GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-14 14:49:03
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK8032GAX rev.AD002D 74,53GB
Running: urqi5w7v.exe; Driver: C:\DOCUME~1\azer\LOCALS~1\Temp\uwtcapow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xB54027E4]
SSDT BA74E06C ZwClose
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xB5401D90]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xB540244A]
SSDT BA74E026 ZwCreateKey
SSDT BA74E076 ZwCreateSection
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xB5404F9E]
SSDT BA74E01C ZwCreateThread
SSDT BA74E02B ZwDeleteKey
SSDT BA74E035 ZwDeleteValueKey
SSDT BA74E067 ZwDuplicateObject
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xB540382A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xB5403A80]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xB5404652]
SSDT BA74E03A ZwLoadKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xB5402058]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xB5402626]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xB5403030]
SSDT BA74E008 ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xB54022F2]
SSDT BA74E00D ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xB5403C8E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xB54040E2]
SSDT BA74E08F ZwQueryValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xB54035B2]
SSDT BA74E044 ZwReplaceKey
SSDT BA74E080 ZwRequestWaitReplyPort
SSDT BA74E03F ZwRestoreKey
SSDT BA74E07B ZwSetContextThread
SSDT BA74E085 ZwSetSecurityObject
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xB540493E]
SSDT BA74E030 ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xB5401FC2]
SSDT BA74E08A ZwSystemDebugControl
SSDT BA74E017 ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0xB5401980]

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9964000, 0x1C5D58, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\spoolsv.exe[280] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[280] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[280] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[280] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[280] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[280] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[280] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[280] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[280] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[280] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[280] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\SCardSvr.exe[320] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\SCardSvr.exe[320] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\SCardSvr.exe[320] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\SCardSvr.exe[320] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\SCardSvr.exe[320] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\SCardSvr.exe[320] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\SCardSvr.exe[320] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\SCardSvr.exe[320] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\SCardSvr.exe[320] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\SCardSvr.exe[320] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\SCardSvr.exe[320] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\SCardSvr.exe[320] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\SCardSvr.exe[320] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[404] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[404] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[404] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[404] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[404] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[404] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[404] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[404] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[404] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[404] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[404] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[600] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[600] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[600] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[600] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[600] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[600] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[600] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[600] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[600] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[600] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[600] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[600] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[600] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] RPCRT4.dll!RpcServerRegisterIfEx 77E6CD73 5 Bytes JMP 1001F870 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[636] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] RPCRT4.dll!RpcServerRegisterIfEx 77E6CD73 5 Bytes JMP 1001F870 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[712] rpcss.dll!WhichService 76874234 8 Bytes JMP EDF01001
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[788] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 00534850 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[788] ntdll.dll!NtCreateFile 7C91D0AE 5 Bytes JMP 0054ECA0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text C:\WINDOWS\system32\Ati2evxx.exe[816] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[816] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[816] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[816] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[816] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[816] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[816] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[816] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[816] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[816] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[816] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\Ati2evxx.exe[816] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\csrss.exe[884] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 10001450 C:\WINDOWS\system32\cmdcsr.dll
.text C:\WINDOWS\system32\csrss.exe[884] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 100017F0 C:\WINDOWS\system32\cmdcsr.dll
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[956] RPCRT4.dll!RpcServerRegisterIfEx 77E6CD73 5 Bytes JMP 1001F870 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[956] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[956] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[956] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[956] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[964] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[964] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[964] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[964] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[964] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[964] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[964] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[964] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[964] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[964] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre6\bin\jqs.exe[964] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] RPCRT4.dll!RpcServerRegisterIfEx 77E6CD73 5 Bytes JMP 1001F870 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[1104] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[1116] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[1116] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[1116] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[1116] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[1116] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[1116] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[1116] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[1116] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[1116] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[1116] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[1116] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1296] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1296] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1296] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1296] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1296] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1296] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1296] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1296] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1296] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1296] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1296] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1296] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1420] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1420] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1420] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1420] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1464] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1464] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1464] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1464] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1464] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1464] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1464] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1464] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1464] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1464] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1708] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1708] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1708] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1708] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1708] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1708] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1708] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1708] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1708] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1708] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1708] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1708] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1708] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe[1788] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe[1788] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe[1788] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe[1788] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe[1788] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe[1788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe[1788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe[1788] advapi32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe[1788] advapi32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe[1788] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe[1788] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe[1788] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Faronics\Deep Freeze\Install C-0\DFServ.exe[1788] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1828] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 0288D120 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1828] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 0289BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1828] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 0289B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1828] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 02897F40 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1828] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 0288D240 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02895070 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02895C00 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1828] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 02893BA0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1828] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 028944D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1828] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 02898D10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1828] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 02898AE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1828] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 02899E10 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[1828] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 02899D10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\azer\Bureau\urqi5w7v.exe[1856] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\azer\Bureau\urqi5w7v.exe[1856] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\azer\Bureau\urqi5w7v.exe[1856] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\azer\Bureau\urqi5w7v.exe[1856] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\azer\Bureau\urqi5w7v.exe[1856] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\azer\Bureau\urqi5w7v.exe[1856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\azer\Bureau\urqi5w7v.exe[1856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\azer\Bureau\urqi5w7v.exe[1856] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\azer\Bureau\urqi5w7v.exe[1856] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\azer\Bureau\urqi5w7v.exe[1856] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\azer\Bureau\urqi5w7v.exe[1856] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\azer\Bureau\urqi5w7v.exe[1856] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\azer\Bureau\urqi5w7v.exe[1856] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1864] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1864] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1864] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1864] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1864] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1864] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1864] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1864] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1864] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1864] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1864] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1892] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120
C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1892] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1892] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1892] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1892] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1892] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1892] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1892] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1892] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1892] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1892] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\svchost.exe[1892] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2292] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2292] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2292] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 
1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2292] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2292] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2292] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2292] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2292] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2292] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2292] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2292] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\COMODO\COMODO Internet Security\cfp.exe[2816] ntdll.dll!NtAllocateVirtualMemory 7C91CF6E 5 Bytes JMP 00780630 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe .text C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe[2856] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe[2856] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Faronics\Deep Freeze\Install 
C-0\_$Df\FrzState2k.exe[2856] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe[2856] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe[2856] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe[2856] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe[2856] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe[2856] advapi32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe[2856] advapi32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe[2856] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe[2856] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe[2856] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe[2856] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Mozilla 
Firefox\firefox.exe[3048] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 015EDFF0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01D79796 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01D79773 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] kernel32.dll!ValidateLocale + B1C8 7C8449C8 7 Bytes JMP 015F5F1A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] GDI32.dll!SetDIBitsToDevice + 20A 77EF9E14 7 Bytes JMP 01D796F4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] GDI32.dll!CreateDCW 
77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3048] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3068] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3068] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3068] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3068] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3068] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3068] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3068] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3068] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3068] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text 
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3068] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3068] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[3100] ntdll.dll!NtClose 7C91CFEE 5 Bytes JMP 1001D120 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[3100] ntdll.dll!NtReplyWaitReceivePort 7C91DA8E 5 Bytes JMP 1002BCD0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[3100] ntdll.dll!NtReplyWaitReceivePortEx 7C91DA9E 5 Bytes JMP 1002B9B0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[3100] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 10027F40 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[3100] ntdll.dll!LdrUnloadDll 7C9271CD 5 Bytes JMP 1001D240 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[3100] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10025070 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[3100] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 10025C00 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[3100] GDI32.dll!DeleteDC 77EF6E5F 5 Bytes JMP 10028D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[3100] GDI32.dll!GetPixel 77EFB74C 5 Bytes JMP 10028AE0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[3100] GDI32.dll!CreateDCA 77EFB7D2 5 Bytes JMP 10029E10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[3100] GDI32.dll!CreateDCW 77EFBE38 5 Bytes JMP 10029D10 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[3100] ADVAPI32.dll!CreateProcessAsUserW 77DBA8A9 5 Bytes JMP 10023BA0 C:\WINDOWS\system32\guard32.dll .text C:\WINDOWS\System32\alg.exe[3100] ADVAPI32.dll!CreateProcessAsUserA 77DE0CE8 5 Bytes JMP 100244D0 C:\WINDOWS\system32\guard32.dll ---- Devices - GMER 2.1 ---- 
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 DeepFrz.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 ntkrnlpa.exe
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 mouclass.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 DeepFrz.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 ntkrnlpa.exe
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 mouclass.sys
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys

---- Processes - GMER 2.1 ----

Process (*** hidden *** ) [4] 8A683830

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 1056
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\cleanup.old??\??\C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)??
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@VideoInitTime 3484
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@Tag 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@ImagePath \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@DisplayName mbamchameleon
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@Protected C:\Documents and Settings\azer\Bureau\mbar\
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@ProtectedRegistry \REGISTRY\MACHINE\SYSTEM\CONTROLSET*\SERVICES\MBAMCHAMELEON\*?
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@RefCount 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon@ProtectedPaths \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\?
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon\Instances
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon\Instances@DefaultInstance mbamchameleon Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon\Instances\mbamchameleon Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon\Instances\mbamchameleon Instance@Altitude 400900
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon\Instances\mbamchameleon Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\mbamchameleon
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Type 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Tag 5
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@ImagePath \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@DisplayName MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@Group FSFilter Activity Monitor
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@LogFileName \??\C:\Documents and Settings\azer\Bureau\mbar\system-log.txt
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@LogLevel 5
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy@DeleteFlag 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances@DefaultInstance MBAMSwissArmy Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance@Flags 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\MBAMSwissArmy
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1141
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}@LeaseObtainedTime 1381751662
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}@T1 1381766062
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}@T2 1381776862
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}@LeaseTerminatesTime 1381780462
Reg HKLM\SYSTEM\CurrentControlSet\Services\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}\Parameters\Tcpip@LeaseObtainedTime 1381751662
Reg HKLM\SYSTEM\CurrentControlSet\Services\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}\Parameters\Tcpip@T1 1381766062
Reg HKLM\SYSTEM\CurrentControlSet\Services\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}\Parameters\Tcpip@T2 1381776862
Reg HKLM\SYSTEM\CurrentControlSet\Services\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}\Parameters\Tcpip@LeaseTerminatesTime 1381780462
Reg HKLM\SYSTEM\ControlSet002\Control\Lsa@LsaPid 1056
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@PendingFileRenameOperations \??\C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\cleanup.old??\??\C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)??
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\Memory Management\PrefetchParameters@VideoInitTime 3484
Reg HKLM\SYSTEM\ControlSet002\Control\Watchdog\Display@ShutdownCount 278
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System@EventMessageFile %systemroot%\system32\stisvc.exe
Reg HKLM\SYSTEM\ControlSet002\Services\mbamchameleon@RefCount 1
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy@Type 2
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy@Start 4
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy@Tag 1
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy@ImagePath system32\drivers\MBAMSwissArmy.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy@DisplayName MBAMSwissArmy
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy@Group System Reserved
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy@LogFileName \??\C:\Documents and Settings\azer\Bureau\mbar\system-log.txt
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy@LogLevel 5
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy@DeleteFlag 1
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy\Instances (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy\Instances@DefaultInstance MBAMSwissArmy Instance
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy\Instances\MBAMSwissArmy Instance@Flags 0
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\MBAMSwissArmy\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Epoch@Epoch 1134
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters@DhcpNameServer 109.88.203.3 62.197.111.140
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}@LeaseObtainedTime 1381750542
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}@T1 1381764942
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}@T2 1381775742
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}@LeaseTerminatesTime 1381779342
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}@DhcpNameServer 109.88.203.3 62.197.111.140
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}@DhcpDefaultGateway 213.213.229.1?
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}@DhcpSubnetMaskOpt 255.255.255.0?
Reg HKLM\SYSTEM\ControlSet002\Services\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}\Parameters\Tcpip@LeaseObtainedTime 1381750542
Reg HKLM\SYSTEM\ControlSet002\Services\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}\Parameters\Tcpip@T1 1381764942
Reg HKLM\SYSTEM\ControlSet002\Services\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}\Parameters\Tcpip@T2 1381775742
Reg HKLM\SYSTEM\ControlSet002\Services\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}\Parameters\Tcpip@LeaseTerminatesTime 1381779342
Reg HKLM\SYSTEM\ControlSet002\Services\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}\Parameters\Tcpip@DhcpDefaultGateway 213.213.229.1?
Reg HKLM\SYSTEM\ControlSet002\Services\{1EBCC4F6-A20A-464E-BF43-5CC86F4611E9}\Parameters\Tcpip@DhcpSubnetMaskOpt 255.255.255.0?
Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro\Data@Timestamp.{1861B42B-B05F-47B8-8566-BEE85A4D4FDC} 0x2E 0xD7 0x5B 0x52 ...
Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro\Data@Timestamp.{B7F04E87-441A-4F26-BE21-C4339F539F87} 0x8A 0xDB 0x5B 0x52 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo -1189570024
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30329043
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo -1189570024
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30329043
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1957994488-1604221776-725345543-1003\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo -1189570024
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1957994488-1604221776-725345543-1003\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30329043
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1957994488-1604221776-725345543-1003\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo -1189413774
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-1957994488-1604221776-725345543-1003\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30329043
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce@ (A0) cmd /c "C:\Documents and Settings\azer\Bureau\mbar\mbar.exe" /rdv /s
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@NextSqmReportTime 2013-10-14 11:52:24
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@OfflineDetectionPending 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@StartTime 2013/10/14-13:51:29
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 25
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful 25
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19@ProfileLoadTimeLow -1223163774
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19@ProfileLoadTimeHigh 30329043
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19@RefCount 2
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20@ProfileLoadTimeLow -1268476274
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20@ProfileLoadTimeHigh 30329043
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1957994488-1604221776-725345543-1003@ProfileLoadTimeLow -1250976274
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1957994488-1604221776-725345543-1003@ProfileLoadTimeHigh 30329043
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1957994488-1604221776-725345543-1003@RefCount 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer@CleanShutdown 1
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3\Shell@ScrollPos1280x768(1).y 0

---- EOF - GMER 2.1 ----