[Resolved] TR/Dropper.Gen
-
Hi
I have Avira AntiVir Personal. It detected TR/Dropper.Gen
It infected a lot of my files. Mostly the folders where I store everything.
What can I do?
When I repair, Avira seems to quarantine the entire folders.
I cannot lose these files! Help!
-
Print these instructions out.
NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe.
***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***
STEP 1. Download SUPERAntiSpyware Free for Home Users:
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
* Close SUPERAntiSpyware.
PHYSICALLY DISCONNECT FROM THE INTERNET
Restart computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode. You'll see "Safe Mode" in all four corners of your screen.
* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under the General and Startup tab, make sure the "Start SUPERAntiSpyware when Windows starts" option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
RECONNECT TO THE INTERNET
RESTART COMPUTER!
STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 3. Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
Alternative downloads:
- |MG| GMER 1.0.15.14972 Download
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning! Please do not select the "Show all" checkbox during the scan.
Post the log to your next reply.
RESTART COMPUTER
STEP 4. Download HijackThis:
TrendSecure | Download TrendMicro HijackThis
by clicking on Download HijackThis Installer
Install, and run it.
Post HijackThis log.
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
Did I post this in the wrong category?
No reply, Help!!
-
Are you saying that you can't see any replies to your post?
-
Sorry, my bad. I guess I didn't wait for the whole page to load or something.
-
I did. Up to step 2. Here are the results:
SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
Generated 07/25/2009 at 04:15 PM
Application Version : 4.26.1006
Core Rules Database Version : 4019
Trace Rules Database Version: 1959
Scan type : Complete Scan
Total Scan Time : 01:58:31
Memory items scanned : 235
Memory threats detected : 0
Registry items scanned : 6108
Registry threats detected : 34
File items scanned : 188711
File threats detected : 1
Trojan.Smitfraud Variant-Gen/IEDef
Malwarebytes' Anti-Malware 1.39
Database version: 2500
Windows 5.1.2600 Service Pack 2
7/25/2009 5:47:42 PM
mbam-log-2009-07-25 (17-47-42).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 290276
Time elapsed: 37 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\system volume information\_restore{cf018852-ba64-4908-8a33-84ee67a1251f}\RP183\A0052713.exe (Malware.Tool) -> Quarantined and deleted successfully.
c:\system volume information\_restore{cf018852-ba64-4908-8a33-84ee67a1251f}\RP183\A0052714.exe (Malware.Tool) -> Quarantined and deleted successfully.
f:\p.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
f:\system volume information\_restore{b0fe6bf7-1739-4e57-9b2d-b9a467bba369}\RP17\A0003484.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
f:\system volume information\_restore{b0fe6bf7-1739-4e57-9b2d-b9a467bba369}\RP17\A0003487.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
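As an added example that is not part of the original thread, the following Python reads a Malwarebytes' Anti-Malware text log in the layout posted above, checks the summary counts against the listed items, and separates detections inside System Restore points (`System Volume Information\_restore{...}`) from files on the live file system. The sample log is constructed, and the function names and location categories are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the text-log layout shown in the post above;
# paths, GUIDs and detection names are placeholders, not real findings.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.39
Scan type: Full Scan (C:\|F:\|)
Objects scanned: 1000
Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{00000000-0000-0000-0000-000000000001}\RP10\A0000001.exe (Example.Detection) -> Quarantined and deleted successfully.
f:\system volume information\_restore{00000000-0000-0000-0000-000000000002}\RP3\A0000002.exe (Example.Detection) -> Quarantined and deleted successfully.
f:\sample.exe (Example.Detection) -> Quarantined and deleted successfully.
c:\documents and settings\user\my documents\tool.exe (Example.Detection) -> Delete on reboot.
"""

# "Files Infected: 5" (summary line) versus "Files Infected:" (section header).
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<path> (<detection name>) -> <action>"; the path itself may contain parentheses.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
# Windows XP System Restore stores its copies under _restore{GUID}\RPnnn\.
RESTORE_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\RP\d+\\", re.I)
# An executable sitting directly in the root of a drive.
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|com|scr|pif|bat)$", re.I)


def classify_path(path):
    """Return a coarse location category for a detected file path."""
    if RESTORE_RE.match(path):
        return "restore_point"
    if ROOT_EXE_RE.match(path):
        return "drive_root"
    return "other"


def parse_log(text):
    """Return (summary_counts, items) parsed from the log text."""
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({
                "section": section,
                "path": m["path"],
                "name": m["name"],
                "action": m["action"],
                "location": classify_path(m["path"]),
            })
    return summary, items


def triage(text):
    """Summarise what a reviewer needs to follow up on after the scan."""
    summary, items = parse_log(text)
    listed = Counter(i["section"] for i in items)
    return {
        # Sections whose summary count differs from the items actually listed
        # (a truncated or edited paste shows up here).
        "count_mismatches": {s: (n, listed.get(s, 0))
                             for s, n in summary.items() if n != listed.get(s, 0)},
        "by_location": dict(Counter(i["location"] for i in items)),
        # Drives whose restore points held detected copies.
        "restore_drives": sorted({i["path"][0].upper() for i in items
                                  if i["location"] == "restore_point"}),
        # Detections outside restore points, i.e. files on the live file system.
        "live_files": [i["path"] for i in items
                       if i["location"] != "restore_point"],
        # Items the scanner did not report as successfully removed.
        "unresolved": [i["path"] for i in items
                       if "successfully" not in i["action"].lower()],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Detections under `_restore{...}` are copies kept by System Restore, so the entries in `live_files` and `unresolved` are the ones to look at first when reviewing a posted log.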
-
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-25 20:57:39
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.15 ----
---- Kernel code sections - GMER 1.0.15 ----
? spyc.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6BF762C 5 Bytes JMP 85F071D8
---- User code sections - GMER 1.0.15 ----
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] kernel32.dll!MoveFileW 7C839659 5 Bytes JMP 00CD1C10 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] kernel32.dll!MoveFileExW 7C83991F 5 Bytes JMP 00CD1C50 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] kernel32.dll!MoveFileExA 7C85D2A3 5 Bytes JMP 00CD1C30 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] kernel32.dll!CopyFileExA 7C85E1A4 5 Bytes JMP 00CD1BB0 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00CD1D70 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] kernel32.dll!LoadModule 7C86125E 5 Bytes JMP 00CD1AB0 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 00CD6E00 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] USER32.dll!mouse_event 77D96321 5 Bytes JMP 00CD2CE0 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] USER32.dll!keybd_event 77D96365 5 Bytes JMP 00CD2B60 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] GDI32.dll!BitBlt 77F16DC0 5 Bytes JMP 00CD2E70 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] GDI32.dll!CreateDCA 77F1CE55 5 Bytes JMP 00CD2840 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] GDI32.dll!CreateDCW 77F2F8CF 5 Bytes JMP 00CD29D0 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] ADVAPI32.dll!OpenServiceW 77DE6165 7 Bytes JMP 00CD1480 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] ADVAPI32.dll!OpenServiceA 77DEB88C 7 Bytes JMP 00CD1640 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] ADVAPI32.dll!CreateServiceA 77E37071 7 Bytes JMP 00CD1000 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] ADVAPI32.dll!CreateServiceW 77E37209 7 Bytes JMP 00CD1250 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] SHELL32.dll!ShellExecuteExW 7CA0D5FE 5 Bytes JMP 00CD1E10 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] SHELL32.dll!ShellExecuteEx 7CA0FB1C 5 Bytes JMP 00CD1DF0 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] SHELL32.dll!ShellExecuteA 7CA0FE44 5 Bytes JMP 00CD1DB0 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] SHELL32.dll!ShellExecuteW 7CAB2988 5 Bytes JMP 00CD1DD0 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] ole32.dll!CoCreateInstanceEx 77525FB1 5 Bytes JMP 00CD6B10 D:\WINDOWS\system32\guard32.dll
.text D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE[276] ole32.dll!CoGetClassObject 7753F356 5 Bytes JMP 00CD6C90 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!NtAllocateVirtualMemory 7C90D4DE 5 Bytes JMP 00931950 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 00937210 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 009318D0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00931890 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 009319B0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!NtDeleteFile 7C90D88F 5 Bytes JMP 00931910 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!NtFreeVirtualMemory 7C90DA48 5 Bytes JMP 00931A30 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!NtLoadDriver 7C90DB6E 5 Bytes JMP 00931970 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes JMP 009318F0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00931930 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 009319D0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!NtUnloadDriver 7C90E8F7 5 Bytes JMP 00931990 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 009318B0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 7 Bytes JMP 00932240 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!RtlAllocateHeap 7C9105D4 5 Bytes JMP 00931A10 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009331B0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00937140 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ntdll.dll!LdrGetProcedureAddress 7C919B88 5 Bytes JMP 009319F0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00931B30 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00931D90 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 00931AF0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00931AD0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00931D30 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00931A70 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00931A50 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00931A90 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00931D50 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!GetModuleHandleA 7C80B529 5 Bytes JMP 00931CF0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!GetModuleHandleW 7C80E63C 5 Bytes JMP 00931D10 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00931B50 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!DeleteFileA 7C81E85C 5 Bytes JMP 00931CB0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!DeleteFileW 7C81F73D 5 Bytes JMP 00931CD0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!MoveFileWithProgressW 7C821565 5 Bytes JMP 00931C90 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!MoveFileA 7C822294 5 Bytes JMP 00931BF0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!MoveFileWithProgressA 7C8222B3 5 Bytes JMP 00931C70 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!CopyFileW 7C825779 5 Bytes JMP 00931B90 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!OpenFile 7C826B99 5 Bytes JMP 00931B10 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!CopyFileExW 7C82EFF2 7 Bytes JMP 00931BD0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!CopyFileA 7C830053 5 Bytes JMP 00931B70 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!MoveFileW 7C839659 5 Bytes JMP 00931C10 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!MoveFileExW 7C83991F 5 Bytes JMP 00931C50 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!MoveFileExA 7C85D2A3 5 Bytes JMP 00931C30 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!CopyFileExA 7C85E1A4 5 Bytes JMP 00931BB0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00931D70 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] kernel32.dll!LoadModule 7C86125E 5 Bytes JMP 00931AB0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ADVAPI32.dll!OpenServiceW 77DE6165 7 Bytes JMP 00931480 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ADVAPI32.dll!OpenServiceA 77DEB88C 7 Bytes JMP 00931640 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ADVAPI32.dll!CreateServiceA 77E37071 7 Bytes JMP 00931000 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ADVAPI32.dll!CreateServiceW 77E37209 7 Bytes JMP 00931250 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] GDI32.dll!BitBlt 77F16DC0 5 Bytes JMP 00932E70 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] GDI32.dll!CreateDCA 77F1CE55 5 Bytes JMP 00932840 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] GDI32.dll!CreateDCW 77F2F8CF 5 Bytes JMP 009329D0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 00936E00 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] USER32.dll!mouse_event 77D96321 5 Bytes JMP 00932CE0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] USER32.dll!keybd_event 77D96365 5 Bytes JMP 00932B60 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] WININET.dll!InternetConnectA 771C44DB 5 Bytes JMP 00931E30 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] WININET.dll!InternetConnectW 771D5D4C 1 Byte [E9]
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] WININET.dll!InternetConnectW 771D5D4C 5 Bytes JMP 00931E50 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ole32.dll!CoCreateInstanceEx 77525FB1 5 Bytes JMP 00936B10 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] ole32.dll!CoGetClassObject 7753F356 5 Bytes JMP 00936C90 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] SHELL32.dll!ShellExecuteExW 7CA0D5FE 5 Bytes JMP 00931E10 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] SHELL32.dll!ShellExecuteEx 7CA0FB1C 5 Bytes JMP 00931DF0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] SHELL32.dll!ShellExecuteA 7CA0FE44 5 Bytes JMP 00931DB0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\COMODO\SafeSurf\cssurf.exe[284] SHELL32.dll!ShellExecuteW 7CAB2988 5 Bytes JMP 00931DD0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!NtAllocateVirtualMemory 7C90D4DE 5 Bytes JMP 00BE1950 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 00BE7210 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 00BE18D0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 00BE1890 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 00BE19B0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!NtDeleteFile 7C90D88F 5 Bytes JMP 00BE1910 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!NtFreeVirtualMemory 7C90DA48 5 Bytes JMP 00BE1A30 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!NtLoadDriver 7C90DB6E 5 Bytes JMP 00BE1970 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes JMP 00BE18F0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00BE1930 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!NtSetInformationProcess 7C90E62D 5 Bytes JMP 00BE19D0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!NtUnloadDriver 7C90E8F7 5 Bytes JMP 00BE1990 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00BE18B0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 7 Bytes JMP 00BE2240 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!RtlAllocateHeap 7C9105D4 5 Bytes JMP 00BE1A10 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00BE31B0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00BE7140 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ntdll.dll!LdrGetProcedureAddress 7C919B88 5 Bytes JMP 00BE19F0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BE1B30 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BE1D90 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!LoadLibraryExW 7C801AF1 7 Bytes JMP 00BE1AF0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BE1AD0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BE1D30 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BE1A70 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BE1A50 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00BE1A90 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00BE1D50 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!GetModuleHandleA 7C80B529 5 Bytes JMP 00BE1CF0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!GetModuleHandleW 7C80E63C 5 Bytes JMP 00BE1D10 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00BE1B50 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!DeleteFileA 7C81E85C 5 Bytes JMP 00BE1CB0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!DeleteFileW 7C81F73D 5 Bytes JMP 00BE1CD0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!MoveFileWithProgressW 7C821565 5 Bytes JMP 00BE1C90 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!MoveFileA 7C822294 5 Bytes JMP 00BE1BF0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!MoveFileWithProgressA 7C8222B3 5 Bytes JMP 00BE1C70 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!CopyFileW 7C825779 5 Bytes JMP 00BE1B90 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!OpenFile 7C826B99 5 Bytes JMP 00BE1B10 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!CopyFileExW 7C82EFF2 7 Bytes JMP 00BE1BD0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!CopyFileA 7C830053 5 Bytes JMP 00BE1B70 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!MoveFileW 7C839659 5 Bytes JMP 00BE1C10 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!MoveFileExW 7C83991F 5 Bytes JMP 00BE1C50 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!MoveFileExA 7C85D2A3 5 Bytes JMP 00BE1C30 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!CopyFileExA 7C85E1A4 5 Bytes JMP 00BE1BB0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00BE1D70 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] kernel32.dll!LoadModule 7C86125E 5 Bytes JMP 00BE1AB0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] USER32.dll!EndTask 77D89C9D 5 Bytes JMP 00BE6E00 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] USER32.dll!mouse_event 77D96321 5 Bytes JMP 00BE2CE0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] USER32.dll!keybd_event 77D96365 5 Bytes JMP 00BE2B60 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] GDI32.dll!BitBlt 77F16DC0 5 Bytes JMP 00BE2E70 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] GDI32.dll!CreateDCA 77F1CE55 5 Bytes JMP 00BE2840 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] GDI32.dll!CreateDCW 77F2F8CF 5 Bytes JMP 00BE29D0 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ADVAPI32.dll!OpenServiceW 77DE6165 7 Bytes JMP 00BE1480 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ADVAPI32.dll!OpenServiceA 77DEB88C 7 Bytes JMP 00BE1640 D:\WINDOWS\system32\guard32.dll
.text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[324] ADVAPI32.dll!CreateServiceA 77E37071 7 Bytes JMP 00BE1000 D:\WINDOWS\system32\gua
Last edited by ash_dome; 26-07-2009 at 02:30 AM.
-
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:42 AM, on 7/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\COMODO\Firewall\cmdagent.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE
D:\Program Files\COMODO\SafeSurf\cssurf.exe
D:\Program Files\COMODO\Firewall\cfp.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Philips\Philips-SkypeSoftPhone\SoftPhone.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ÌÚѶÊ×Ò³
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - D:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - D:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EPSON ME 1] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE /P10 "EPSON ME 1" /O6 "USB001" /M "ME 1"
O4 - HKLM\..\Run: [COMODO SafeSurf] "D:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [UUCallMini] "D:\Documents and Settings\Hsing Wong\Application Data\Microsoft\Internet Explorer\Quick Launch\UUCall????3.exe" -autorun
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON ME 1 (Copy 1)] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3W 1.EXE /P19 "EPSON ME 1 (Copy 1)" /O6 "USB001" /M "ME 1"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [QQ2009] "E:\Program Files\Tencent\QQ2009\Bin\QQ.exe" /background
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Hsing Wong\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Philips IPP-Skype Soft Phone.lnk = D:\Program Files\Philips\Philips-SkypeSoftPhone\SoftPhone.exe
O8 - Extra context menu item: Add to QQ Customized Emoticons - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: Add to QQ Customized Panel - D:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - D:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send picture by MMS - D:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Send Picture with QQ MMS - D:\Program Files\Tencent\QQ\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - D:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØ - C:\Program Files\Thunder\Program\geturl.htm
O8 - Extra context menu item: ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\Thunder\Program\getallurl.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: Tencent QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - D:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: QQìŲʹ¤¾ßÌõÉèÖà - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1235091004734
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: D:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - D:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
--
End of file - 8555 bytes
-
Sorry, I've been trying to post the full GMER here, but no luck so far. I keep getting this:
Fatal error: Maximum execution time of 30 seconds exceeded in /home/7068/daldafor/www.d-a-l.com/public_html/help/includes/functions.php on line 1729