trojware.win32.rootkit.podnuha.~L@1604959 [Closed]


  • This topic is locked

#1 gszamora (Member, 20 posts)
Hi,

I was getting lots of pop-ups recently and a friend advised to install COMODO antivirus. The pop-ups are gone, but I can't get rid of something called trojware.win32.rootkit.podnuha.~L@1604959. I've been through some posts here but as I am not terribly computer savvy (from the older generation), I need some guidance in helping me to remove this. The warning from COMODO comes up after I turn on my computer and click on Internet Explorer. I click the removal button, then I reboot as asked, and the problem starts all over again when I click on Internet Explorer. If I do not reboot, and go to my home page, the warning comes up at random.

Thanks in advance!!

George

#2 handhfan (Trusted Helper, Expert, 13,659 posts)
Hello, gszamora, and welcome to GeeksToGo! Before I can help you, please do the following:

Please follow the steps in this topic, and post back with a HijackThis log and an MBAM (Malwarebytes' Anti-Malware) log if you are still having problems, and I will look over the logs for you. :)

#3 gszamora (Topic Starter, Member, 20 posts)
Hi Handhfan,

Thanks for your help!!! I ran the programs you suggested and still cannot get rid of the win32.rootkit.podnuha. It is still popping up when I click on Internet Explorer and at random as I work online. Here is the log from HijackThis, followed by the uninstall list. Thank you again for all your help!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:57 PM, on 1/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69D289F8-9346-4182-BEBA-03EA0E8D62F4} - c:\windows\system32\ktgsues.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {843B0AFC-DCF5-4231-83E1-80C6D615C2EF} - C:\WINDOWS\system32\cewmdms.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1155865080843
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Toolbar) - http://us.dl1.yimg.c...ebio5_1_5_0.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: hvnjdolb - C:\WINDOWS\SYSTEM32\ktgsues.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8528 bytes

And, here's the uninstall list...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:50 PM, on 1/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69D289F8-9346-4182-BEBA-03EA0E8D62F4} - c:\windows\system32\ktgsues.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {843B0AFC-DCF5-4231-83E1-80C6D615C2EF} - C:\WINDOWS\system32\cewmdms.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1155865080843
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/...mjolauncher.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Toolbar) - http://us.dl1.yimg.c...ebio5_1_5_0.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: hvnjdolb - C:\WINDOWS\SYSTEM32\ktgsues.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 8523 bytes
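A triage script for the log in the post above, added here as an example; it is not part of the original thread and not HijackThis's own analysis. The lines worth noticing in the posted log are the two O2 BHO entries reported as "(no name)" that load DLLs from system32 (ktgsues.dll, cewmdms.dll) and the O20 Winlogon Notify entry "hvnjdolb" that loads the same ktgsues.dll. A BHO loads into Internet Explorer when it starts, and a Winlogon Notify package loads into winlogon.exe at every boot, which lines up with the symptom described (alert on opening IE, entry back after a reboot). The script parses O2, O9 and O20 lines, cross-references the DLL names, and reports a DLL that hits more than one heuristic as the one to deal with first. The allowlist of stock Winlogon Notify DLLs and the heuristic names are this example's assumptions; the sample lines are copied from the log above.

```python
"""Triage the persistence entries in a HijackThis v2 log.

The heuristics below are this example's own, not HijackThis's:
  * an O2 BHO reported as "(no name)" that loads a DLL from \\system32\\
  * an O20 Winlogon Notify package whose DLL is not one of the stock XP
    notify DLLs (assumed allowlist, see STOCK_NOTIFY_DLLS)
  * a DLL registered both as a BHO and as a Winlogon Notify package:
    the BHO fires when Internet Explorer starts, the notify package loads
    into winlogon.exe at every boot, so each can restore the other
  * an O9 entry whose target is "(file missing)" (an orphan: noise, not malice)
"""
import ntpath
import re

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
MISSING_RE = re.compile(r"^O\d+ - .* - (?P<path>.+?) \(file missing\)$")

# Assumption: the DLLs that back the stock Windows XP Winlogon Notify subkeys
# (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn,
# termsrv, wlballoon). Anything else deserves a look.
STOCK_NOTIFY_DLLS = {"wlnotify.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll"}

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69D289F8-9346-4182-BEBA-03EA0E8D62F4} - c:\windows\system32\ktgsues.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {843B0AFC-DCF5-4231-83E1-80C6D615C2EF} - C:\WINDOWS\system32\cewmdms.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\WINDOWS\system32\guard32.dll C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: hvnjdolb - C:\WINDOWS\SYSTEM32\ktgsues.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def _base(path):
    """Case-folded file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path.strip()).lower()


def _in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return sorted (dll, reason) pairs for entries in the log worth a second look."""
    findings = set()
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append(m.groupdict())
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.add((_base(m["path"]), "orphaned entry, target file missing"))

    # DLL name -> Winlogon Notify subkey name, for cross-referencing against the BHOs
    notify_by_dll = {_base(n["path"]): n["key"] for n in notifies}

    for b in bhos:
        dll = _base(b["path"])
        if b["name"] == "(no name)" and _in_system32(b["path"]):
            findings.add((dll, "unnamed BHO loaded from system32"))
        if dll in notify_by_dll:
            findings.add((dll, "BHO DLL is also Winlogon Notify package '%s'" % notify_by_dll[dll]))

    for n in notifies:
        dll = _base(n["path"])
        if dll not in STOCK_NOTIFY_DLLS:
            findings.add((dll, "non-stock Winlogon Notify package '%s'" % n["key"]))

    return sorted(findings)


def reinfection_candidates(log_text):
    """DLLs that hit more than one heuristic: the ones to target first."""
    hits = {}
    for dll, _ in triage(log_text):
        hits[dll] = hits.get(dll, 0) + 1
    return sorted(d for d, n in hits.items() if n > 1)


if __name__ == "__main__":
    for dll, reason in triage(SAMPLE_LOG):
        print("%-20s %s" % (dll, reason))
    print("fix first:", reinfection_candidates(SAMPLE_LOG))
```

On the posted log this reports ktgsues.dll three times (unnamed BHO, non-stock Winlogon Notify package, and the same DLL in both roles), cewmdms.dll once, and the orphaned PartyPoker.net button as noise. The named Adobe, Java and Google BHOs and the O23 services are not flagged. Note that a Winlogon Notify DLL is loaded by winlogon.exe, so the file is typically in use whenever the system is up; that is why a delete-and-reboot cycle from an on-access scanner, as described in the first post, can leave the entry in place.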

#4 handhfan (Trusted Helper, Expert, 13,659 posts)
Download GMER from here:

  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results (if any) into this thread.


#5 gszamora (Topic Starter, Member, 20 posts)
Hi,

Here are the results from GMER; by the way, I ran the scan twice, as the first time I ran it I got a "blue screen warning" and my computer shut off. Is this normal? I was able to run it with no problems the second time. Thanks again for all your help!!!

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-01 09:31:55
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xF6BA6906]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xF6BA5E66]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xF6BA64C2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xF6BA70D0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xF6BA5BC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xF6BA7DC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xF6BA6AEC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xF6BA5796]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xF6BA6D3A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xF6BA6EEA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xF6BA54F8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xF6BA7A42]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xF6BA60AC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xF6BA66FA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xF6BA5228]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xF6BA633C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xF6BA53A0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xF6BA7496]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xF6BA5CDE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xF6BA77FA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xF6BA7BF0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xF6BA7296]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xF6BA6046]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xF6BA6230]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xF6BA5A8A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xF6BA5958]

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 40C 804E2A68 1 Byte [ F0 ]
.text ntoskrnl.exe!_abnormal_termination + 40E 804E2A6A 2 Bytes [ BA, F6 ]
PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 3D 805683FA 7 Bytes JMP 837D3178

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\System32\svchost.exe[316] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[316] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[316] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[316] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[316] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[316] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[316] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[316] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[316] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[316] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[316] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[612] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[612] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[612] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[612] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[612] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[612] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\DSentry.exe[612] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[612] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[612] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[612] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[612] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[660] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[660] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[660] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[660] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[660] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[660] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[660] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[660] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[660] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[660] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[660] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\winlogon.exe[692] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\services.exe[736] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[756] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[756] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[756] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[756] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[756] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[756] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[756] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[756] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[756] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\lsass.exe[756] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[756] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[780] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[780] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[780] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[780] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[780] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[780] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[780] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[780] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[780] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[780] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[780] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[884] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[884] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[884] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[884] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[884] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[884] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Windows Defender\MSASCui.exe[884] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[884] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[884] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[884] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[884] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[888] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[888] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[888] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[888] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[888] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[888] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[888] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[888] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[888] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[888] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[888] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[920] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[920] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[920] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[920] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[920] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[920] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[920] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[920] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[920] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\SafeSurf\cssurf.exe[928] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\SafeSurf\cssurf.exe[928] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\SafeSurf\cssurf.exe[928] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\SafeSurf\cssurf.exe[928] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\SafeSurf\cssurf.exe[928] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\SafeSurf\cssurf.exe[928] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\COMODO\SafeSurf\cssurf.exe[928] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\SafeSurf\cssurf.exe[928] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\SafeSurf\cssurf.exe[928] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\SafeSurf\cssurf.exe[928] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\SafeSurf\cssurf.exe[928] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[984] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 05052422 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] USER32.dll!MessageBoxA 7E4507EA 5 Bytes JMP 050523CC C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] USER32.dll!MessageBoxW 7E466534 5 Bytes JMP 050523F7 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1096] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1096] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1096] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1096] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1096] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1096] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1096] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1096] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1096] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1096] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1096] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1152] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1152] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1152] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1152] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[1152] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1152] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1268] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1268] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1268] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1268] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1268] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1268] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1268] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1268] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1268] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\ctfmon.exe[1268] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1268] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1296] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1296] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1296] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1296] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1296] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1296] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1296] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1296] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1296] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[1296] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1296] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1392] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1392] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1392] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1392] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1392] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1392] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1392] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1392] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1392] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[1392] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1392] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[1412] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[1412] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[1412] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[1412] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[1412] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[1412] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[1412] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[1412] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[1412] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[1412] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[1412] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1500] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1500] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1500] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1500] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1500] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1500] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\spoolsv.exe[1500] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1500] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1500] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1500] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1500] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1776] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1776] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1776] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1776] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1776] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1776] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\Explorer.EXE[1776] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1776] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1776] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1776] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1776] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1876] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1876] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1876] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1876] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1876] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1876] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1876] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1876] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1876] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\cisvc.exe[1876] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1876] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1888] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 00395810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1888] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00395740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1888] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 003953D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1888] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 003916D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1888] USER32.dll!keybd_event 7E466783 5 Bytes JMP 00391550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1888] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00391860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1888] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00391230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1888] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 003913C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1888] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 47, 88 ]
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1888] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 003950E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1888] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 00395260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1920] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 00375810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1920] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00375740 C:\WINDOWS
  • 0

#6 handhfan (Trusted Helper, Expert, 13,659 posts)
Comodo is blocking everything. Can you try disabling Comodo and then run GMER again?

  • Right-click the System Tray Icon.
  • Select Exit.
  • On the Pop up window, Click the Yes button.

  • 0
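An added example, not code from this thread, from GMER or from COMODO: a small Python triage script for the two kinds of GMER entries that fill the logs above, the SSDT lines (kernel handler swapped by a driver) and the ".text ... JMP" lines (first bytes of an exported user-mode function overwritten with a jump). A 5-byte "JMP target" on x86 is an E9 rel32 instruction, so the script re-encodes it from the reported address and target and checks the "+ 3 ... [ 0E, 98 ]" continuation lines against it, then attributes every hook to the module that owns the jump target. The allow-list of "known" hooking modules is an assumption of this example (here COMODO's guard32.dll and cmdguard.sys); the sample lines are constructed by copying a few entries in the log's format, and the "unresolved" label for a hook whose target GMER could not map to a module is this script's own wording.

```python
"""Added example: triage of GMER hook entries in the format posted above.

GMER line shapes handled here:
  SSDT <driver> (<description>/<vendor>) <ZwFunction> [0x<handler>]
  .text <process>[<pid>] <dll>!<export> <addr> <n> Bytes JMP <target> <module>
  .text <process>[<pid>] <dll>!<export> + <off> <addr> <n> Bytes [ <hex>, <hex> ]
The third shape continues the patch reported on the line before it.
"""
import re
from collections import Counter
from ntpath import basename  # Windows path handling, works on any host

USER_HOOK = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<dll>\S+)!(?P<func>\S+)"
    r"(?: \+ (?P<off>\d+))? (?P<addr>[0-9A-F]{8}) (?P<n>\d+) Bytes "
    r"(?:JMP (?P<target>[0-9A-F]{8})(?: (?P<module>.+?))?(?: \([^)]*\))?"
    r"|\[ (?P<raw>[^\]]+?) \])$"
)
SSDT_HOOK = re.compile(
    r"^SSDT (?P<driver>\S+) \((?P<desc>[^)]*)\) (?P<func>\w+) \[0x(?P<addr>[0-9A-F]{8})\]$"
)


def jmp_rel32(addr: int, target: int) -> bytes:
    """Encode the 5-byte near jump (E9 rel32) that GMER prints as 'JMP <target>'.
    rel32 is relative to the end of the instruction, i.e. addr + 5."""
    rel = (target - (addr + 5)) & 0xFFFFFFFF
    return b"\xe9" + rel.to_bytes(4, "little")


def parse_gmer(lines):
    """Return (user_hooks, ssdt_hooks, orphans).

    A continuation line is folded into the preceding hook on the same pid and
    export; tail_ok records whether its bytes really are the tail of that
    hook's E9 jump. Raw-byte lines with no such preceding hook are orphans."""
    user, ssdt, orphans = [], [], []
    for line in (l.strip() for l in lines):
        m = USER_HOOK.match(line)
        if m and m["raw"] is None:
            user.append({"proc": m["proc"], "pid": int(m["pid"]), "dll": m["dll"],
                         "func": m["func"], "addr": int(m["addr"], 16),
                         "nbytes": int(m["n"]), "target": int(m["target"], 16),
                         "module": m["module"], "tail_ok": None})
        elif m:
            tail = bytes(int(b, 16) for b in m["raw"].split(","))
            off = int(m["off"] or 0)
            prev = user[-1] if user else None
            if prev and prev["pid"] == int(m["pid"]) and prev["func"] == m["func"]:
                expect = jmp_rel32(prev["addr"], prev["target"])[off:off + len(tail)]
                prev["tail_ok"] = tail == expect
            else:
                orphans.append(line)
        else:
            s = SSDT_HOOK.match(line)
            if s:
                ssdt.append({"driver": s["driver"], "desc": s["desc"],
                             "func": s["func"], "addr": int(s["addr"], 16)})
    return user, ssdt, orphans


def triage(lines, known_modules):
    """Count hooks per hooking module/driver and list everything not attributable
    to a module in known_modules (case-insensitive basenames): an unknown or
    unresolved target module, a continuation whose bytes do not match the
    reported jump, or an orphan raw-byte patch."""
    known = {k.lower() for k in known_modules}
    user, ssdt, orphans = parse_gmer(lines)
    by_module, unexplained = Counter(), []
    for h in user:
        mod = basename(h["module"]).lower() if h["module"] else "<unresolved>"
        by_module[mod] += 1
        if mod not in known or h["tail_ok"] is False:
            unexplained.append(f"{basename(h['proc'])}[{h['pid']}] {h['dll']}!{h['func']}"
                               f" -> {h['module'] or format(h['target'], '#010x')}")
    by_driver = Counter(basename(h["driver"]).lower() for h in ssdt)
    unexplained += [f"SSDT {h['func']} -> {h['driver']}" for h in ssdt
                    if basename(h["driver"]).lower() not in known]
    unexplained += [f"orphan patch: {o}" for o in orphans]
    return {"user": by_module, "ssdt": by_driver, "unexplained": unexplained}


# Constructed sample: a few entries copied in the format of the log above.
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xF72B54C2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xF72B4228]
.text C:\WINDOWS\system32\lsass.exe[756] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[756] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[756] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1888] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 003913C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1888] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 47, 88 ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[996] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 05052422 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
""".strip().splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, {"guard32.dll", "cmdguard.sys"})
    for mod, n in report["user"].most_common():
        print(f"{n:4d} user-mode hooks -> {mod}")
    for drv, n in report["ssdt"].most_common():
        print(f"{n:4d} SSDT hooks      -> {drv}")
    print("unexplained:", *report["unexplained"], sep="\n  ")
```

With only the two COMODO modules on the allow-list, every hook in the sample is accounted for except the ExitProcess hook into GoogleServices.DLL, which the triager then matches against the installed software (Google Desktop is in the process list) rather than the reported rootkit. The continuation check also explains why the same CreateDCW patch shows [ 0E, 98 ] in most processes but [ 47, 88 ] in cmdagent.exe: guard32.dll was loaded at 0x10000000 in the former and at 0x00390000 in the latter, so the rel32 of the jump, and therefore its last two bytes, differs while the target is still inside guard32.dll.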

#7 gszamora (Member, Topic Starter, 20 posts)
Disabled COMODO and ran GMER. Here's the result and once again, thank you so much!!!

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-02 18:31:22
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xF72B5906]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xF72B4E66]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xF72B54C2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xF72B60D0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xF72B4BC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xF72B6DC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xF72B5AEC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xF72B4796]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xF72B5D3A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xF72B5EEA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xF72B44F8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xF72B6A42]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xF72B50AC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xF72B56FA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xF72B4228]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xF72B533C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xF72B43A0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xF72B6496]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xF72B4CDE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xF72B67FA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xF72B6BF0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xF72B6296]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xF72B5046]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xF72B5230]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xF72B4A8A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xF72B4958]

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 3D 805683FA 7 Bytes JMP 837D3178

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\System32\svchost.exe[356] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[356] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[356] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[356] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[356] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[356] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[356] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[356] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[356] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[356] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[356] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[484] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[484] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[484] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[484] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[484] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[484] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\DSentry.exe[484] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[484] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[484] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[484] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\DSentry.exe[484] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[512] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[512] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[512] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[512] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[512] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[512] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[512] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[512] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[512] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[512] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe[512] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[520] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[520] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[520] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[520] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[520] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[520] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[520] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[520] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[520] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[520] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[520] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[528] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[528] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[528] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[528] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[528] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[528] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Windows Defender\MSASCui.exe[528] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[528] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[528] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[528] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MSASCui.exe[528] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[536] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[536] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[536] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[536] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[536] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[536] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[536] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[536] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[536] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[536] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[536] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[664] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[664] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[664] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[664] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[664] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[664] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[664] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[664] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[664] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\ctfmon.exe[664] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[664] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\winlogon.exe[692] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[692] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\services.exe[736] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[736] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[748] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[748] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[748] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[748] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[748] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[748] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[748] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[748] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[748] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\lsass.exe[748] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[748] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[908] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[908] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[908] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[908] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[908] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[908] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[960] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[960] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[960] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[960] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[960] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[960] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[960] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[960] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[960] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[960] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\FinePixViewerS\QuickDCF2.exe[960] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[976] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[1052] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[1052] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[1052] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[1052] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[1052] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[1052] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[1052] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[1052] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[1052] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[1052] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe[1052] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1072] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1072] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1072] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1072] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1072] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1072] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1072] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1072] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1072] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1072] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Windows Defender\MsMpEng.exe[1072] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1128] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1128] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1128] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1128] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1128] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1128] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1128] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1128] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[1128] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1128] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1288] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1288] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1288] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1288] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1288] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1288] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1288] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1288] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1288] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[1288] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1288] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1368] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1368] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1368] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1368] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1368] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1368] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1368] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[1368] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1368] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1492] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1492] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1492] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1492] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1492] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1492] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\spoolsv.exe[1492] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1492] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1492] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1492] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1492] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 05052422 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] USER32.dll!MessageBoxA 7E4507EA 5 Bytes JMP 050523CC C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] USER32.dll!MessageBoxW 7E466534 5 Bytes JMP 050523F7 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[1752] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1792] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1792] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1792] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1792] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1792] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1792] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\Explorer.EXE[1792] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1792] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1792] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1792] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1792] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1892] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1892] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1892] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1892] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1892] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1892] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1892] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1892] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1892] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\cisvc.exe[1892] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\cisvc.exe[1892] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10005260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1904] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 00395810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1904] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00395740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1904] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 003953D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1904] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 003916D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1904] USER32.dll!keybd_event 7E466783 5 Bytes JMP 00391550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1904] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00391860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1904] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00391230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1904] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 003913C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1904] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 47, 88 ]
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1904] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 003950E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1904] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 00395260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1952] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 00375810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1952] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00375740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1952] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 003753D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1952] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 003716D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1952] USER32.dll!keybd_event 7E466783 5 Bytes JMP 00371550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1952] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00371860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1952] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00371230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1952] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 003713C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1952] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [ 45, 88 ]
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1952] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 003750E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Executive Software\Diskeeper\DkService.exe[1952] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 00375260 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1992] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 10005810 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1992] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 10005740 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1992] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 100053D0 C:\WINDOWS\system32\guard32.
#8 handhfan (Trusted Helper, Expert, 13,659 posts)

  • Download OTListIt2 to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

The log for OTListIt2 will be very long and may not fit in one post. Please make sure that it didn't get cut off, and feel free to post the rest of it in a separate reply. :)
#9 gszamora (Topic Starter, Member, 20 posts)

Thanks as always for your help!! I am having some problems running OTList. While it's running, I get a pop-up from COMODO advising of rootkit.podnuha and that freezes OTList from continuing to run. I've tried 3 times and the pop-up keeps coming up.

Thanks!!!

G
#10 handhfan (Trusted Helper, Expert, 13,659 posts)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

Edited by handhfan, 08 February 2009 - 09:25 PM.

#11 gszamora (Topic Starter, Member, 20 posts)

Thank you as always for your help!! I downloaded combofix but am a little afraid to run it as I am unsure as to how to perform this:

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


Again, I'm not computer savvy so any help is truly appreciated.

Thanks!!
#12 handhfan (Trusted Helper, Expert, 13,659 posts)

This is how you would disable it. :) The warning there is for informational purposes. If you are still worried, we'll do it in Safe Mode. There will be no protection running there, and there will be no need for worries.

To boot into Safe Mode, restart your computer. Just before the Windows logo appears, press the F8 key. A list of options will appear. Select "Safe Mode."

Edited by handhfan, 14 February 2009 - 08:21 PM.

#13 gszamora (Topic Starter, Member, 20 posts)

Thanks again!! I ran it in safe mode and it kept telling me that COMODO was still running, so I completely deleted COMODO. Let me know if I should download it again as I'm starting to get pop-ups. Here's the Combofix results:

ComboFix 09-02-15.01 - Administrator 2009-02-16 14:57:45.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.483 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\George Zamora\Local Settings\Temporary Internet Files\research%20projects.doc
c:\program files\INSTALL.LOG

.
((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))
.

2009-02-16 14:41 . 2003-04-15 14:11 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-02-16 14:41 . 2009-02-16 14:41 <DIR> d-------- c:\documents and settings\Administrator
2009-02-06 17:52 . 2009-02-06 17:52 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2009-02-01 09:07 . 2009-02-02 18:14 250 --a------ c:\windows\gmer.ini
2009-01-31 10:27 . 2009-01-31 10:27 <DIR> d-------- c:\program files\American Airlines TravelDesk
2009-01-25 10:20 . 2009-01-25 10:20 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-01-25 10:20 . 2009-01-25 10:20 <DIR> d-------- c:\windows\SYSTEM32\en
2009-01-25 10:20 . 2009-01-25 10:20 <DIR> d-------- c:\windows\l2schemas
2009-01-25 09:21 . 2009-01-25 09:21 61,440 --a------ c:\windows\SYSTEM32\DRIVERS\ohgkd.sys
2009-01-25 09:02 . 2009-01-25 09:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 09:02 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-25 09:02 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-25 08:56 . 2009-01-25 08:58 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 19:53 --------- d-----w c:\program files\COMODO
2009-02-16 18:07 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-16 17:29 --------- d-----w c:\documents and settings\All Users\Application Data\_comodo_
2009-02-08 13:43 --------- d-----w c:\program files\Google
2009-02-06 22:52 --------- d-----w c:\program files\Java
2008-12-24 22:01 --------- d-----w c:\program files\Trend Micro
2003-06-25 03:38 16,051,496 -c--a-w c:\program files\AdbeRdr60_enu_full.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69D289F8-9346-4182-BEBA-03EA0E8D62F4}]
2002-08-29 05:00 105984 --a------ c:\windows\system32\ktgsues.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{843B0AFC-DCF5-4231-83E1-80C6D615C2EF}]
2008-11-12 18:31 120576 --a------ c:\windows\system32\cewmdms.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 213936]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-04-20 98304]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-06 136600]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-13 29744]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-12-03 278264]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2007-09-13 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hvnjdolb]
2002-08-29 05:00 105984 c:\windows\SYSTEM32\ktgsues.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-10-06 14:16 5058560 c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2004-04-20 21:46 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a--c--- 2004-11-12 12:24 106557 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2003-10-06 14:16 741376 c:\windows\SYSTEM32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ypvuknro;ypvuknro;c:\windows\SYSTEM32\DRIVERS\ypvuknro.sys [2002-08-29 23424]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-01-03 29744]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
lxgxaxhn
.
Contents of the 'Scheduled Tasks' folder

2009-02-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: airliners.net\www
Trusted Zone: cubagenweb.org\www
Trusted Zone: miami-dadeclerk.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 15:01:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-16 15:06:24 - machine was rebooted [George Zamora]
ComboFix-quarantined-files.txt 2009-02-16 20:05:33

Pre-Run: 46,670,675,968 bytes free
Post-Run: 45,927,350,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

142 --- E O F --- 2009-02-15 01:39:07
#14 handhfan (Trusted Helper, Expert, 13,659 posts)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
ypvuknro

File::
c:\windows\SYSTEM32\DRIVERS\ypvuknro.sys
c:\windows\system32\ktgsues.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hvnjdolb]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69D289F8-9346-4182-BEBA-03EA0E8D62F4}]
3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

#15 gszamora (Topic Starter, Member, 20 posts)

Hi!!! Thanks again for your help!! Following is the latest log:

ComboFix 09-02-19.01 - George Zamora 2009-02-21 7:57:39.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.385 [GMT -5:00]
Running from: c:\documents and settings\George Zamora\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\George Zamora\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\DRIVERS\ypvuknro.sys
c:\windows\system32\ktgsues.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\DRIVERS\ypvuknro.sys
c:\windows\system32\ktgsues.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YPVUKNRO
-------\Service_ypvuknro


((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-19 00:10 . 2009-02-21 07:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Comodo
2009-02-16 14:41 . 2003-04-15 14:11 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-02-16 14:41 . 2009-02-16 14:41 <DIR> d-------- c:\documents and settings\Administrator
2009-02-06 17:52 . 2009-02-06 17:52 410,984 --a------ c:\windows\SYSTEM32\deploytk.dll
2009-02-01 09:07 . 2009-02-02 18:14 250 --a------ c:\windows\gmer.ini
2009-01-31 10:27 . 2009-01-31 10:27 <DIR> d-------- c:\program files\American Airlines TravelDesk
2009-01-25 10:20 . 2009-01-25 10:20 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-01-25 10:20 . 2009-01-25 10:20 <DIR> d-------- c:\windows\SYSTEM32\en
2009-01-25 10:20 . 2009-01-25 10:20 <DIR> d-------- c:\windows\l2schemas
2009-01-25 09:21 . 2009-01-25 09:21 61,440 --a------ c:\windows\SYSTEM32\DRIVERS\ohgkd.sys
2009-01-25 09:02 . 2009-01-25 09:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 09:02 . 2009-01-14 16:11 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-01-25 09:02 . 2009-01-14 16:11 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-01-25 08:56 . 2009-01-25 08:58 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 12:54 --------- d-----w c:\program files\COMODO
2009-02-20 23:43 --------- d-----w c:\program files\Google
2009-02-20 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-16 17:29 --------- d-----w c:\documents and settings\All Users\Application Data\_comodo_
2009-02-06 22:52 --------- d-----w c:\program files\Java
2008-12-24 22:01 --------- d-----w c:\program files\Trend Micro
2003-06-25 03:38 16,051,496 -c--a-w c:\program files\AdbeRdr60_enu_full.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-02-16_15.04.10.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-21 13:01:33 16,384 ----atw c:\windows\temp\Perflib_Perfdata_8c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{843B0AFC-DCF5-4231-83E1-80C6D615C2EF}]
2008-11-12 18:31 120576 --a------ c:\windows\system32\cewmdms.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-03-20 213936]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-04-20 98304]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-06 136600]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-13 29744]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-12-03 278264]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2007-09-13 303104]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-10-06 14:16 5058560 c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2004-04-20 21:46 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a--c--- 2004-11-12 12:24 106557 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2003-10-06 14:16 741376 c:\windows\SYSTEM32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-01-03 29744]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - YPVUKNRO

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
lxgxaxhn
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: airliners.net\www
Trusted Zone: cubagenweb.org\www
Trusted Zone: miami-dadeclerk.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 08:01:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-21 8:05:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-21 13:05:16
ComboFix2.txt 2009-02-16 20:06:27

Pre-Run: 46,162,640,896 bytes free
Post-Run: 46,129,311,744 bytes free

140 --- E O F --- 2009-02-19 22:31:27