GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-08-24 07:36:20
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS424040M9AT00 rev.MA2OA71A 37,26GB
Running: urtys3uj.exe; Driver: C:\DOCUME~1\LAPTOP~1\USTAWI~1\Temp\uxtdqpoc.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xB27937E4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xB2792D90]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xB279344A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateKey [0xB2794040]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0xB2795C20]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xB2795F9E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0xB279277C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xB27939D0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xB2793BE8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDuplicateObject [0xB2792582]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xB279482A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xB2794A80]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xB2795652]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xB2793058]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xB2793626]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xB2794030]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenProcess [0xB27921B0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xB27932F2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenThread [0xB27923B4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xB2794C8E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xB27950E2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryValueKey [0xB2794EA0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xB27945B2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xB2793E54]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xB279593E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xB279430A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xB2792FC2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0xB27931DE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess [0xB2792B92]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0xB2792980]

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!_abnormal_termination + 150 804E2724 4 Bytes [E8, 3B, 79, B2]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\System32\alg.exe[196] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[196] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[196] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[196] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[196] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[196] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[196] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[196] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[196] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[196] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[196] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[196] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[196] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[540] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[540] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[540] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[540] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[540] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[540] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\csrss.exe[668] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 10001450 C:\WINDOWS\system32\cmdcsr.dll
.text C:\WINDOWS\system32\csrss.exe[668] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 100017F0 C:\WINDOWS\system32\cmdcsr.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[716] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00780630 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
.text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[824] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[824] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[824] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[824] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[824] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F870 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[924] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[936] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[936] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[936] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[936] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[936] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[936] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[936] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[980] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[980] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[980] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[980] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F870 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1088] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F870 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1184] rpcss.dll!WhichService 76A64234 8 Bytes JMP EDF01001
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1240] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00534850 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1240] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0054ECA0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1280] RPCRT4.dll!RpcServerRegisterIfEx 77E8CD53 5 Bytes JMP 1001F870 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1280] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1280] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1280] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1280] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1536] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1536] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1536] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1536] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1536] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1536] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1536] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1536] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1536] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1616] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1616] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1616] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1616] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1616] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1616] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1616] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1616] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1616] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1616] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1616] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1616] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1616] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1628] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1628] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1628] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1628] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1628] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\wscntfy.exe[1824] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\wscntfy.exe[1824] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\wscntfy.exe[1824] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\wscntfy.exe[1824] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\wscntfy.exe[1824] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\wscntfy.exe[1824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\wscntfy.exe[1824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\wscntfy.exe[1824] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\wscntfy.exe[1824] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\wscntfy.exe[1824] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\wscntfy.exe[1824] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\wscntfy.exe[1824] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\wscntfy.exe[1824] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1896] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1896] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1896] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1896] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1896] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1896] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1896] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1896] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1896] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1896] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1896] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[2068] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[2068] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[2068] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[2068] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[2068] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[2068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[2068] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[2068] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[2068] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[2068] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[2068] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 c:\windows\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[2068] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 c:\windows\system32\guard32.dll
.text C:\Documents and Settings\laptop compaq\Pulpit\urtys3uj.exe[2676] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\laptop compaq\Pulpit\urtys3uj.exe[2676] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\laptop compaq\Pulpit\urtys3uj.exe[2676] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\laptop compaq\Pulpit\urtys3uj.exe[2676] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\laptop compaq\Pulpit\urtys3uj.exe[2676] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\laptop compaq\Pulpit\urtys3uj.exe[2676] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\laptop compaq\Pulpit\urtys3uj.exe[2676] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\laptop compaq\Pulpit\urtys3uj.exe[2676] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\laptop compaq\Pulpit\urtys3uj.exe[2676] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\laptop compaq\Pulpit\urtys3uj.exe[2676] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\laptop compaq\Pulpit\urtys3uj.exe[2676] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\laptop compaq\Pulpit\urtys3uj.exe[2676] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\laptop compaq\Pulpit\urtys3uj.exe[2676] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AFPAnsi.sys
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys

---- Files - GMER 2.1 ----

File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4A42B8DB-104D-43FA-8D42-F886AD8CF630.data 13 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\4A42B8DB-104D-43FA-8D42-F886AD8CF630.data.info 84 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\74CA15F2-82AD-4A04-9A37-E859D53E8CDF.data 2838480 bytes executable
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\74CA15F2-82AD-4A04-9A37-E859D53E8CDF.data.info 346 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B7AD1E00-6A50-445B-978C-7D22C93BE366.data 427088 bytes executable
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\B7AD1E00-6A50-445B-978C-7D22C93BE366.data.info 242 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BA972760-77E7-42B5-B172-EC309E22705B.data 10320 bytes executable
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\BA972760-77E7-42B5-B172-EC309E22705B.data.info 238 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp 0 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd 0 bytes
File C:\WINDOWS\hide.conf 13 bytes

---- EOF - GMER 2.1 ----