Thread: Please Check

  1. #1
    Join Date
    Dec 2007
    Posts
    107

    Please Check

    Spybot scanned before Windows startup. I really don't know if it has that capability nowadays, so I'm not sure if it's a routine check. I also don't know if this PC is infected, since it found no problem at all. Please check this log file to see if something is wrong. Thank you very much.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:04:24 AM, on 11/14/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Ahead\InCD\InCDsrv.exe
    D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\WINDOWS\system32\RunDll32.exe
    D:\Program Files\VDOTool\TBPanel.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    D:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\Program Files\Pando Networks\Media Booster\PMB.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\WINDOWS\system32\nvsvc32.exe
    D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\WINDOWS\system32\igfxsrvc.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [igfxtray] D:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] D:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] D:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Gainward] D:\Program Files\VDOTool\TBPanel.exe /A
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Pando Media Booster] D:\Program Files\Pando Networks\Media Booster\PMB.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - D:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 4517 bytes

  2. #2
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode. You'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    ******************************************************************************************
    Due to a bug in Malwarebytes, you may see the following entries in MBAM's log:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit)

    DO NOT remove those entries!
    If you do, your computer will become UN-bootable.
    The issue has been fixed in the latest MBAM update, so it's EXTREMELY important that you update MBAM before you run it.
    ****************************************************************************************

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right-click on HijackThis and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  3. #3
    Join Date
    Dec 2007
    Posts
    107

    No problems found

    I've scanned it using SUPERAntiSpyware & Malwarebytes. No problem was found. I'll post the logs below. Thank you very much.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/14/2009 at 02:54 PM

    Application Version : 4.29.1004

    Core Rules Database Version : 4271
    Trace Rules Database Version: 2154

    Scan type : Complete Scan
    Total Scan Time : 01:12:58

    Memory items scanned : 228
    Memory threats detected : 0
    Registry items scanned : 4273
    Registry threats detected : 0
    File items scanned : 30168
    File threats detected : 0

    Malwarebytes' Anti-Malware 1.41
    Database version: 3168
    Windows 5.1.2600 Service Pack 2

    11/14/2009 3:33:15 PM
    mbam-log-2009-11-14 (15-33-15).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 128058
    Time elapsed: 23 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  4. #4
    Join Date
    Dec 2007
    Posts
    107

    GMER log too long

    GMER 1.0.15.15220 - http://www.gmer.net
    Rootkit scan 2009-11-14 16:11:30
    Windows 5.1.2600 Service Pack 2
    Running: 78h30c7f.exe; Driver: D:\DOCUME~1\LEO37\LOCALS~1\Temp\ffriaaow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xEE2E3D46]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE0A76B8]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xEE2E3250]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xEE2E38EA]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE0A7574]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xEE2E3132]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xEE2E5254]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xEE2E552C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xEE2E2CF8]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xEE2E3F2C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE0A7A52]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEE0A714C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xEE2E4ED6]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xEE2E34D4]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xEE2E3B2E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE0A764E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEE0A708C]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xEE2E3764]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEE0A70F0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE0A776E]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xEE2E4688]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xEE2E49F0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE0A772E]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xEE2E4C72]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xEE2E5084]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE0A78AE]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xEE2E346E]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xEE2E3658]
    SSDT \??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE1640B0]
    SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xEE2E2ECA]
    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwYieldExecution + 113 804E4FD4 4 Bytes JMP 3EEE2E38

    ---- User code sections - GMER 1.0.15 ----

    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtAllocateVirtualMemory 7C90D4DE 5 Bytes JMP 10001950 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10008B30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 100018D0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 10001890 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 100019B0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtDeleteFile 7C90D88F 5 Bytes JMP 10001910 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtFreeVirtualMemory 7C90DA48 5 Bytes JMP 10001A30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtLoadDriver 7C90DB6E 5 Bytes JMP 10001970 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes JMP 100018F0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 10001930 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 100019D0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtUnloadDriver 7C90E8F7 5 Bytes JMP 10001990 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 100018B0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!RtlAllocateHeap 7C9105D4 5 Bytes JMP 10001A10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 10004550 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10008A60 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!LdrGetProcedureAddress 7C919B88 5 Bytes JMP 100019F0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 10001B30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 10001D90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 10001AF0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 10001AD0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10001D30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10001A70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10001A50 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 10001A90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 10001D50 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!GetModuleHandleA 7C80B529 5 Bytes JMP 10001CF0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!GetModuleHandleW 7C80E63C 5 Bytes JMP 10001D10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 10001B50 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!DeleteFileA 7C81E85C 5 Bytes JMP 10001CB0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
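
An added example (not part of the original thread, and not GMER's code) showing the triage question a helper asks of a GMER log like the one above: is every SSDT hook and inline code patch attributed to a security product that is known to be installed, or is something unattributed? The parser below handles the three line shapes GMER printed here (`SSDT ... (description/vendor) ZwXxx [0x...]`, kernel `.text module!func + off addr N Bytes JMP target`, and user-mode `.text process[pid] dll!func addr N Bytes JMP target module (description/vendor)`), counts hooks per vendor, and lists the ones with no attribution. The sample is a constructed excerpt of lines from the posted log; `parse_gmer`, `summarize`, `unattributed`, `triage` and the `known_vendors` set are this example's own names.

```python
"""Summarise a GMER rootkit-scan log by which vendor owns each hook.

Constructed example for this thread, not GMER's own code. GMER lists kernel
SSDT hooks and inline JMP patches; a firewall, an antivirus and an anti-spyware
tool all install such hooks legitimately, so the signal is not "hooks exist"
but "a hook that no installed product accounts for".
"""
import re
from collections import defaultdict

# Constructed excerpt; lines copied from the GMER log posted above.
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xEE2E3D46]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE0A76B8]
SSDT \??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE1640B0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 113 804E4FD4 4 Bytes JMP 3EEE2E38

---- User code sections - GMER 1.0.15 ----

.text D:\WINDOWS\system32\spoolsv.exe[448] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 100018D0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text D:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10001A70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
"""

# "SSDT <module path> (<description>/<vendor>) <ZwFunction> [0xaddr]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S.*?)\s+\((?P<attr>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)
# ".text <location>!<func>[ + off] <addr> <N> Bytes JMP <target>[ <module> (<description>/<vendor>)]"
INLINE_RE = re.compile(
    r"^\.text\s+(?P<where>.+?!\w+(?:\s+\+\s+\w+)?)\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<module>\S.*?)\s+\((?P<attr>[^)]*)\))?$"
)


def parse_gmer(text):
    """Return one dict per hook line; headers and blank lines are skipped."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks.append({"kind": "SSDT", "where": m["func"], "module": m["module"], "attr": m["attr"]})
            continue
        m = INLINE_RE.match(line)
        if m:
            # The trailing "(description/vendor)" is absent when GMER could not attribute the patch.
            hooks.append({"kind": "inline", "where": m["where"],
                          "module": m["module"] or "", "attr": m["attr"] or ""})
    return hooks


def vendor_of(hook):
    """GMER prints '(description/vendor)'; the vendor is the part after the last slash."""
    attr = hook["attr"]
    return attr.rsplit("/", 1)[-1].strip() if attr else ""


def summarize(hooks):
    """Hook count per vendor; the empty-string key counts unattributed hooks."""
    counts = defaultdict(int)
    for h in hooks:
        counts[vendor_of(h)] += 1
    return dict(counts)


def unattributed(hooks):
    """Hooks GMER could not tie to any module; these are the ones to investigate."""
    return [h for h in hooks if not vendor_of(h)]


def triage(text, known_vendors):
    """Hooks whose vendor is not in the set of products known to be installed."""
    return [h for h in parse_gmer(text) if vendor_of(h) not in known_vendors]


if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE_GMER)
    for vendor, n in sorted(summarize(hooks).items()):
        print(f"{n:3d} hook(s) from {vendor or '<unattributed>'}")
    # Products visible in the HijackThis log earlier in this thread.
    installed = {"COMODO", "ALWIL Software", "SUPERAdBlocker.com and SUPERAntiSpyware.com"}
    for h in triage(SAMPLE_GMER, installed):
        print("review:", h["kind"], h["where"])
```

On the sample, COMODO accounts for three hooks, avast! (ALWIL Software) and SUPERAntiSpyware for one each, all products that appear in the HijackThis log earlier in the thread. The one line left for review is the `ntoskrnl.exe!ZwYieldExecution` patch, which GMER printed without a module attribution; that is a prompt to identify the owner (a security driver's kernel hook is the usual explanation on a machine running this much protection software), not a verdict. The same grouping works on the full, multi-post log, which is why the helper asked for it to be saved to a file rather than read by hand.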

  5. #5
    Join Date
    Dec 2007
    Posts
    107

    more GMER log

    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!DeleteFileW 7C81F73D 5 Bytes JMP 10001CD0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!MoveFileWithProgressW 7C821565 5 Bytes JMP 10001C90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!MoveFileA 7C822294 5 Bytes JMP 10001BF0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!MoveFileWithProgressA 7C8222B3 5 Bytes JMP 10001C70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!CopyFileW 7C825779 5 Bytes JMP 10001B90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!OpenFile 7C826B99 5 Bytes JMP 10001B10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!CopyFileExW 7C82EFF2 7 Bytes JMP 10001BD0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!CopyFileA 7C830053 5 Bytes JMP 10001B70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!MoveFileW 7C839659 5 Bytes JMP 10001C10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!MoveFileExW 7C83991F 5 Bytes JMP 10001C50 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!MoveFileExA 7C85D2A3 5 Bytes JMP 10001C30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!CopyFileExA 7C85E1A4 5 Bytes JMP 10001BB0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 10001D70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] kernel32.dll!LoadModule 7C86125E 5 Bytes JMP 10001AB0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ADVAPI32.dll!OpenServiceW 77DE6165 7 Bytes JMP 10001480 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ADVAPI32.dll!OpenServiceA 77DEB88C 7 Bytes JMP 10001640 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ADVAPI32.dll!CreateServiceA 77E37071 7 Bytes JMP 10001000 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ADVAPI32.dll!CreateServiceW 77E37209 7 Bytes JMP 10001250 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 10008700 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ole32.dll!CoCreateInstanceEx 77525FB1 5 Bytes JMP 10008450 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] ole32.dll!CoGetClassObject 7753F356 5 Bytes JMP 10008590 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] SHELL32.dll!ShellExecuteExW 7CA0D5FE 5 Bytes JMP 10001E10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] SHELL32.dll!ShellExecuteEx 7CA0FB1C 5 Bytes JMP 10001DF0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] SHELL32.dll!ShellExecuteA 7CA0FE44 5 Bytes JMP 10001DB0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\spoolsv.exe[448] SHELL32.dll!ShellExecuteW 7CAB2988 5 Bytes JMP 10001DD0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!NtAllocateVirtualMemory 7C90D4DE 5 Bytes JMP 10001950 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10008B30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 100018D0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 10001890 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 100019B0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!NtDeleteFile 7C90D88F 5 Bytes JMP 10001910 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!NtFreeVirtualMemory 7C90DA48 5 Bytes JMP 10001A30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!NtLoadDriver 7C90DB6E 5 Bytes JMP 10001970 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes JMP 100018F0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 10001930 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 100019D0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!NtUnloadDriver 7C90E8F7 5 Bytes JMP 10001990 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 100018B0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!RtlAllocateHeap 7C9105D4 5 Bytes JMP 10001A10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 10004550 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10008A60 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ntdll.dll!LdrGetProcedureAddress 7C919B88 5 Bytes JMP 100019F0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 10001B30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 10001D90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 10001AF0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 10001AD0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10001D30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10001A70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10001A50 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 10001A90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 10001D50 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!GetModuleHandleA 7C80B529 5 Bytes JMP 10001CF0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!GetModuleHandleW 7C80E63C 5 Bytes JMP 10001D10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 10001B50 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!DeleteFileA 7C81E85C 5 Bytes JMP 10001CB0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!DeleteFileW 7C81F73D 5 Bytes JMP 10001CD0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!MoveFileWithProgressW 7C821565 5 Bytes JMP 10001C90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!MoveFileA 7C822294 5 Bytes JMP 10001BF0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!MoveFileWithProgressA 7C8222B3 5 Bytes JMP 10001C70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!CopyFileW 7C825779 5 Bytes JMP 10001B90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!OpenFile 7C826B99 5 Bytes JMP 10001B10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!CopyFileExW 7C82EFF2 7 Bytes JMP 10001BD0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!CopyFileA 7C830053 5 Bytes JMP 10001B70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!MoveFileW 7C839659 5 Bytes JMP 10001C10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!MoveFileExW 7C83991F 5 Bytes JMP 10001C50 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!MoveFileExA 7C85D2A3 5 Bytes JMP 10001C30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!CopyFileExA 7C85E1A4 5 Bytes JMP 10001BB0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 10001D70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadModule 7C86125E 5 Bytes JMP 10001AB0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!OpenServiceW 77DE6165 7 Bytes JMP 10001480 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!OpenServiceA 77DEB88C 7 Bytes JMP 10001640 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!CreateServiceA 77E37071 7 Bytes JMP 10001000 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!CreateServiceW 77E37209 7 Bytes JMP 10001250 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)

  6. #6
    Join Date
    Dec 2007
    Posts
    107

    yet more gmer log

    .text D:\WINDOWS\system32\services.exe[628] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 10008700 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ole32.dll!CoCreateInstanceEx 77525FB1 5 Bytes JMP 10008450 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] ole32.dll!CoGetClassObject 7753F356 5 Bytes JMP 10008590 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] SHELL32.dll!ShellExecuteExW 7CA0D5FE 5 Bytes JMP 10001E10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] SHELL32.dll!ShellExecuteEx 7CA0FB1C 5 Bytes JMP 10001DF0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] SHELL32.dll!ShellExecuteA 7CA0FE44 5 Bytes JMP 10001DB0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\services.exe[628] SHELL32.dll!ShellExecuteW 7CAB2988 5 Bytes JMP 10001DD0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtAllocateVirtualMemory 7C90D4DE 5 Bytes JMP 10001950 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10008B30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 100018D0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 10001890 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 100019B0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtDeleteFile 7C90D88F 5 Bytes JMP 10001910 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtFreeVirtualMemory 7C90DA48 5 Bytes JMP 10001A30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtLoadDriver 7C90DB6E 5 Bytes JMP 10001970 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes JMP 100018F0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 10001930 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 100019D0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtUnloadDriver 7C90E8F7 5 Bytes JMP 10001990 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 100018B0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!RtlAllocateHeap 7C9105D4 5 Bytes JMP 10001A10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 10004550 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10008A60 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!LdrGetProcedureAddress 7C919B88 5 Bytes JMP 100019F0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 10001B30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 10001D90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 10001AF0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 10001AD0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10001D30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10001A70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10001A50 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 10001A90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 10001D50 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetModuleHandleA 7C80B529 5 Bytes JMP 10001CF0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetModuleHandleW 7C80E63C 5 Bytes JMP 10001D10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 10001B50 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!DeleteFileA 7C81E85C 5 Bytes JMP 10001CB0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!DeleteFileW 7C81F73D 5 Bytes JMP 10001CD0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!MoveFileWithProgressW 7C821565 5 Bytes JMP 10001C90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!MoveFileA 7C822294 5 Bytes JMP 10001BF0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!MoveFileWithProgressA 7C8222B3 5 Bytes JMP 10001C70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CopyFileW 7C825779 5 Bytes JMP 10001B90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!OpenFile 7C826B99 5 Bytes JMP 10001B10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CopyFileExW 7C82EFF2 7 Bytes JMP 10001BD0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CopyFileA 7C830053 5 Bytes JMP 10001B70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!MoveFileW 7C839659 5 Bytes JMP 10001C10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!MoveFileExW 7C83991F 5 Bytes JMP 10001C50 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!MoveFileExA 7C85D2A3 5 Bytes JMP 10001C30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CopyFileExA 7C85E1A4 5 Bytes JMP 10001BB0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 10001D70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadModule 7C86125E 5 Bytes JMP 10001AB0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!OpenServiceW 77DE6165 7 Bytes JMP 10001480 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!OpenServiceA 77DEB88C 7 Bytes JMP 10001640 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!CreateServiceA 77E37071 7 Bytes JMP 10001000 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!CreateServiceW 77E37209 7 Bytes JMP 10001250 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 10008700 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] WS2_32.dll!WSASocketW 71AB39CB 7 Bytes JMP 10001E90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] WS2_32.dll!WSASocketA 71AB8769 5 Bytes JMP 10001E70 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ole32.dll!CoCreateInstanceEx 77525FB1 5 Bytes JMP 10008450 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] ole32.dll!CoGetClassObject 7753F356 5 Bytes JMP 10008590 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] SHELL32.dll!ShellExecuteExW 7CA0D5FE 5 Bytes JMP 10001E10 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] SHELL32.dll!ShellExecuteEx 7CA0FB1C 5 Bytes JMP 10001DF0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] SHELL32.dll!ShellExecuteA 7CA0FE44 5 Bytes JMP 10001DB0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\lsass.exe[640] SHELL32.dll!ShellExecuteW 7CAB2988 5 Bytes JMP 10001DD0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtAllocateVirtualMemory 7C90D4DE 5 Bytes JMP 10001950 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10008B30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 100018D0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 10001890 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 100019B0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtDeleteFile 7C90D88F 5 Bytes JMP 10001910 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtFreeVirtualMemory 7C90DA48 5 Bytes JMP 10001A30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtLoadDriver 7C90DB6E 5 Bytes JMP 10001970 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
    .text D:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes JMP 100018F0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
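
One way to triage a GMER user-mode hook listing like the one above, as an added example that is neither the thread's nor GMER's own code: it parses each `.text` hook line, groups hooks by process and by the module the JMP lands in, and flags any hook whose target module is not one you expect (here COMODO's guard32.dll, which the rest of the thread treats as a legitimate HIPS component). The sample lines are copied from the log above plus one constructed line with a placeholder target module so the flagging path is exercised; the function names and EXPECTED_TARGETS list are assumptions of this example.

```python
"""Triage helper for GMER user-mode hook lines (added example, not from the thread).

Each GMER line below records an inline hook: the first bytes of an exported
function inside a process were overwritten with a JMP into another module.
Whether that is benign depends on which module owns the JMP destination.
"""
import re
from collections import defaultdict

# Format of a GMER user-mode hook line, e.g.
# .text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10008B30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
HOOK_RE = re.compile(
    r"^(?P<section>\.\w+)\s+"                            # section of the hooked image
    r"(?P<process>.+?)\[(?P<pid>\d+)\]\s+"               # process path and PID
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"              # hooked export (module!function)
    r"(?P<addr>[0-9A-F]+)\s+(?P<nbytes>\d+)\s+Bytes\s+"  # hooked address, bytes patched
    r"(?P<kind>\w+)\s+(?P<target>[0-9A-F]+)\s+"          # JMP and its destination address
    r"(?P<target_module>.+?\.(?:dll|exe|sys))"           # module owning the destination
    r"(?:\s+\((?P<desc>[^)]*)\))?\s*$",                  # optional vendor/description
    re.IGNORECASE,
)

# Sample input: five lines copied from the log above plus one CONSTRUCTED line
# (the last one) whose target is a placeholder module, not a real file.
SAMPLE_LOG = r"""
.text D:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10001A50 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text D:\WINDOWS\system32\services.exe[628] kernel32.dll!CopyFileExW 7C82EFF2 7 Bytes JMP 10001BD0 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text D:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10008B30 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text D:\WINDOWS\system32\lsass.exe[640] WS2_32.dll!WSASocketW 71AB39CB 7 Bytes JMP 10001E90 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text D:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtLoadDriver 7C90DB6E 5 Bytes JMP 10001970 D:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text D:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes JMP 100018F0 D:\WINDOWS\system32\EXAMPLE_placeholder.dll
"""

# Assumption of this example: guard32.dll is expected only because the HJT log
# in the thread shows COMODO Internet Security installed and loading it via
# AppInit_DLLs. Confirm the product is really installed before trusting a target.
EXPECTED_TARGETS = [r"D:\WINDOWS\system32\guard32.dll"]


def parse_hook_line(line):
    """Return a dict for one GMER hook line, or None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    h = m.groupdict()
    h["pid"] = int(h["pid"])
    h["nbytes"] = int(h["nbytes"])
    h["process_name"] = h["process"].rsplit("\\", 1)[-1]
    h["target_name"] = h["target_module"].rsplit("\\", 1)[-1]
    return h


def parse_hooks(text):
    """Parse every hook line in a GMER log fragment, skipping non-hook lines."""
    return [h for h in (parse_hook_line(l) for l in text.splitlines()) if h]


def hooks_by_target(hooks):
    """Count hooks per target module (lower-cased path) to see who is hooking."""
    counts = defaultdict(int)
    for h in hooks:
        counts[h["target_module"].lower()] += 1
    return dict(counts)


def hooked_functions(hooks):
    """Map each hooked process name to the sorted list of its hooked exports."""
    out = defaultdict(set)
    for h in hooks:
        out[h["process_name"].lower()].add(f'{h["module"]}!{h["func"]}')
    return {k: sorted(v) for k, v in out.items()}


def unexpected_hooks(hooks, expected_targets):
    """Hooks whose JMP lands outside the modules you have accounted for."""
    expected = {t.lower() for t in expected_targets}
    return [h for h in hooks if h["target_module"].lower() not in expected]


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for target, n in sorted(hooks_by_target(hooks).items()):
        print(f"{n:3d} hook(s) -> {target}")
    for h in unexpected_hooks(hooks, EXPECTED_TARGETS):
        print(f"REVIEW: {h['process_name']}[{h['pid']}] {h['module']}!{h['func']} "
              f"-> {h['target_module']} ({h['desc'] or 'no vendor string'})")
```

Run on the full log, the review list is what a helper would look at first; hooks that all resolve to one installed security product's module, as here, are the expected footprint of that product rather than an infection.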

  7. #7
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    You did well. Sometimes, GMER is that long. In the future, you can simply attach it.


    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

    =============================================================

    Disable TeaTimer, as it'll interfere with the cleaning process:
    Right click Spybot's TeaTimer System Tray Icon.
    Click Exit Spybot-S&D Resident.
    TeaTimer closes.
    NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

    ================================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    nothing malicious to remove

    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [igfxtray] D:\WINDOWS\system32\igfxtray.exe
    - O4 - HKLM\..\Run: [igfxpers] D:\WINDOWS\system32\igfxpers.exe
    - O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    - O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    - O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll


    5. Click on Fix checked button.

    6. Restart computer.


    When done....


    Your computer is clean

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please let me know how your computer is doing.

  8. #8
    Join Date
    Dec 2007
    Posts
    107

    Subarashi

    Maybe what happened to spybot was a routine scan. Thank you very much for the help. Keep up the good work helping people. This is my latest HJT log. Just making sure there aren't any problems.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:09:53 AM, on 11/17/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Ahead\InCD\InCDsrv.exe
    D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Alwil Software\Avast4\ashServ.exe
    D:\WINDOWS\system32\RunDll32.exe
    D:\Program Files\VDOTool\TBPanel.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    D:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\WINDOWS\system32\nvsvc32.exe
    D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    D:\WINDOWS\system32\igfxsrvc.exe
    D:\Program Files\uTorrent\uTorrent.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    D:\Program Files\Mozilla Firefox\firefox.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [igfxhkcmd] D:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Gainward] D:\Program Files\VDOTool\TBPanel.exe /A
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: !SASWinLogon - D:\WINDOWS\
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - D:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 4983 bytes

  9. #9
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    You're welcome
