GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-01 14:53:43 Windows 5.1.2600 Dodatek Service Pack 3 Running: yp1cu9t6.exe; Driver: D:\DOCUME~1\GSIORE~1.G-D\USTAWI~1\Temp\agniqpod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xB497A4EE] SSDT B86A16AC ZwClose SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xB497979E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xB497A11C] SSDT B86A1666 ZwCreateKey SSDT B86A16B6 ZwCreateSection SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xB497C882] SSDT B86A165C ZwCreateThread SSDT B86A166B ZwDeleteKey SSDT B86A1675 ZwDeleteValueKey SSDT B86A16A7 ZwDuplicateObject SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xB497B994] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xB497BBA8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xB497C288] SSDT B86A167A ZwLoadKey SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xB4979A82] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeKey [0xB497CB54] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeMultipleKeys [0xB497B752] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xB497A314] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xB497ADB0] SSDT B86A1648 ZwOpenProcess SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xB4979D36] SSDT B86A164D ZwOpenThread SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xB497BD1A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xB497BFCE] SSDT B86A16CF ZwQueryValueKey SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xB497B4A8] SSDT B86A1684 ZwReplaceKey SSDT B86A16C0 ZwRequestWaitReplyPort SSDT B86A167F ZwRestoreKey SSDT B86A16BB ZwSetContextThread SSDT B86A16C5 ZwSetSecurityObject SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xB497C588] SSDT B86A1670 ZwSetValueKey SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xB49799EC] SSDT B86A16CA ZwSystemDebugControl SSDT B86A1657 ZwTerminateProcess SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0xB497934C] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 24E9 80501D11 7 Bytes [C2, 97, B4, 7A, 16, 6A, B8] {RET 0xb497; JP 0x1b; PUSH -0x48} .text ntkrnlpa.exe!ZwCallbackReturn + 2665 80501E8D 7 Bytes [B4, 97, B4, 84, 16, 6A, B8] {MOV AH, 0x97; MOV AH, 0x84; PUSH SS; PUSH -0x48} .text D:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6DA73A0, 0x83C195, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text D:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[276] ntdll.dll!NtAllocateVirtualMemory 7C90CF50 5 Bytes JMP 00401000 D:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avguard.exe[348] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [71, 71] {JNO 0x73} .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Bonjour\mDNSResponder.exe[376] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Bonjour\mDNSResponder.exe[376] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text D:\Program Files\Bonjour\mDNSResponder.exe[376] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7190000A .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7196000A .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Bonjour\mDNSResponder.exe[376] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [92, 71] .text D:\Program Files\Bonjour\mDNSResponder.exe[376] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717B000A .text D:\Program Files\Bonjour\mDNSResponder.exe[376] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 717E000A .text D:\Program Files\Bonjour\mDNSResponder.exe[376] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 7178000A .text D:\Program Files\Bonjour\mDNSResponder.exe[376] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text D:\Program Files\Bonjour\mDNSResponder.exe[376] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7184000A .text D:\Program Files\Bonjour\mDNSResponder.exe[376] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718A000A .text D:\Program Files\Bonjour\mDNSResponder.exe[376] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 7187000A .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe[500] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\csrss.exe[732] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 5 Bytes JMP 100015D0 D:\WINDOWS\system32\cmdcsr.dll .text D:\WINDOWS\system32\csrss.exe[732] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 5 Bytes JMP 10001A50 D:\WINDOWS\system32\cmdcsr.dll .text D:\WINDOWS\system32\services.exe[816] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\services.exe[816] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\system32\services.exe[816] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\services.exe[816] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\system32\services.exe[816] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\services.exe[816] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\system32\services.exe[816] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\services.exe[816] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\system32\services.exe[816] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\system32\services.exe[816] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\system32\services.exe[816] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\system32\services.exe[816] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\system32\services.exe[816] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\system32\services.exe[816] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\services.exe[816] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\services.exe[816] RPCRT4.dll!RpcServerRegisterIfEx 77E8E05B 6 Bytes JMP 7190000A .text D:\WINDOWS\system32\services.exe[816] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\system32\services.exe[816] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\system32\services.exe[816] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\system32\services.exe[816] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\system32\services.exe[816] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\system32\services.exe[816] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\system32\services.exe[816] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\WINDOWS\system32\lsass.exe[832] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\lsass.exe[832] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\system32\lsass.exe[832] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\lsass.exe[832] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [72, 71] {JB 0x73} .text D:\WINDOWS\system32\lsass.exe[832] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\lsass.exe[832] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [6F, 71] .text D:\WINDOWS\system32\lsass.exe[832] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\lsass.exe[832] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A2, 71] .text D:\WINDOWS\system32\lsass.exe[832] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text D:\WINDOWS\system32\lsass.exe[832] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719A000A .text D:\WINDOWS\system32\lsass.exe[832] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7197000A .text D:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 718E000A .text D:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7194000A .text D:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\lsass.exe[832] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [90, 71] .text D:\WINDOWS\system32\lsass.exe[832] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 7179000A .text D:\WINDOWS\system32\lsass.exe[832] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 717C000A .text D:\WINDOWS\system32\lsass.exe[832] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 7176000A .text D:\WINDOWS\system32\lsass.exe[832] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717F000A .text D:\WINDOWS\system32\lsass.exe[832] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7182000A .text D:\WINDOWS\system32\lsass.exe[832] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 7188000A .text D:\WINDOWS\system32\lsass.exe[832] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 7185000A .text D:\WINDOWS\system32\nvsvc32.exe[1004] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\nvsvc32.exe[1004] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\system32\nvsvc32.exe[1004] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\nvsvc32.exe[1004] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\system32\nvsvc32.exe[1004] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\nvsvc32.exe[1004] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\system32\nvsvc32.exe[1004] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\nvsvc32.exe[1004] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\system32\nvsvc32.exe[1004] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\system32\nvsvc32.exe[1004] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\system32\nvsvc32.exe[1004] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\system32\nvsvc32.exe[1004] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\WINDOWS\system32\nvsvc32.exe[1004] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\WINDOWS\system32\nvsvc32.exe[1004] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\system32\nvsvc32.exe[1004] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\system32\nvsvc32.exe[1004] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\nvsvc32.exe[1004] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\nvsvc32.exe[1004] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\system32\nvsvc32.exe[1004] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\system32\nvsvc32.exe[1004] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\system32\nvsvc32.exe[1004] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\system32\nvsvc32.exe[1004] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\system32\nvsvc32.exe[1004] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\system32\nvsvc32.exe[1004] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\WINDOWS\system32\svchost.exe[1076] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1076] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\system32\svchost.exe[1076] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1076] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\system32\svchost.exe[1076] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1076] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\system32\svchost.exe[1076] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1076] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\svchost.exe[1076] RPCRT4.dll!RpcServerRegisterIfEx 77E8E05B 6 Bytes JMP 7190000A .text D:\WINDOWS\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\system32\svchost.exe[1076] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\system32\svchost.exe[1076] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\system32\svchost.exe[1076] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\system32\svchost.exe[1076] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\system32\svchost.exe[1076] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\svchost.exe[1124] RPCRT4.dll!RpcServerRegisterIfEx 77E8E05B 6 Bytes JMP 7190000A .text D:\WINDOWS\system32\svchost.exe[1124] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\system32\svchost.exe[1124] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\system32\svchost.exe[1124] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\system32\svchost.exe[1124] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\system32\svchost.exe[1124] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\system32\svchost.exe[1124] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\system32\svchost.exe[1124] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\WINDOWS\system32\svchost.exe[1124] rpcss.dll!WhichService 76A63C84 8 Bytes [D0, 2F, 01, 10, 90, 2D, 01, ...] .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [71, 71] {JNO 0x73} .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7190000A .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7196000A .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [92, 71] .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7184000A .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718A000A .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 7187000A .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717B000A .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 717E000A .text D:\Program Files\Java\jre6\bin\jqs.exe[1176] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 7178000A .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Program Files\Google\Update\GoogleUpdate.exe[1188] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1220] ntdll.dll!NtAllocateVirtualMemory 7C90CF50 5 Bytes JMP 00401ED0 D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1220] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00441820 D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text D:\WINDOWS\system32\svchost.exe[1264] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1264] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\system32\svchost.exe[1264] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1264] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\system32\svchost.exe[1264] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1264] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\system32\svchost.exe[1264] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1264] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\system32\svchost.exe[1264] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1264] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\svchost.exe[1264] RPCRT4.dll!RpcServerRegisterIfEx 77E8E05B 6 Bytes JMP 7190000A .text D:\WINDOWS\system32\svchost.exe[1264] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\system32\svchost.exe[1264] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\system32\svchost.exe[1264] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\system32\svchost.exe[1264] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\system32\svchost.exe[1264] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\system32\svchost.exe[1264] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\system32\svchost.exe[1264] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[1360] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1420] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\system32\svchost.exe[1420] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1420] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\svchost.exe[1420] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\system32\svchost.exe[1420] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\system32\svchost.exe[1420] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\system32\svchost.exe[1420] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\system32\svchost.exe[1420] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\system32\svchost.exe[1420] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\system32\svchost.exe[1420] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\Avira\AntiVir Desktop\avshadow.exe[1444] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1560] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\svchost.exe[1560] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\system32\svchost.exe[1560] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\system32\svchost.exe[1560] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\system32\svchost.exe[1560] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\system32\svchost.exe[1560] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\system32\svchost.exe[1560] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\system32\svchost.exe[1560] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1604] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\System32\svchost.exe[1612] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\System32\svchost.exe[1612] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\System32\svchost.exe[1612] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\System32\svchost.exe[1612] RPCRT4.dll!RpcServerRegisterIfEx 77E8E05B 6 Bytes JMP 7190000A .text D:\WINDOWS\System32\svchost.exe[1612] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\System32\svchost.exe[1612] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\System32\svchost.exe[1612] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\System32\svchost.exe[1612] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\System32\svchost.exe[1612] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\System32\svchost.exe[1612] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\System32\svchost.exe[1612] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\spoolsv.exe[1760] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\system32\spoolsv.exe[1760] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\system32\spoolsv.exe[1760] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\WINDOWS\system32\spoolsv.exe[1760] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\WINDOWS\system32\spoolsv.exe[1760] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\system32\spoolsv.exe[1760] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\system32\spoolsv.exe[1760] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\spoolsv.exe[1760] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\spoolsv.exe[1760] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\system32\spoolsv.exe[1760] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\system32\spoolsv.exe[1760] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\system32\spoolsv.exe[1760] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\WINDOWS\system32\spoolsv.exe[1760] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\system32\spoolsv.exe[1760] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\system32\spoolsv.exe[1760] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\sched.exe[1912] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\svchost.exe[1928] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1928] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\system32\svchost.exe[1928] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1928] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\system32\svchost.exe[1928] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1928] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\system32\svchost.exe[1928] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1928] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\svchost.exe[1928] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\svchost.exe[1928] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\system32\svchost.exe[1928] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\system32\svchost.exe[1928] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\system32\svchost.exe[1928] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\system32\svchost.exe[1928] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\system32\svchost.exe[1928] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\system32\svchost.exe[1928] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\WINDOWS\Explorer.EXE[1936] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\Explorer.EXE[1936] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\Explorer.EXE[1936] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\Explorer.EXE[1936] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\Explorer.EXE[1936] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\Explorer.EXE[1936] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\Explorer.EXE[1936] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\Explorer.EXE[1936] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\Explorer.EXE[1936] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\Explorer.EXE[1936] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\Explorer.EXE[1936] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\Explorer.EXE[1936] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\Explorer.EXE[1936] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\Explorer.EXE[1936] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\Explorer.EXE[1936] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\WINDOWS\Explorer.EXE[1936] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\Explorer.EXE[1936] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\Explorer.EXE[1936] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2536] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\program files\real\realplayer\update\realsched.exe[2596] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\program files\real\realplayer\update\realsched.exe[2596] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\program files\real\realplayer\update\realsched.exe[2596] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\program files\real\realplayer\update\realsched.exe[2596] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\program files\real\realplayer\update\realsched.exe[2596] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\program files\real\realplayer\update\realsched.exe[2596] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\program files\real\realplayer\update\realsched.exe[2596] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\program files\real\realplayer\update\realsched.exe[2596] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\program files\real\realplayer\update\realsched.exe[2596] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\program files\real\realplayer\update\realsched.exe[2596] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\program files\real\realplayer\update\realsched.exe[2596] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\program files\real\realplayer\update\realsched.exe[2596] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text D:\program files\real\realplayer\update\realsched.exe[2596] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\program files\real\realplayer\update\realsched.exe[2596] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\program files\real\realplayer\update\realsched.exe[2596] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\program files\real\realplayer\update\realsched.exe[2596] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\program files\real\realplayer\update\realsched.exe[2596] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\program files\real\realplayer\update\realsched.exe[2596] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\program files\real\realplayer\update\realsched.exe[2596] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\program files\real\realplayer\update\realsched.exe[2596] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\program files\real\realplayer\update\realsched.exe[2596] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\program files\real\realplayer\update\realsched.exe[2596] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\program files\real\realplayer\update\realsched.exe[2596] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\Common Files\Java\Java Update\jucheck.exe[2708] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2848] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\SOUNDMAN.EXE[2916] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\SOUNDMAN.EXE[2916] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\SOUNDMAN.EXE[2916] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\SOUNDMAN.EXE[2916] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\SOUNDMAN.EXE[2916] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\SOUNDMAN.EXE[2916] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\SOUNDMAN.EXE[2916] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\SOUNDMAN.EXE[2916] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\SOUNDMAN.EXE[2916] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\SOUNDMAN.EXE[2916] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\SOUNDMAN.EXE[2916] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\SOUNDMAN.EXE[2916] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\SOUNDMAN.EXE[2916] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\SOUNDMAN.EXE[2916] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\SOUNDMAN.EXE[2916] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\SOUNDMAN.EXE[2916] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\SOUNDMAN.EXE[2916] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\SOUNDMAN.EXE[2916] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\WINDOWS\SOUNDMAN.EXE[2916] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\SOUNDMAN.EXE[2916] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\SOUNDMAN.EXE[2916] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\SOUNDMAN.EXE[2916] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\RUNDLL32.EXE[2924] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [71, 71] {JNO 0x73} .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [6E, 71] .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 7178000A .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 717B000A .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 7175000A .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E000A .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Avira\AntiVir Desktop\avgnt.exe[2952] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\ctfmon.exe[3028] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\ctfmon.exe[3028] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\WINDOWS\system32\ctfmon.exe[3028] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\ctfmon.exe[3028] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\WINDOWS\system32\ctfmon.exe[3028] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\ctfmon.exe[3028] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\WINDOWS\system32\ctfmon.exe[3028] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\ctfmon.exe[3028] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\WINDOWS\system32\ctfmon.exe[3028] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\WINDOWS\system32\ctfmon.exe[3028] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\WINDOWS\system32\ctfmon.exe[3028] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\WINDOWS\system32\ctfmon.exe[3028] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\WINDOWS\system32\ctfmon.exe[3028] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\WINDOWS\system32\ctfmon.exe[3028] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\WINDOWS\system32\ctfmon.exe[3028] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\WINDOWS\system32\ctfmon.exe[3028] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\WINDOWS\system32\ctfmon.exe[3028] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\WINDOWS\system32\ctfmon.exe[3028] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\WINDOWS\system32\ctfmon.exe[3028] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\WINDOWS\system32\ctfmon.exe[3028] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\WINDOWS\system32\ctfmon.exe[3028] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\WINDOWS\system32\ctfmon.exe[3028] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3060] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Ustawienia lokalne\Dane aplikacji\Facebook\Update\FacebookUpdate.exe[3092] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Documents and Settings\Gšsiorek.G-D81B3B7B737E4\Pulpit\Anty viry\yp1cu9t6.exe[3408] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[3428] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2B 0x8F 0x2A 0xD9 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB2 0x70 0x4E 0xC1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x94 0xA0 0x7E 0x8A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xF5 0x29 0x53 0x16 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x29 0xC0 0xD8 0xB8 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x26 0x0A 0x21 0x3F ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2B 0x8F 0x2A 0xD9 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB2 0x70 0x4E 0xC1 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x94 0xA0 0x7E 0x8A ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xF5 0x29 0x53 0x16 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x29 0xC0 0xD8 0xB8 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x26 0x0A 0x21 0x3F ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2B 0x8F 0x2A 0xD9 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB2 0x70 0x4E 0xC1 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x94 0xA0 0x7E 0x8A ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xF5 0x29 0x53 0x16 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x29 0xC0 0xD8 0xB8 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x26 0x0A 0x21 0x3F ... ---- EOF - GMER 2.1 ----