GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-23 15:50:29 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17 ST3500418AS rev.CC46 465,76GB Running: bj9cef4v.exe; Driver: C:\DOCUME~1\Maciej\USTAWI~1\Temp\pxtdypow.sys ---- System - GMER 2.1 ---- SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwAddBootEntry [0xA42F5538] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xA4F8D7E4] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwConnectPort [0xA42F6AA6] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xA4F8D44A] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwCreateKey [0xA42F5F78] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwCreateSection [0xA42F6726] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xA4F8FF9E] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwCreateThread [0xA42F4DC0] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwDeleteBootEntry [0xA42F55A4] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwDeleteFile [0xA42F5C80] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xA4F8D9D0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xA4F8DBE8] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwDeviceIoControlFile [0xA42F4E9C] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwDuplicateObject [0xA42F51DC] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xA4F8E82A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xA4F8EA80] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwFsControlFile [0xA42F5C20] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwImpersonateClientOfPort [0xA42F5BE6] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwImpersonateThread [0xA42F5BA4] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwLoadDriver [0xA42F74CE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xA4F8D058] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwMapViewOfSection [0xA42F5E7C] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwModifyBootEntry [0xA42F556E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xA4F8D626] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xA4F8E030] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwOpenProcess [0xA42F68B4] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwOpenSection [0xA42F62A0] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwOpenThread [0xA42F699A] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwProtectVirtualMemory [0xA42F6364] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xA4F8EC8E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xA4F8F0E2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryValueKey [0xA4F8EEA0] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwQueueApcThread [0xA42F4F5A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xA4F8E5B2] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwReplaceKey [0xA42F56C6] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwRequestWaitReplyPort [0xA42F7874] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwRestoreKey [0xA42F5610] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwSecureConnectPort [0xA42F6B9A] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwSetBootOptions [0xA42F55DA] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwSetContextThread [0xA42F4FBE] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwSetInformationFile [0xA42F5CE6] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xA4F8DE54] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwSetSystemInformation [0xA42F65FE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xA4F8E30A] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwShutdownSystem [0xA42F54F0] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwSystemDebugControl [0xA42F5030] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwTerminateProcess [0xA4301C60] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwTerminateThread [0xA4301C83] SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys ZwWriteVirtualMemory [0xA42F7588] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2CD1 805045C9 11 Bytes [55, 2F, A4, 80, 5C, 2F, A4, ...] {PUSH EBP; DAS ; MOVSB ; SBB BYTE [EDI+EBP-0x5c], 0xd0; FPREM ; MOVSB } .text ntkrnlpa.exe!ZwCallbackReturn + 2CE0 805045D8 8 Bytes [E8, DB, F8, A4, 9C, 4E, 2F, ...] {CALL 0x9ca4f8e0; DEC ESI; DAS ; MOVSB } .text ntkrnlpa.exe!ZwCallbackReturn + 2CF8 805045F0 4 Bytes CALL EB1CEAED .text ntkrnlpa.exe!ZwCallbackReturn + 2D00 805045F8 4 Bytes [80, EA, F8, A4] {SUB DL, 0xf8; MOVSB } .text ntkrnlpa.exe!ZwCallbackReturn + 2EDD 805047D5 7 Bytes [E5, F8, A4, C6, 56, 2F, A4] .Shltr1 C:\Program Files\SpyShelter Personal Free\SpyShelter.sys entry point in ".Shltr1" section [0xA43320C5] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\Explorer.EXE[148] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\Explorer.EXE[148] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\Explorer.EXE[148] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\Explorer.EXE[148] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\Explorer.EXE[148] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\Explorer.EXE[148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\Explorer.EXE[148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\Explorer.EXE[148] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\Explorer.EXE[148] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\Explorer.EXE[148] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\Explorer.EXE[148] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\Explorer.EXE[148] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\Explorer.EXE[148] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[284] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[284] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[284] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[284] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[284] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[284] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[284] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[284] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[284] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[284] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[284] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\csrss.exe[812] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 10001450 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\csrss.exe[812] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 100017F0 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\services.exe[884] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\services.exe[884] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\services.exe[884] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\services.exe[884] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\services.exe[884] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\services.exe[884] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\services.exe[884] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\services.exe[884] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F870 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\services.exe[884] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\services.exe[884] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\services.exe[884] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\services.exe[884] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\lsass.exe[896] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\lsass.exe[896] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\lsass.exe[896] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\lsass.exe[896] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\lsass.exe[896] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\lsass.exe[896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\lsass.exe[896] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\lsass.exe[896] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\lsass.exe[896] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\lsass.exe[896] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\lsass.exe[896] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F870 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1052] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F870 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1108] rpcss.dll!WhichService 76A64234 8 Bytes JMP EDF01001 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1140] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00534850 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1140] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0054ECA0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1172] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F870 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1172] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1172] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1172] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1172] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1316] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1316] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1316] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1316] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1340] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1340] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1340] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1340] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\spoolsv.exe[1580] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\spoolsv.exe[1580] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\spoolsv.exe[1580] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\spoolsv.exe[1580] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\spoolsv.exe[1580] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\spoolsv.exe[1580] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\spoolsv.exe[1580] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[1632] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00780630 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe .text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1732] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1732] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1732] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1732] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1732] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1732] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1764] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1764] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1764] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1764] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1764] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1764] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1764] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1764] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1764] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1764] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1764] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[1788] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[1788] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[1788] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[1788] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[1788] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[1788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[1788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[1788] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[1788] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[1788] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[1788] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[1788] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[1788] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[1992] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[1992] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[1992] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[1992] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[1992] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[1992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[1992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[1992] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[1992] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[1992] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[1992] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[1992] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[1992] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[2972] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[2972] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[2972] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[2972] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[2972] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[2972] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[2972] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[2972] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[2972] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[2972] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[2972] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[2972] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wuauclt.exe[2972] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text D:\BEZPIECZEŃSTWO\GMER\bj9cef4v.exe[3288] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text D:\BEZPIECZEŃSTWO\GMER\bj9cef4v.exe[3288] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text D:\BEZPIECZEŃSTWO\GMER\bj9cef4v.exe[3288] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text D:\BEZPIECZEŃSTWO\GMER\bj9cef4v.exe[3288] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text D:\BEZPIECZEŃSTWO\GMER\bj9cef4v.exe[3288] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text D:\BEZPIECZEŃSTWO\GMER\bj9cef4v.exe[3288] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text D:\BEZPIECZEŃSTWO\GMER\bj9cef4v.exe[3288] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text D:\BEZPIECZEŃSTWO\GMER\bj9cef4v.exe[3288] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text D:\BEZPIECZEŃSTWO\GMER\bj9cef4v.exe[3288] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text D:\BEZPIECZEŃSTWO\GMER\bj9cef4v.exe[3288] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text D:\BEZPIECZEŃSTWO\GMER\bj9cef4v.exe[3288] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text D:\BEZPIECZEŃSTWO\GMER\bj9cef4v.exe[3288] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text D:\BEZPIECZEŃSTWO\GMER\bj9cef4v.exe[3288] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro\Configurations@Signature 0xCC 0x13 0x97 0x83 ... Reg HKLM\SOFTWARE\Classes\CLSID\{F5F9B44C-528A-26D3-B2CE-1730ACC8FD16}\mlyaWLf@ fhNcjn?z|QFN[M^nd|hjZjcBHlE Reg HKLM\SOFTWARE\Classes\CLSID\{F5F9B44C-528A-26D3-B2CE-1730ACC8FD16}\ugqf@ ^M\\AhdspC^][zc ---- Files - GMER 2.1 ---- File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\96D12774-6FF3-4243-8658-BA678CA8F9D5.data.info 98 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3952A866-6290-42F8-B1D6-431138065860.data 4369970 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\3952A866-6290-42F8-B1D6-431138065860.data.info 238 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\528E7232-B2E1-4380-8739-7EFA89803925.data.info 174 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\59264A47-2C04-4756-A2EE-477D3FE179D9.data 1280201 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\59264A47-2C04-4756-A2EE-477D3FE179D9.data.info 238 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\613651A8-A230-4B59-B761-BFF3E51511A1.data 1210344 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\613651A8-A230-4B59-B761-BFF3E51511A1.data.info 218 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\96D12774-6FF3-4243-8658-BA678CA8F9D5.data 1280201 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\D37999FA-C62E-4A53-B242-1BA83A1B1FE7.data.info 292 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E8186609-62FA-4ADA-9726-C7EDDD22B322.data 4369970 bytes executable File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\E8186609-62FA-4ADA-9726-C7EDDD22B322.data.info 130 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F7761091-EE32-4502-BF58-DA02532DEA01.data 1230132 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\F7761091-EE32-4502-BF58-DA02532DEA01.data.info 240 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\Cookies 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\History 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\History\History.IE5 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\Temporary Internet Files 0 bytes File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\Temporary Internet Files\Content.IE5 0 bytes ---- EOF - GMER 2.1 ----