
2010-02-05 18:56 . 2010-02-05 18:56 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2010-02-04 16:30 . 2010-02-04 16:30 -------- d-----w- c:\documents and settings\Vance\Application Data\Malwarebytes
2010-02-04 16:30 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-04 16:30 . 2010-02-04 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-04 16:30 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 16:02 . 2010-02-02 16:03 23110 ----a-w- c:\windows\hpqins15.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 15:26 . 2010-01-01 17:12 -------- d-----w- c:\documents and settings\Vance\Application Data\Skype
2010-03-01 15:03 . 2006-08-26 13:47 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-01 13:07 . 2010-01-01 17:36 -------- d-----w- c:\documents and settings\Vance\Application Data\skypePM
2010-02-26 08:34 . 2009-08-06 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-25 23:13 . 2008-02-20 01:57 -------- d-----w- c:\program files\Steam
2010-02-25 22:49 . 2006-10-07 04:52 -------- d-----w- c:\program files\Bonjour
2010-02-25 21:01 . 2009-06-25 17:17 -------- d-----w- c:\documents and settings\Vance\Application Data\HPAppData
2010-02-25 20:43 . 2006-10-26 18:11 98136 ----a-w- c:\documents and settings\Vance\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-25 20:32 . 2006-08-26 15:09 -------- d-----w- c:\program files\Microsoft Works
2010-02-20 19:32 . 2009-04-10 18:25 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-02-20 17:09 . 2009-04-10 18:26 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-02-20 02:26 . 2009-11-15 15:44 79488 ----a-w- c:\documents and settings\Vance\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 00:45 . 2009-05-05 14:28 -------- d-----w- c:\program files\PrimoDVD (English)
2010-02-19 00:28 . 2009-09-08 20:10 -------- d-----w- c:\program files\Google
2010-02-18 23:30 . 2009-08-26 02:25 -------- d-----w- c:\program files\Coupons
2010-02-15 00:12 . 2006-09-01 16:29 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-12 19:28 . 2006-08-18 20:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-09 07:08 . 2009-08-26 12:34 -------- d-----w- c:\documents and settings\Vance\Application Data\HpUpdate
2010-02-07 02:58 . 2009-12-25 17:45 814 ----a-w- c:\windows\eReg.dat
2010-02-05 19:02 . 2009-12-25 17:40 -------- d-----w- c:\program files\EA Games
2010-01-29 18:53 . 2009-04-15 18:52 -------- d-----w- c:\documents and settings\Vance\Application Data\YouSendIt
2010-01-29 17:40 . 2010-01-29 17:40 -------- d-----w- c:\program files\YouSendIt
2010-01-29 17:40 . 2009-10-20 19:24 3309072 ----a-w- c:\documents and settings\Vance\Application Data\YouSendIt\Downloads\YouSendIt_Express.exe
2010-01-26 00:16 . 2006-12-27 14:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-25 22:08 . 2010-01-25 01:12 -------- d-----w- c:\program files\Nick Jr. Arcade
2010-01-12 15:45 . 2009-05-12 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-01-12 15:43 . 2010-01-12 15:36 77374 ----a-w- c:\windows\hpqins05.dat
2010-01-12 15:41 . 2010-01-05 04:24 203600 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-12 15:38 . 2010-01-12 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-01-08 18:33 . 2008-01-25 20:25 -------- d-----w- c:\documents and settings\Vance\Application Data\FileZilla
2010-01-05 10:00 . 2006-06-23 16:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-01 17:36 . 2010-01-01 17:36 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-01-01 16:52 . 2010-01-01 16:51 -------- d-----r- c:\program files\Skype
2010-01-01 16:51 . 2010-01-01 16:51 -------- d-----w- c:\program files\Common Files\Skype
2010-01-01 16:51 . 2010-01-01 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-01-01 16:12 . 2010-01-01 16:11 -------- d-----w- c:\program files\Microsoft LifeCam
2009-12-31 16:50 . 2003-03-31 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 03:59 . 2007-02-03 00:10 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-16 18:43 . 2006-08-18 20:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2003-03-31 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 19:10 . 2009-10-19 18:08 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-04 18:22 . 2003-03-31 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-08-26 02:25 . 2009-08-26 02:25 1277680 ----a-w- c:\program files\couponprinter.exe
2004-03-11 17:27 . 2006-08-30 00:02 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

------- Sigcheck -------

[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\sp2gdr\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\sp3gdr\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\sp3qfe\es.dll
[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\sp2qfe\es.dll
[7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll

c:\windows\System32\es.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 339968]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"MXOBG"="c:\windows\MXOALDR.EXE" [2009-03-10 94208]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]
"VX6000"="c:\windows\vVX6000.exe" [2009-03-17 713744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-02-23 1800464]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Vance^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\documents and settings\Vance\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Vance^Start Menu^Programs^Startup^SpeedFan (2).lnk]
path=c:\documents and settings\Vance\Start Menu\Programs\Startup\SpeedFan (2).lnk
backup=c:\windows\pss\SpeedFan (2).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-03-26 01:27 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-03-13 13:34 81920 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 14:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-02-29 07:12 76304 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
2004-12-22 12:21 823296 ----a-w- c:\program files\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
2001-11-13 15:38 57344 ----a-r- c:\program files\Common Files\Mediafour\MACVNTFY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2004-05-04 14:22 839770 ------w- c:\program files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-10-25 23:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 23:42 32768 ----a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-02-20 01:08 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-22 14:51 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-08 20:11 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_02\bin\jusched.exe
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\EA Games\\Battlefield Vietnam\\bfvietnam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [10/29/2001 7:19 PM 23120]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2/23/2010 11:57 AM 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2/23/2010 11:57 AM 25160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/19/2009 1:08 PM 108289]
R3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [3/2/2008 9:17 PM 182528]
R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [1/1/2010 11:12 AM 2077840]
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [7/8/2006 12:31 PM 13626]
S3 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [11/13/2001 4:53 PM 214192]
S3 zlportio;ZLPORTIO - Allow user access to I/O ports;c:\windows\system32\zlportio.sys [2/22/2009 9:04 AM 4016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-27 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-02-27 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Vance\Application Data\Mozilla\Firefox\Profiles\lfjw5c8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmnqmp07030901.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)
HKCU-Run-PowerBar - (no file)
HKLM-Run-PRISMSTA.EXE - c:\windows\PRISMSTA.EXE
HKLM-Run-PRISMSVR.EXE - c:\windows\system32\PRISMSVR.EXE



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ?????s?w?t?w??@?`?@?p???????????????*r?w?r?w????8??????????????????????????????? ???????8???????|????H?w??????????????@????????w???w????j??w%??w??????????????@???@?????????????????????(?*??????????????n?wE??w??????????@?????????>!@???@???????@???@????????????s

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> 0x8b344c50
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'lsass.exe'(868)
c:\windows\system32\guard32.dll
.
Completion time: 2010-03-01 10:27:15
ComboFix-quarantined-files.txt 2010-03-01 15:27

Pre-Run: 34,928,562,176 bytes free
Post-Run: 35,589,840,896 bytes free

- - End Of File - - D8367A346A60218D1B70DA2F2FA93BCE

Thanks smile.gif

#9 vsquared2

vsquared2
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
    •  
  • Local time:01:42 PM

Posted 01 March 2010 - 10:44 AM

Oh, one more thing, when I ran ComboFix it said it couldn't connect to internet so I didn't have the option to install Microsoft Recovery Console. Weird because I didn't disable my connection, my connection light was on and I was able to log on immediately after ComboFix finished.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,604 posts
  • ONLINE
    •  
  • Gender:Female
  • Location:Romania
  • Local time:08:42 PM

Posted 01 March 2010 - 12:34 PM

Hello, please see if the Recovery Console is installed this time.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
MBR::

FCopy::
c:\windows\ServicePackFiles\i386\es.dll | c:\windows\System32\es.dll

Save this as CFScript.txt, in the same location as ComboFix.exe



Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif

#11 vsquared2

vsquared2
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
    •  
  • Local time:01:42 PM

Posted 03 March 2010 - 02:53 PM

I haven't been ignoring - just trying to find time to do this. I followed your instructions - several times and re-downloaded ComboFix from the other location but every time I run it, I keep getting an Error message that read:
"You do not appear to be connected to the internet. Kindly connect before clicking 'OK' " After clicking OK it then runs and produces a log, but apparently not the right one. I obviously am connected to the internet so I have no idea why I keep getting this message. dry.gif

Also, when I click "Exit" on Comodo firewall (as the disabling instructions say to do), my Windows Security Alert shows that it is still active.

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,604 posts
  • ONLINE
    •  
  • Gender:Female
  • Location:Romania
  • Local time:08:42 PM

Posted 03 March 2010 - 03:19 PM

Okay, lets first install the Recovery Console (see instructions below). Afterwards, run the CFScript as instructed. No need to post the log after the Recovery Console is installed, only post the log that results from the CFScript.


With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools (if comodo causes problems, just ignore it).



  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.





  • At the next prompt, click 'No' to exit ComboFix.

  • Now proceed with the CFScript.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif

#13 vsquared2

vsquared2
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
    •  
  • Local time:01:42 PM

Posted 03 March 2010 - 03:54 PM

Yay - it worked. Here is ComboFix.txt log:
ComboFix 10-02-28.04 - Vance 03/03/2010 15:36:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2655 [GMT -5:00]
Running from: c:\documents and settings\Vance\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Vance\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-02-27 14:27 . 2010-02-27 14:27 -------- d-----w- c:\windows\system32\KB905474
2010-02-27 14:27 . 2009-03-11 03:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-02-27 14:27 . 2009-03-11 03:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-02-25 21:42 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-25 21:19 . 2009-07-17 16:22 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2010-02-25 21:19 . 2009-04-02 03:02 604160 -c----w- c:\windows\system32\dllcache\wmspdmod.dll
2010-02-25 21:19 . 2009-09-04 21:03 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2010-02-25 21:18 . 2010-02-27 14:26 -------- d--h--w- c:\windows\$hf_mig$
2010-02-23 16:58 . 2010-02-23 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2010-02-23 16:57 . 2010-02-23 16:57 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-02-23 16:57 . 2010-02-23 16:57 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-02-23 16:57 . 2010-02-23 16:57 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-23 16:57 . 2010-02-23 16:57 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-02-23 16:57 . 2010-02-23 16:57 -------- d-----w- c:\program files\COMODO
2010-02-23 01:14 . 2010-02-23 01:14 -------- d-----w- c:\program files\VS Revo Group
2010-02-20 02:56 . 2010-02-20 02:56 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-02-12 19:28 . 2010-02-12 19:28 -------- d-----w- c:\program files\VTech
2010-02-05 18:56 . 2010-02-05 18:56 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2010-02-04 16:30 . 2010-02-04 16:30 -------- d-----w- c:\documents and settings\Vance\Application Data\Malwarebytes
2010-02-04 16:30 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-04 16:30 . 2010-02-04 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-04 16:30 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 16:02 . 2010-02-02 16:03 23110 ----a-w- c:\windows\hpqins15.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 20:23 . 2006-08-26 13:47 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-03 19:38 . 2010-01-01 17:12 -------- d-----w- c:\documents and settings\Vance\Application Data\Skype
2010-03-03 13:05 . 2010-01-01 17:36 -------- d-----w- c:\documents and settings\Vance\Application Data\skypePM
2010-02-26 08:34 . 2009-08-06 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-25 23:13 . 2008-02-20 01:57 -------- d-----w- c:\program files\Steam
2010-02-25 22:49 . 2006-10-07 04:52 -------- d-----w- c:\program files\Bonjour
2010-02-25 21:01 . 2009-06-25 17:17 -------- d-----w- c:\documents and settings\Vance\Application Data\HPAppData
2010-02-25 20:43 . 2006-10-26 18:11 98136 ----a-w- c:\documents and settings\Vance\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-25 20:32 . 2006-08-26 15:09 -------- d-----w- c:\program files\Microsoft Works
2010-02-20 19:32 . 2009-04-10 18:25 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-02-20 17:09 . 2009-04-10 18:26 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-02-20 02:26 . 2009-11-15 15:44 79488 ----a-w- c:\documents and settings\Vance\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 00:45 . 2009-05-05 14:28 -------- d-----w- c:\program files\PrimoDVD (English)
2010-02-19 00:28 . 2009-09-08 20:10 -------- d-----w- c:\program files\Google
2010-02-18 23:30 . 2009-08-26 02:25 -------- d-----w- c:\program files\Coupons
2010-02-15 00:12 . 2006-09-01 16:29 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-12 19:28 . 2006-08-18 20:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-09 07:08 . 2009-08-26 12:34 -------- d-----w- c:\documents and settings\Vance\Application Data\HpUpdate
2010-02-07 02:58 . 2009-12-25 17:45 814 ----a-w- c:\windows\eReg.dat
2010-02-05 19:02 . 2009-12-25 17:40 -------- d-----w- c:\program files\EA Games
2010-01-29 18:53 . 2009-04-15 18:52 -------- d-----w- c:\documents and settings\Vance\Application Data\YouSendIt
2010-01-29 17:40 . 2010-01-29 17:40 -------- d-----w- c:\program files\YouSendIt
2010-01-29 17:40 . 2009-10-20 19:24 3309072 ----a-w- c:\documents and settings\Vance\Application Data\YouSendIt\Downloads\YouSendIt_Express.exe
2010-01-26 00:16 . 2006-12-27 14:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-25 22:08 . 2010-01-25 01:12 -------- d-----w- c:\program files\Nick Jr. Arcade
2010-01-12 15:45 . 2009-05-12 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-01-12 15:43 . 2010-01-12 15:36 77374 ----a-w- c:\windows\hpqins05.dat
2010-01-12 15:41 . 2010-01-05 04:24 203600 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-12 15:38 . 2010-01-12 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-01-08 18:33 . 2008-01-25 20:25 -------- d-----w- c:\documents and settings\Vance\Application Data\FileZilla
2010-01-05 10:00 . 2006-06-23 16:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-01 17:36 . 2010-01-01 17:36 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-31 16:50 . 2003-03-31 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 03:59 . 2007-02-03 00:10 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-16 18:43 . 2006-08-18 20:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2003-03-31 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 19:10 . 2009-10-19 18:08 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-04 18:22 . 2003-03-31 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-08-26 02:25 . 2009-08-26 02:25 1277680 ----a-w- c:\program files\couponprinter.exe
2004-03-11 17:27 . 2006-08-30 00:02 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

------- Sigcheck -------

[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\sp2gdr\es.dll
[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\sp3gdr\es.dll
[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\sp3qfe\es.dll
[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\sp2qfe\es.dll
[7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll

c:\windows\System32\es.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2010-03-01_15.26.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-03 04:45 . 2010-03-03 04:45 16384 c:\windows\Temp\Perflib_Perfdata_c90.dat
+ 2003-03-31 12:00 . 2010-03-03 04:50 84510 c:\windows\system32\perfc009.dat
- 2003-03-31 12:00 . 2010-02-27 17:22 84510 c:\windows\system32\perfc009.dat
+ 2003-03-31 12:00 . 2010-03-03 04:50 470456 c:\windows\system32\perfh009.dat
- 2003-03-31 12:00 . 2010-02-27 17:22 470456 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 339968]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"MXOBG"="c:\windows\MXOALDR.EXE" [2009-03-10 94208]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]
"VX6000"="c:\windows\vVX6000.exe" [2009-03-17 713744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-02-23 1800464]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Vance^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\documents and settings\Vance\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Vance^Start Menu^Programs^Startup^SpeedFan (2).lnk]
path=c:\documents and settings\Vance\Start Menu\Programs\Startup\SpeedFan (2).lnk
backup=c:\windows\pss\SpeedFan (2).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-03-26 01:27 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-03-13 13:34 81920 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 14:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-02-29 07:12 76304 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
2004-12-22 12:21 823296 ----a-w- c:\program files\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
2001-11-13 15:38 57344 ----a-r- c:\program files\Common Files\Mediafour\MACVNTFY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2004-05-04 14:22 839770 ------w- c:\program files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-10-25 23:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 23:42 32768 ----a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-02-20 01:08 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-22 14:51 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-08 20:11 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_02\bin\jusched.exe
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\EA Games\\Battlefield Vietnam\\bfvietnam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"5756:TCP"= 5756:TCP:Services

R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [10/29/2001 7:19 PM 23120]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2/23/2010 11:57 AM 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2/23/2010 11:57 AM 25160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/19/2009 1:08 PM 108289]
R3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [3/2/2008 9:17 PM 182528]
R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [1/1/2010 11:12 AM 2077840]
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [7/8/2006 12:31 PM 13626]
S3 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [11/13/2001 4:53 PM 214192]
S3 zlportio;ZLPORTIO - Allow user access to I/O ports;c:\windows\system32\zlportio.sys [2/22/2009 9:04 AM 4016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-02-27 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Vance\Application Data\Mozilla\Firefox\Profiles\lfjw5c8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmnqmp07030901.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 15:40
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A163DE8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> 0x8a163de8
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2076)
c:\windows\system32\WININET.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-03 15:42:49
ComboFix-quarantined-files.txt 2010-03-03 20:42
ComboFix2.txt 2010-03-01 15:27

Pre-Run: 35,447,656,448 bytes free
Post-Run: 35,399,041,024 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - B3D5B4EE8A021469AC3982F655E37ADB

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,604 posts
  • ONLINE
    •  
  • Gender:Female
  • Location:Romania
  • Local time:08:42 PM

Posted 03 March 2010 - 04:08 PM

Okay, well done smile.gif

Now please run the CFScript as instructed in post #10

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif

#15 vsquared2

vsquared2
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
    •  
  • Local time:01:42 PM

Posted 03 March 2010 - 05:09 PM

Wow - that took so long - I thought it had frozen but it worked!!!

Here is ComboFix.txt:

ComboFix 10-02-28.04 - Vance 03/03/2010 16:33:36.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2672 [GMT -5:00]
Running from: c:\documents and settings\Vance\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Vance\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
original MBR restored successfully !
.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\es.dll --> c:\windows\System32\es.dll
.
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-03 21:29 . 2010-03-03 21:29 -------- d-----w- c:\windows\LastGood.Tmp
2010-03-03 21:20 . 2008-04-14 00:11 246272 -c--a-w- c:\windows\system32\dllcache\es.dll
2010-03-03 21:20 . 2008-04-14 00:11 246272 ----a-w- c:\windows\system32\es.dll
2010-02-27 14:27 . 2010-02-27 14:27 -------- d-----w- c:\windows\system32\KB905474
2010-02-27 14:27 . 2009-03-11 03:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-02-27 14:27 . 2009-03-11 03:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-02-25 21:42 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-25 21:19 . 2009-07-17 16:22 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2010-02-25 21:19 . 2009-04-02 03:02 604160 -c----w- c:\windows\system32\dllcache\wmspdmod.dll
2010-02-25 21:19 . 2009-09-04 21:03 58880 -c----w- c:\windows\system32\dllcache\msasn1.dll
2010-02-25 21:18 . 2010-03-03 21:29 -------- d--h--w- c:\windows\$hf_mig$
2010-02-23 16:58 . 2010-02-23 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2010-02-23 16:57 . 2010-02-23 16:57 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-02-23 16:57 . 2010-02-23 16:57 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-02-23 16:57 . 2010-02-23 16:57 171552 ----a-w- c:\windows\system32\guard32.dll
2010-02-23 16:57 . 2010-02-23 16:57 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-02-23 16:57 . 2010-02-23 16:57 -------- d-----w- c:\program files\COMODO
2010-02-23 01:14 . 2010-02-23 01:14 -------- d-----w- c:\program files\VS Revo Group
2010-02-20 02:56 . 2010-02-20 02:56 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2010-02-12 19:28 . 2010-02-12 19:28 -------- d-----w- c:\program files\VTech
2010-02-05 18:56 . 2010-02-05 18:56 -------- d-----w- c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP
2010-02-04 16:30 . 2010-02-04 16:30 -------- d-----w- c:\documents and settings\Vance\Application Data\Malwarebytes
2010-02-04 16:30 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-04 16:30 . 2010-02-04 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-04 16:30 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 16:02 . 2010-02-02 16:03 23110 ----a-w- c:\windows\hpqins15.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 21:57 . 2010-01-01 17:12 -------- d-----w- c:\documents and settings\Vance\Application Data\Skype
2010-03-03 21:25 . 2010-01-01 17:36 -------- d-----w- c:\documents and settings\Vance\Application Data\skypePM
2010-03-03 20:55 . 2006-08-26 13:47 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-02-26 08:34 . 2009-08-06 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-25 23:13 . 2008-02-20 01:57 -------- d-----w- c:\program files\Steam
2010-02-25 22:49 . 2006-10-07 04:52 -------- d-----w- c:\program files\Bonjour
2010-02-25 21:01 . 2009-06-25 17:17 -------- d-----w- c:\documents and settings\Vance\Application Data\HPAppData
2010-02-25 20:43 . 2006-10-26 18:11 98136 ----a-w- c:\documents and settings\Vance\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-25 20:32 . 2006-08-26 15:09 -------- d-----w- c:\program files\Microsoft Works
2010-02-20 19:32 . 2009-04-10 18:25 -------- d-----w- c:\program files\Common Files\ArcSoft
2010-02-20 17:09 . 2009-04-10 18:26 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-02-20 02:26 . 2009-11-15 15:44 79488 ----a-w- c:\documents and settings\Vance\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-20 00:45 . 2009-05-05 14:28 -------- d-----w- c:\program files\PrimoDVD (English)
2010-02-19 00:28 . 2009-09-08 20:10 -------- d-----w- c:\program files\Google
2010-02-18 23:30 . 2009-08-26 02:25 -------- d-----w- c:\program files\Coupons
2010-02-15 00:12 . 2006-09-01 16:29 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-12 19:28 . 2006-08-18 20:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-09 07:08 . 2009-08-26 12:34 -------- d-----w- c:\documents and settings\Vance\Application Data\HpUpdate
2010-02-07 02:58 . 2009-12-25 17:45 814 ----a-w- c:\windows\eReg.dat
2010-02-05 19:02 . 2009-12-25 17:40 -------- d-----w- c:\program files\EA Games
2010-01-29 18:53 . 2009-04-15 18:52 -------- d-----w- c:\documents and settings\Vance\Application Data\YouSendIt
2010-01-29 17:40 . 2010-01-29 17:40 -------- d-----w- c:\program files\YouSendIt
2010-01-29 17:40 . 2009-10-20 19:24 3309072 ----a-w- c:\documents and settings\Vance\Application Data\YouSendIt\Downloads\YouSendIt_Express.exe
2010-01-26 00:16 . 2006-12-27 14:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-25 22:08 . 2010-01-25 01:12 -------- d-----w- c:\program files\Nick Jr. Arcade
2010-01-12 15:45 . 2009-05-12 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-01-12 15:43 . 2010-01-12 15:36 77374 ----a-w- c:\windows\hpqins05.dat
2010-01-12 15:41 . 2010-01-05 04:24 203600 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-12 15:38 . 2010-01-12 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-01-08 18:33 . 2008-01-25 20:25 -------- d-----w- c:\documents and settings\Vance\Application Data\FileZilla
2010-01-05 10:00 . 2006-06-23 16:33 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-01 17:36 . 2010-01-01 17:36 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-31 16:50 . 2003-03-31 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-26 03:59 . 2007-02-03 00:10 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-16 18:43 . 2006-08-18 20:11 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2003-03-31 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2003-03-31 12:00 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-07 19:10 . 2009-10-19 18:08 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-04 18:22 . 2003-03-31 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-08-26 02:25 . 2009-08-26 02:25 1277680 ----a-w- c:\program files\couponprinter.exe
2004-03-11 17:27 . 2006-08-30 00:02 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-03-01_15.26.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-03 21:56 . 2010-03-03 21:56 16384 c:\windows\Temp\Perflib_Perfdata_8bc.dat
+ 2010-03-03 21:54 . 2010-03-03 21:54 16384 c:\windows\Temp\Perflib_Perfdata_60c.dat
+ 2003-03-31 12:00 . 2010-03-03 21:29 84510 c:\windows\system32\perfc009.dat
- 2003-03-31 12:00 . 2010-02-27 17:22 84510 c:\windows\system32\perfc009.dat
- 2008-09-09 21:26 . 2007-11-30 12:39 26488 c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\update\spcustom.dll
- 2008-09-09 21:26 . 2007-11-30 12:39 17272 c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\spmsg.dll
+ 2003-03-31 12:00 . 2010-03-03 21:29 470456 c:\windows\system32\perfh009.dat
- 2003-03-31 12:00 . 2010-02-27 17:22 470456 c:\windows\system32\perfh009.dat
- 2008-09-09 21:26 . 2007-11-30 12:39 382840 c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\update\updspapi.dll
- 2008-09-09 21:26 . 2007-11-30 12:39 755576 c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\update\update.exe
- 2008-09-09 21:26 . 2007-11-30 12:39 231288 c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\spuninst.exe
- 2008-09-09 21:26 . 2008-07-07 20:23 253952 c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\sp3qfe\es.dll
- 2008-09-09 21:26 . 2008-07-07 20:26 253952 c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\sp3gdr\es.dll
- 2008-09-09 21:26 . 2008-07-07 20:06 253952 c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\sp2qfe\es.dll
- 2008-09-09 21:26 . 2008-07-07 20:32 253952 c:\windows\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975\sp2gdr\es.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 339968]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"MXOBG"="c:\windows\MXOALDR.EXE" [2009-03-10 94208]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]
"VX6000"="c:\windows\vVX6000.exe" [2009-03-17 713744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-02-23 1800464]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Vance^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\documents and settings\Vance\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Vance^Start Menu^Programs^Startup^SpeedFan (2).lnk]
path=c:\documents and settings\Vance\Start Menu\Programs\Startup\SpeedFan (2).lnk
backup=c:\windows\pss\SpeedFan (2).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-03-26 01:27 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-03-13 13:34 81920 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 14:36 256576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-02-29 07:12 76304 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
2004-12-22 12:21 823296 ----a-w- c:\program files\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
2001-11-13 15:38 57344 ----a-r- c:\program files\Common Files\Mediafour\MACVNTFY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2004-05-04 14:22 839770 ------w- c:\program files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-10-25 23:58 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-10-31 23:42 32768 ----a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-02-20 01:08 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-22 14:51 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-08 20:11 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"=c:\program files\Java\j2re1.4.2_02\bin\jusched.exe
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\EA Games\\Battlefield Vietnam\\bfvietnam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"5756:TCP"= 5756:TCP:Services

R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [10/29/2001 7:19 PM 23120]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2/23/2010 11:57 AM 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2/23/2010 11:57 AM 25160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/19/2009 1:08 PM 108289]
R3 SaiH0461;SaiH0461;c:\windows\system32\drivers\SaiH0461.sys [3/2/2008 9:17 PM 182528]
R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [1/1/2010 11:12 AM 2077840]
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [7/8/2006 12:31 PM 13626]
S3 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [11/13/2001 4:53 PM 214192]
S3 zlportio;ZLPORTIO - Allow user access to I/O ports;c:\windows\system32\zlportio.sys [2/22/2009 9:04 AM 4016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-02-27 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Vance\Application Data\Mozilla\Firefox\Profiles\lfjw5c8q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmnqmp07030901.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 16:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AFF62E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> 0x8aff62e0
\Driver\atapi -> atapi.sys @ 0xb9f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x012A14C00
malicious code @ sector 0x012A14C03 !
PE file found in sector at 0x012A14C19 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(5596)
c:\windows\system32\WININET.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\nvidia\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\nvidia\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\windows\RTHDCPL.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\nvidia\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-03 17:05:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-03 22:05
ComboFix2.txt 2010-03-01 15:27

Pre-Run: 35,377,475,584 bytes free
Post-Run: 35,299,168,256 bytes free

- - End Of File - - 03DA808DA68461AADC32006318706991

Back to Virus, Trojan, Spyware, and Malware Removal Help


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Help
  4. Privacy Policy
  5. Rules ·