GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-21 20:56:44 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_SP2004C rev.VM100-50 186,31GB Running: ki7vyj5z.exe; Driver: C:\Users\antenka\AppData\Local\Temp\afliqfow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x8E6E5392] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x8E70024A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcCreatePort [0x8E700580] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x8E7008F6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0x8E6E5E0C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x8E6FFF32] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0x8E6E637E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateFile [0x8E630110] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0x8E6E626C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0x8E7003F0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x8E6E514E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0x8E6E6496] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x8E631296] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x8E6E59C2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x8E6E5B32] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateUserProcess [0x8E6E65AE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0x8E7004B8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x8E6E6856] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x8E6E5E4E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x8E6E7858] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x8E6E6948] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x8E62FA76] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x8E6E6EB4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0x8E6FE722] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0x8E6E6410] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenFile [0x8E630308] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0x8E6E62F8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x8E6E55CC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x8E6E6C98] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0x8E6E6528] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x8E6E54C0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryDirectoryObject [0x8E6E6664] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0x8E6FE91A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQuerySection [0x8E6E71DA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x8E6E6AE8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0x8E7006E4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0x8E700632] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x8E700750] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x8E6E76FA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x8E7000BA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x8E6E5CAC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x8E6E6702] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x8E6E732A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x8E62F9E0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x8E6E741E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x8E6E7558] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x8E6E6778] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x8E6E576C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x8E6E56C2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x8E6E7092] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x8E6E5858] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8307C9F5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830B61F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 830BD41C 4 Bytes [92, 53, 6E, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 830BD444 8 Bytes [4A, 02, 70, 8E, 80, 05, 70, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 1143 830BD488 4 Bytes [F6, 08, 70, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 116F 830BD4B4 4 Bytes [0C, 5E, 6E, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 830BD4D8 4 Bytes [32, FF, 6F, 8E] .text ... ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[496] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 5 Bytes JMP 754E1ED0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[496] ntdll.dll!NtReplyWaitReceivePort 77496418 5 Bytes JMP 754E15D0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[496] ntdll.dll!NtReplyWaitReceivePortEx 77496428 5 Bytes JMP 754E1A50 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[560] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 5 Bytes JMP 754E1ED0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[560] ntdll.dll!NtReplyWaitReceivePort 77496418 5 Bytes JMP 754E15D0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[560] ntdll.dll!NtReplyWaitReceivePortEx 77496428 5 Bytes JMP 754E1A50 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\wininit.exe[568] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[568] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [11, 71] .text C:\Windows\system32\wininit.exe[568] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[568] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\wininit.exe[568] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\wininit.exe[568] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\wininit.exe[568] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\wininit.exe[568] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!RegisterRawInputDevices 75B25B52 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[568] USER32.dll!RegisterRawInputDevices + 4 75B25B56 2 Bytes [32, 71] .text C:\Windows\system32\wininit.exe[568] USER32.dll!SystemParametersInfoA 75B280E0 6 Bytes JMP 711E000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SetParent 75B28314 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[568] USER32.dll!SetParent + 4 75B28318 2 Bytes [2F, 71] .text C:\Windows\system32\wininit.exe[568] USER32.dll!EnableWindow 75B28D02 6 Bytes JMP 7118000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!MoveWindow 75B28D29 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[568] USER32.dll!MoveWindow + 4 75B28D2D 2 Bytes [2C, 71] {SUB AL, 0x71} .text C:\Windows\system32\wininit.exe[568] USER32.dll!GetAsyncKeyState 75B2A256 6 Bytes JMP 7136000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!RegisterHotKey 75B2AA19 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[568] USER32.dll!RegisterHotKey + 4 75B2AA1D 2 Bytes [20, 71] .text C:\Windows\system32\wininit.exe[568] USER32.dll!PostThreadMessageA 75B2AD09 6 Bytes JMP 7163000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SendMessageA 75B2AD60 6 Bytes JMP 715D000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!PostMessageA 75B2B446 6 Bytes JMP 7169000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SendNotifyMessageW 75B2C88A 6 Bytes JMP 7148000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SystemParametersInfoW 75B2E09A 6 Bytes JMP 711B000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 716F000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SendMessageTimeoutW 75B2E459 6 Bytes JMP 7154000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!PostThreadMessageW 75B2EEFC 6 Bytes JMP 7160000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 716C000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!GetKeyState 75B32B4D 6 Bytes JMP 7139000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SendMessageCallbackW 75B32F7B 6 Bytes JMP 714E000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!PostMessageW 75B3447B 6 Bytes JMP 7166000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SendMessageW 75B35539 6 Bytes JMP 715A000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!GetClipboardData 75B42BA7 6 Bytes JMP 7124000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SendNotifyMessageA 75B4493C 6 Bytes JMP 714B000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!mouse_event 75B46209 6 Bytes JMP 7175000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SetClipboardViewer 75B46FF6 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[568] USER32.dll!SetClipboardViewer + 4 75B46FFA 2 Bytes [29, 71] .text C:\Windows\system32\wininit.exe[568] USER32.dll!SendDlgItemMessageW 75B470D8 6 Bytes JMP 7142000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SendDlgItemMessageA 75B47241 6 Bytes JMP 7145000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!GetKeyboardState 75B56946 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[568] USER32.dll!GetKeyboardState + 4 75B5694A 2 Bytes [3B, 71] .text C:\Windows\system32\wininit.exe[568] USER32.dll!BlockInput 75B56A99 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[568] USER32.dll!BlockInput + 4 75B56A9D 2 Bytes [26, 71] .text C:\Windows\system32\wininit.exe[568] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7172000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SendMessageTimeoutA 75B56DA9 6 Bytes JMP 7157000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SendInput 75B57019 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wininit.exe[568] USER32.dll!SendInput + 4 75B5701D 2 Bytes [3E, 71] .text C:\Windows\system32\wininit.exe[568] USER32.dll!ExitWindowsEx 75B706C7 6 Bytes JMP 7115000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!keybd_event 75B7EC3B 6 Bytes JMP 7178000A .text C:\Windows\system32\wininit.exe[568] USER32.dll!SendMessageCallbackA 75B83E8B 6 Bytes JMP 7151000A .text C:\Windows\system32\wininit.exe[568] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\wininit.exe[568] GDI32.dll!BitBlt 776372C0 6 Bytes JMP 7184000A .text C:\Windows\system32\wininit.exe[568] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\wininit.exe[568] GDI32.dll!MaskBlt 7763C7AD 6 Bytes JMP 7181000A .text C:\Windows\system32\wininit.exe[568] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\wininit.exe[568] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\wininit.exe[568] GDI32.dll!StretchBlt 7763F467 6 Bytes JMP 717B000A .text C:\Windows\system32\wininit.exe[568] GDI32.dll!PlgBlt 77650F73 6 Bytes JMP 717E000A .text C:\Windows\system32\wininit.exe[568] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\wininit.exe[568] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\services.exe[620] services.exe 00F61608 4 Bytes [80, 36, 01, 10] .text C:\Windows\system32\services.exe[620] services.exe 00F61618 4 Bytes [60, 3A, 01, 10] .text C:\Windows\system32\services.exe[620] services.exe 00F61638 4 Bytes [E0, 33, 01, 10] {LOOPNZ 0x35; ADD [EAX], EDX} .text C:\Windows\system32\services.exe[620] services.exe 00F61648 4 Bytes [80, 38, 01, 10] .text C:\Windows\system32\services.exe[620] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[620] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\services.exe[620] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[620] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\services.exe[620] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\services.exe[620] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\services.exe[620] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\services.exe[620] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\services.exe[620] RPCRT4.dll!RpcServerRegisterIfEx 76CC09BC 6 Bytes JMP 7190000A .text C:\Windows\system32\services.exe[620] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\services.exe[620] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717B000A .text C:\Windows\system32\services.exe[620] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\services.exe[620] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\services.exe[620] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\services.exe[620] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\services.exe[620] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\services.exe[620] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\services.exe[620] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\lsass.exe[676] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[676] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsass.exe[676] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[676] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\lsass.exe[676] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsass.exe[676] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\lsass.exe[676] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\lsass.exe[676] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\lsass.exe[676] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\lsass.exe[676] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\lsass.exe[676] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\lsass.exe[676] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\lsass.exe[676] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\lsass.exe[676] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\lsass.exe[676] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\lsass.exe[676] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\lsm.exe[684] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[684] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsm.exe[684] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[684] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\lsm.exe[684] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsm.exe[684] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\lsm.exe[684] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\lsm.exe[684] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\lsm.exe[684] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\lsm.exe[684] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\lsm.exe[684] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\lsm.exe[684] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\lsm.exe[684] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\lsm.exe[684] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\lsm.exe[684] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\lsm.exe[684] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\lsm.exe[684] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[804] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[804] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[804] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[804] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[804] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[804] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[804] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[804] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[804] RPCRT4.dll!RpcServerRegisterIfEx 76CC09BC 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[804] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[804] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[804] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[804] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[804] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[804] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[804] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[804] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[804] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[864] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[864] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\nvvsvc.exe[864] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[864] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\nvvsvc.exe[864] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[864] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\nvvsvc.exe[864] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[864] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[864] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\nvvsvc.exe[864] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[864] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\nvvsvc.exe[864] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[864] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\nvvsvc.exe[864] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\nvvsvc.exe[864] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\nvvsvc.exe[864] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[864] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtAlpcConnectPort 77495308 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtAlpcConnectPort + 4 7749530C 2 Bytes [6B, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtAlpcCreatePort 77495318 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtAlpcCreatePort + 4 7749531C 2 Bytes [6E, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [68, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtClose + 4 774954CC 2 Bytes [26, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtConnectPort 77495558 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtConnectPort + 4 7749555C 2 Bytes [41, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateEvent 774955A8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateEvent + 4 774955AC 2 Bytes [59, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateEventPair 774955B8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateEventPair + 4 774955BC 2 Bytes [53, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateFile 774955C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateFile + 4 774955CC 2 Bytes [32, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateMutant 77495648 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateMutant + 4 7749564C 2 Bytes [5F, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateNamedPipeFile 77495658 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateNamedPipeFile + 4 7749565C 2 Bytes [35, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreatePort 77495678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreatePort + 4 7749567C 2 Bytes [47, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateSection 774956E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateSection + 4 774956EC 2 Bytes [3B, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateSemaphore 774956F8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateSemaphore + 4 774956FC 2 Bytes [4D, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateWaitablePort 77495788 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateWaitablePort + 4 7749578C 2 Bytes [3E, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtFsControlFile 77495A08 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtFsControlFile + 4 77495A0C 2 Bytes [29, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtOpenEvent 77495CB8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtOpenEvent + 4 77495CBC 2 Bytes [56, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtOpenEventPair 77495CC8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtOpenEventPair + 4 77495CCC 2 Bytes [50, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtOpenFile 77495CD8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtOpenFile + 4 77495CDC 2 Bytes [2F, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtOpenMutant 77495D58 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtOpenMutant + 4 77495D5C 2 Bytes [5C, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtOpenSection 77495DC8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtOpenSection + 4 77495DCC 2 Bytes [38, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtOpenSemaphore 77495DD8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtOpenSemaphore + 4 77495DDC 2 Bytes [4A, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtQueryVirtualMemory 77496258 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtQueryVirtualMemory + 4 7749625C 2 Bytes [2C, 71] {SUB AL, 0x71} .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtReplyPort 77496408 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtReplyPort + 4 7749640C 2 Bytes [62, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtRequestWaitReplyPort 77496458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtRequestWaitReplyPort + 4 7749645C 2 Bytes [65, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtSecureConnectPort 77496528 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtSecureConnectPort + 4 7749652C 2 Bytes [44, 71] .text C:\Windows\system32\svchost.exe[876] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 7124000A .text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 70C0000A .text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 70BD000A .text C:\Windows\system32\svchost.exe[876] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 70B4000A .text C:\Windows\system32\svchost.exe[876] kernel32.dll!GetPrivateProfileStringW 75C67FCB 6 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[876] kernel32.dll!GetPrivateProfileStringA 75C6DEE1 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[876] kernel32.dll!RegOpenKeyExW 75C7CF71 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[876] RPCRT4.dll!RpcServerRegisterIfEx 76CC09BC 6 Bytes JMP 70B1000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!RegisterClassExA 75B26293 6 Bytes JMP 7112000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!FindWindowExA 75B26F69 6 Bytes JMP 70DC000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!GetClassInfoExA 75B26FD9 6 Bytes JMP 7106000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!GetClassInfoA 75B27158 6 Bytes JMP 7100000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!UnregisterClassA 75B28D70 6 Bytes JMP 710C000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!FindWindowA 75B28FF3 6 Bytes JMP 70D6000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!FindWindowW 75B2AE0D 6 Bytes JMP 70D9000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!EnumDesktopWindows 75B2B4C7 6 Bytes JMP 70CA000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!EnumThreadWindows 75B2B712 6 Bytes JMP 70D0000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!UnregisterClassW 75B2B9AE 6 Bytes JMP 710F000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!RegisterClassA 75B2BC6A 6 Bytes JMP 7118000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!CreateWindowExA 75B2BF40 6 Bytes JMP 70F4000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 708D000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!CreateWindowExW 75B2EC7C 6 Bytes JMP 70F7000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!RegisterClassW 75B2ED4A 6 Bytes JMP 711B000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!RegisterClassExW 75B30162 6 Bytes JMP 7115000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!GetClassInfoExW 75B3095E 6 Bytes JMP 7109000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!GetClassInfoW 75B30AC2 6 Bytes JMP 7103000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 708A000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!EnumChildWindows 75B32948 6 Bytes JMP 70CD000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!GetClassNameW 75B32A29 6 Bytes JMP 70FD000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!GetShellWindow 75B32FCB 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[876] USER32.dll!GetShellWindow + 4 75B32FCF 2 Bytes [A4, 71] .text C:\Windows\system32\svchost.exe[876] USER32.dll!EnumWindows 75B3375B 6 Bytes JMP 70D3000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!CreateDialogParamA 75B41F42 6 Bytes JMP 70EB000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!DialogBoxParamW 75B43B9B 6 Bytes JMP 70E8000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!CreateDialogIndirectParamA 75B4721D 6 Bytes JMP 709D000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!CreateDialogIndirectParamW 75B4EA10 6 Bytes JMP 70A0000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!GetClassNameA 75B52445 6 Bytes JMP 70FA000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!DialogBoxIndirectParamAorW 75B53B40 6 Bytes JMP 70E2000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!DialogBoxIndirectParamW 75B53B7F 6 Bytes JMP 7098000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!CreateDialogIndirectParamAorW 75B55327 6 Bytes JMP 70F1000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!CreateDialogParamW 75B55630 6 Bytes JMP 70EE000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7090000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!FindWindowExW 75B5712B 6 Bytes JMP 70DF000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!DialogBoxParamA 75B6CF42 6 Bytes JMP 70E5000A .text C:\Windows\system32\svchost.exe[876] USER32.dll!DialogBoxIndirectParamA 75B6D274 6 Bytes JMP 7095000A .text C:\Windows\system32\svchost.exe[876] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 70A5000A .text C:\Windows\system32\svchost.exe[876] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 70A8000A .text C:\Windows\system32\svchost.exe[876] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 70AE000A .text C:\Windows\system32\svchost.exe[876] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 70AB000A .text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!StartServiceCtrlDispatcherW 772EA965 6 Bytes JMP 71A2000A .text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!RegisterServiceCtrlHandlerW 772EA97D 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!RegisterServiceCtrlHandlerExW 772EA9AD 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!SetServiceStatus 772EC7A6 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 70BA000A .text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!RegisterServiceCtrlHandlerA 773234C3 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!RegisterServiceCtrlHandlerExA 773234D3 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!StartServiceCtrlDispatcherA 77323553 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[876] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 70B7000A .text C:\Windows\system32\svchost.exe[876] rpcss.dll!CoGetComCatalog 749635EC 8 Bytes [20, 30, 01, 10, E0, 2D, 01, ...] {AND [EAX], DH; ADD [EAX], EDX; LOOPNZ 0x33; ADD [EAX], EDX} .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[888] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[932] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[932] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[932] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[932] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[932] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[932] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[932] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[932] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[932] RPCRT4.dll!RpcServerRegisterIfEx 76CC09BC 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[932] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[932] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[932] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[932] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[932] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[932] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[932] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[932] rpcss.dll!CoGetComCatalog 749635EC 8 Bytes [20, 30, 01, 10, E0, 2D, 01, ...] {AND [EAX], DH; ADD [EAX], EDX; LOOPNZ 0x33; ADD [EAX], EDX} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1024] ntdll.dll!NtAllocateVirtualMemory 774952D8 5 Bytes JMP 011B1E70 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1024] ntdll.dll!NtCreateFile 774955C8 5 Bytes JMP 011F53F0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1060] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1060] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1060] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1060] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1060] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1060] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1060] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1060] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1060] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1060] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1060] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1060] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1060] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1088] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1104] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1104] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1104] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1104] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1104] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1104] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1104] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1104] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1104] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1104] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1104] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1104] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1156] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1156] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1156] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1156] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1156] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1156] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1156] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1156] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1156] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1156] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1156] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1156] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1156] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1156] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1156] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1156] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1156] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1196] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1196] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1196] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1196] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1196] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1196] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1196] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1196] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1196] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1196] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1196] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1196] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1196] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1196] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1196] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1196] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1196] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1236] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1236] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1236] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1236] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1236] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1236] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1236] RPCRT4.dll!RpcServerRegisterIfEx 76CC09BC 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1236] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1236] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1236] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1236] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1236] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1236] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1236] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1236] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[1304] ntdll.dll!NtAllocateVirtualMemory 774952D8 5 Bytes JMP 00B5AA50 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1348] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1348] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1348] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1348] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1348] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1348] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1348] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1348] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1348] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1348] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1388] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1476] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1476] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1476] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1476] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1476] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1476] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1476] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1476] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1476] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1476] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1608] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[1616] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1616] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\nvvsvc.exe[1616] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1616] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\nvvsvc.exe[1616] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[1616] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\nvvsvc.exe[1616] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[1616] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[1616] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\nvvsvc.exe[1616] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[1616] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\nvvsvc.exe[1616] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[1616] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\nvvsvc.exe[1616] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\nvvsvc.exe[1616] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\nvvsvc.exe[1616] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[1616] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[1720] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1720] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\spoolsv.exe[1720] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1720] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[1720] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[1720] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\System32\spoolsv.exe[1720] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1720] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[1720] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\System32\spoolsv.exe[1720] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\System32\spoolsv.exe[1720] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\spoolsv.exe[1720] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\spoolsv.exe[1720] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\spoolsv.exe[1720] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[1720] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\spoolsv.exe[1720] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\System32\spoolsv.exe[1720] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1752] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1752] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1752] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1752] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1752] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1752] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1752] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1752] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1752] RPCRT4.dll!RpcServerRegisterIfEx 76CC09BC 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1752] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1752] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1752] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1752] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1752] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1752] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1752] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1752] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1752] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1892] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1900] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1900] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1900] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1900] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1900] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1900] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1900] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1900] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1900] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1900] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1900] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1900] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1900] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1900] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1900] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1900] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1900] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] ntdll.dll!NtProtectVirtualMemory 77495F18 5 Bytes JMP 6AC91765 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 0.dllunknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] USER32.dll!NotifyWinEvent + 6AE 75B3D66C 4 Bytes [E0, 13, 54, 67] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[1924] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1976] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1976] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1976] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1976] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1976] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1976] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1976] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1976] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1976] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1976] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1976] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1976] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1976] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1976] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1976] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1976] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1976] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2032] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\System32\WUDFHost.exe[2564] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\WUDFHost.exe[2564] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\WUDFHost.exe[2564] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\WUDFHost.exe[2564] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\System32\WUDFHost.exe[2564] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\System32\WUDFHost.exe[2564] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\System32\WUDFHost.exe[2564] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\System32\WUDFHost.exe[2564] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\System32\WUDFHost.exe[2564] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\System32\WUDFHost.exe[2564] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\System32\WUDFHost.exe[2564] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\System32\WUDFHost.exe[2564] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\System32\WUDFHost.exe[2564] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\WUDFHost.exe[2564] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\WUDFHost.exe[2564] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\WUDFHost.exe[2564] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\WUDFHost.exe[2564] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2772] ntdll.dll!NtAllocateVirtualMemory 774952D8 5 Bytes JMP 00BD1200 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2772] ntdll.dll!NtCreateFile 774955C8 5 Bytes JMP 00BD1000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Windows\system32\SearchIndexer.exe[2920] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2920] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\SearchIndexer.exe[2920] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2920] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\SearchIndexer.exe[2920] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchIndexer.exe[2920] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\SearchIndexer.exe[2920] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchIndexer.exe[2920] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchIndexer.exe[2920] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchIndexer.exe[2920] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[2920] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchIndexer.exe[2920] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchIndexer.exe[2920] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchIndexer.exe[2920] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchIndexer.exe[2920] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\SearchIndexer.exe[2920] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchIndexer.exe[2920] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtAlpcConnectPort 77495308 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtAlpcConnectPort + 4 7749530C 2 Bytes [6B, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtAlpcCreatePort 77495318 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtAlpcCreatePort + 4 7749531C 2 Bytes [6E, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [68, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtClose + 4 774954CC 2 Bytes [26, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtConnectPort 77495558 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtConnectPort + 4 7749555C 2 Bytes [41, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateEvent 774955A8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateEvent + 4 774955AC 2 Bytes [59, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateEventPair 774955B8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateEventPair + 4 774955BC 2 Bytes [53, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateFile 774955C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateFile + 4 774955CC 2 Bytes [32, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateMutant 77495648 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateMutant + 4 7749564C 2 Bytes [5F, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateNamedPipeFile 77495658 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateNamedPipeFile + 4 7749565C 2 Bytes [35, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreatePort 77495678 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreatePort + 4 7749567C 2 Bytes [47, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateSection 774956E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateSection + 4 774956EC 2 Bytes [3B, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateSemaphore 774956F8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateSemaphore + 4 774956FC 2 Bytes [4D, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateWaitablePort 77495788 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtCreateWaitablePort + 4 7749578C 2 Bytes [3E, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtFsControlFile 77495A08 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtFsControlFile + 4 77495A0C 2 Bytes [29, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtOpenEvent 77495CB8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtOpenEvent + 4 77495CBC 2 Bytes [56, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtOpenEventPair 77495CC8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtOpenEventPair + 4 77495CCC 2 Bytes [50, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtOpenFile 77495CD8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtOpenFile + 4 77495CDC 2 Bytes [2F, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtOpenMutant 77495D58 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtOpenMutant + 4 77495D5C 2 Bytes [5C, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtOpenSection 77495DC8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtOpenSection + 4 77495DCC 2 Bytes [38, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtOpenSemaphore 77495DD8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtOpenSemaphore + 4 77495DDC 2 Bytes [4A, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtQueryVirtualMemory 77496258 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtQueryVirtualMemory + 4 7749625C 2 Bytes [2C, 71] {SUB AL, 0x71} .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtReplyPort 77496408 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtReplyPort + 4 7749640C 2 Bytes [62, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtRequestWaitReplyPort 77496458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtRequestWaitReplyPort + 4 7749645C 2 Bytes [65, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtSecureConnectPort 77496528 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!NtSecureConnectPort + 4 7749652C 2 Bytes [44, 71] .text C:\Windows\system32\svchost.exe[3280] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 7124000A .text C:\Windows\system32\svchost.exe[3280] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 70C0000A .text C:\Windows\system32\svchost.exe[3280] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 70BD000A .text C:\Windows\system32\svchost.exe[3280] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 70B4000A .text C:\Windows\system32\svchost.exe[3280] kernel32.dll!GetPrivateProfileStringW 75C67FCB 6 Bytes JMP 71AB000A .text C:\Windows\system32\svchost.exe[3280] kernel32.dll!GetPrivateProfileStringA 75C6DEE1 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[3280] kernel32.dll!RegOpenKeyExW 75C7CF71 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[3280] RPCRT4.dll!RpcServerRegisterIfEx 76CC09BC 6 Bytes JMP 70B1000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!RegisterClassExA 75B26293 6 Bytes JMP 7112000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!FindWindowExA 75B26F69 6 Bytes JMP 70DC000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!GetClassInfoExA 75B26FD9 6 Bytes JMP 7106000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!GetClassInfoA 75B27158 6 Bytes JMP 7100000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!UnregisterClassA 75B28D70 6 Bytes JMP 710C000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!FindWindowA 75B28FF3 6 Bytes JMP 70D6000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!FindWindowW 75B2AE0D 6 Bytes JMP 70D9000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!EnumDesktopWindows 75B2B4C7 6 Bytes JMP 70CA000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!EnumThreadWindows 75B2B712 6 Bytes JMP 70D0000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!UnregisterClassW 75B2B9AE 6 Bytes JMP 710F000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!RegisterClassA 75B2BC6A 6 Bytes JMP 7118000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!CreateWindowExA 75B2BF40 6 Bytes JMP 70F4000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 708D000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!CreateWindowExW 75B2EC7C 6 Bytes JMP 70F7000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!RegisterClassW 75B2ED4A 6 Bytes JMP 711B000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!RegisterClassExW 75B30162 6 Bytes JMP 7115000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!GetClassInfoExW 75B3095E 6 Bytes JMP 7109000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!GetClassInfoW 75B30AC2 6 Bytes JMP 7103000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 708A000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!EnumChildWindows 75B32948 6 Bytes JMP 70CD000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!GetClassNameW 75B32A29 6 Bytes JMP 70FD000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!GetShellWindow 75B32FCB 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[3280] USER32.dll!GetShellWindow + 4 75B32FCF 2 Bytes [A4, 71] .text C:\Windows\system32\svchost.exe[3280] USER32.dll!EnumWindows 75B3375B 6 Bytes JMP 70D3000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!CreateDialogParamA 75B41F42 6 Bytes JMP 70EB000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!DialogBoxParamW 75B43B9B 6 Bytes JMP 70E8000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!CreateDialogIndirectParamA 75B4721D 6 Bytes JMP 709D000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!CreateDialogIndirectParamW 75B4EA10 6 Bytes JMP 70A0000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!GetClassNameA 75B52445 6 Bytes JMP 70FA000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!DialogBoxIndirectParamAorW 75B53B40 6 Bytes JMP 70E2000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!DialogBoxIndirectParamW 75B53B7F 6 Bytes JMP 7098000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!CreateDialogIndirectParamAorW 75B55327 6 Bytes JMP 70F1000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!CreateDialogParamW 75B55630 6 Bytes JMP 70EE000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7090000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!FindWindowExW 75B5712B 6 Bytes JMP 70DF000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!DialogBoxParamA 75B6CF42 6 Bytes JMP 70E5000A .text C:\Windows\system32\svchost.exe[3280] USER32.dll!DialogBoxIndirectParamA 75B6D274 6 Bytes JMP 7095000A .text C:\Windows\system32\svchost.exe[3280] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 70A5000A .text C:\Windows\system32\svchost.exe[3280] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 70A8000A .text C:\Windows\system32\svchost.exe[3280] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 70AE000A .text C:\Windows\system32\svchost.exe[3280] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 70AB000A .text C:\Windows\system32\svchost.exe[3280] ADVAPI32.dll!StartServiceCtrlDispatcherW 772EA965 6 Bytes JMP 71A2000A .text C:\Windows\system32\svchost.exe[3280] ADVAPI32.dll!RegisterServiceCtrlHandlerW 772EA97D 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[3280] ADVAPI32.dll!RegisterServiceCtrlHandlerExW 772EA9AD 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[3280] ADVAPI32.dll!SetServiceStatus 772EC7A6 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[3280] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 70BA000A .text C:\Windows\system32\svchost.exe[3280] ADVAPI32.dll!RegisterServiceCtrlHandlerA 773234C3 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[3280] ADVAPI32.dll!RegisterServiceCtrlHandlerExA 773234D3 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[3280] ADVAPI32.dll!StartServiceCtrlDispatcherA 77323553 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[3280] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 70B7000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3408] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\taskhost.exe[3464] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3464] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskhost.exe[3464] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[3464] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\taskhost.exe[3464] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[3464] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\taskhost.exe[3464] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[3464] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[3464] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\taskhost.exe[3464] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[3464] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\taskhost.exe[3464] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\taskhost.exe[3464] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\taskhost.exe[3464] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\taskhost.exe[3464] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\taskhost.exe[3464] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[3464] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[3472] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3472] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Dwm.exe[3472] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[3472] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[3472] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[3472] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\Dwm.exe[3472] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[3472] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[3472] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[3472] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[3472] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\Dwm.exe[3472] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[3472] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\Dwm.exe[3472] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[3472] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\Dwm.exe[3472] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[3472] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[3532] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3532] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\Explorer.EXE[3532] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[3532] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\Explorer.EXE[3532] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[3532] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\Explorer.EXE[3532] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[3532] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[3532] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[3532] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[3532] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\Explorer.EXE[3532] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\Explorer.EXE[3532] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\Explorer.EXE[3532] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\Explorer.EXE[3532] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\Explorer.EXE[3532] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\Explorer.EXE[3532] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\AUDIODG.EXE[3732] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[3732] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\AUDIODG.EXE[3732] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[3732] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\AUDIODG.EXE[3732] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A7001E .text C:\Windows\system32\AUDIODG.EXE[3732] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719E001E .text C:\Windows\system32\AUDIODG.EXE[3732] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719B001E .text C:\Windows\system32\AUDIODG.EXE[3732] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7192001E .text C:\Windows\system32\AUDIODG.EXE[3732] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7180001E .text C:\Windows\system32\AUDIODG.EXE[3732] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717D001E .text C:\Windows\system32\AUDIODG.EXE[3732] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\AUDIODG.EXE[3732] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\AUDIODG.EXE[3732] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\AUDIODG.EXE[3732] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\AUDIODG.EXE[3732] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718C001E .text C:\Windows\system32\AUDIODG.EXE[3732] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7198001E .text C:\Windows\system32\AUDIODG.EXE[3732] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7195001E .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] advapi32.DLL!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3776] advapi32.DLL!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3812] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\wuauclt.exe[4484] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wuauclt.exe[4484] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\wuauclt.exe[4484] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wuauclt.exe[4484] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\wuauclt.exe[4484] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\wuauclt.exe[4484] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\wuauclt.exe[4484] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\wuauclt.exe[4484] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\wuauclt.exe[4484] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\wuauclt.exe[4484] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\wuauclt.exe[4484] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\wuauclt.exe[4484] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\wuauclt.exe[4484] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\wuauclt.exe[4484] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\wuauclt.exe[4484] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\wuauclt.exe[4484] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\wuauclt.exe[4484] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text D:\Bezpieczeństwo\X\Gmer\ki7vyj5z.exe[4644] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A .text C:\Windows\system32\LogonUI.exe[5224] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\LogonUI.exe[5224] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\LogonUI.exe[5224] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\LogonUI.exe[5224] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Windows\system32\LogonUI.exe[5224] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A .text C:\Windows\system32\LogonUI.exe[5224] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Windows\system32\LogonUI.exe[5224] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Windows\system32\LogonUI.exe[5224] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Windows\system32\LogonUI.exe[5224] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\LogonUI.exe[5224] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\LogonUI.exe[5224] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\LogonUI.exe[5224] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\LogonUI.exe[5224] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\LogonUI.exe[5224] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Windows\system32\LogonUI.exe[5224] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\LogonUI.exe[5224] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Windows\system32\LogonUI.exe[5224] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] ntdll.dll!NtAlpcSendWaitReceivePort 77495418 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7749541C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] ntdll.dll!NtClose 774954C8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] ntdll.dll!NtClose + 4 774954CC 2 Bytes [AE, 71] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] ntdll.dll!NtProtectVirtualMemory 77495F18 5 Bytes JMP 6AC91765 C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\ushata.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] ntdll.dll!LdrUnloadDll 774AC86E 6 Bytes JMP 71A8000A ? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: 0.dllunknown module: KERNELBASE.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] kernel32.dll!CreateProcessW 75C3204D 6 Bytes JMP 719F000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] kernel32.dll!CreateProcessA 75C32082 6 Bytes JMP 719C000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] kernel32.dll!CreateProcessAsUserW 75C659FF 6 Bytes JMP 7193000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] USER32.dll!SetWindowsHookExW 75B2E30C 6 Bytes JMP 7181000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] USER32.dll!SetWinEventHook 75B324DC 6 Bytes JMP 717E000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] USER32.dll!NotifyWinEvent + 6AE 75B3D66C 4 Bytes [E0, 13, 54, 67] .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] USER32.dll!SetWindowsHookExA 75B56D0C 6 Bytes JMP 7184000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] GDI32.dll!DeleteDC 77636EAA 6 Bytes JMP 7187000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] GDI32.dll!GetPixel 7763C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] GDI32.dll!CreateDCA 7763CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] GDI32.dll!CreateDCW 7763CF79 6 Bytes JMP 718D000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] ADVAPI32.dll!CreateProcessAsUserA 77322538 6 Bytes JMP 7199000A .text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe[5968] ADVAPI32.dll!CreateProcessWithLogonW 773252E9 6 Bytes JMP 7196000A ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys AttachedDevice \Driver\tdx \Device\Tcp kl1.sys AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\Udp kl1.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp kl1.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@NextSqmReportTime 2013-07-21 18:38:36 Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{C4C1B71D-744F-11E2-B77B-806E6F6E6963} 1879049248 ---- Files - GMER 2.1 ---- File C:\Program Files\Windows Defender\pl-PL\MpAsDesc.dll.mui 41472 bytes executable File C:\Program Files\Windows Defender\pl-PL\MpEvMsg.dll.mui 17920 bytes executable File C:\Program Files\Windows Defender\pl-PL\MsMpRes.dll.mui 53248 bytes executable File C:\Program Files\Microsoft Security Client\en-us\EULA.RTF 139995 bytes File C:\Program Files\Microsoft Security Client\en-us\MpAsDesc.dll.mui 47672 bytes executable File C:\Program Files\Microsoft Security Client\en-us\mpevmsg.dll.mui 37968 bytes executable File C:\Program Files\Microsoft Security Client\en-us\MsMpRes.dll.mui 93752 bytes executable File C:\Program Files\Microsoft Security Client\en-us\msseooberes.dll.mui 15744 bytes executable File C:\Program Files\Microsoft Security Client\en-us\setupres.dll.mui 43088 bytes executable File C:\Program Files\Microsoft Security Client\en-us\shellext.dll.mui 9296 bytes executable File C:\Program Files\Microsoft Security Client\Backup\EppManifest.dll 182224 bytes executable File C:\Program Files\Microsoft Security Client\Backup\pl-pl 0 bytes File C:\Program Files\Microsoft Security Client\Backup\pl-pl\EULA.RTF 26750 bytes File C:\Program Files\Microsoft Security Client\Backup\pl-pl\setupres.dll.mui 49208 bytes executable File C:\Program Files\Microsoft Security Client\Backup\setupres.dll 8760 bytes executable File C:\Program Files\Microsoft Security Client\Backup\x86 0 bytes File C:\Program Files\Microsoft Security Client\Backup\x86\dw20shared.msi 1850368 bytes File C:\Program Files\Microsoft Security Client\Backup\x86\epp.msi 7106560 bytes File C:\Program Files\Microsoft Security Client\Backup\x86\LegitLib.dll 707448 bytes File C:\Program Files\Microsoft Security Client\Backup\x86\setup.exe 847920 bytes executable File C:\Program Files\Microsoft Security Client\Backup\x86\sqmapi.dll 196416 bytes executable File C:\Program Files\Microsoft Security Client\Backup\x86\Windows6.0-KB981889-v2.msu 1241780 bytes File C:\Program Files\Microsoft Security Client\Backup\x86\Windows6.1-KB981889.msu 907883 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup 0 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\mpfilter 0 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\mpfilter\mpfilter.cat 7679 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\mpfilter\mpfilter.inf 3137 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\mpfilter\mpfilter.sys 193552 bytes executable File C:\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv 0 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.cat 7595 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.inf 2997 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.man 13354 bytes File C:\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys 99272 bytes executable File C:\Program Files\Microsoft Security Client\Drivers\mpfilter 0 bytes File C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.cat 7679 bytes File C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.inf 3137 bytes File C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.sys 195296 bytes executable File C:\Program Files\Microsoft Security Client\Drivers\NisDrv 0 bytes File C:\Program Files\Microsoft Security Client\Drivers\NisDrv\NisDrvWFP.cat 7595 bytes File C:\Program Files\Microsoft Security Client\Drivers\NisDrv\NisDrvWFP.inf 2997 bytes File C:\Program Files\Microsoft Security Client\Drivers\NisDrv\NisDrvWFP.man 14762 bytes File C:\Program Files\Microsoft Security Client\Drivers\NisDrv\NisDrvWFP.sys 100328 bytes executable File C:\Program Files\Microsoft Security Client\pl-pl\EULA.RTF 26750 bytes File C:\Program Files\Microsoft Security Client\pl-pl\MpAsDesc.dll.mui 55864 bytes executable File C:\Program Files\Microsoft Security Client\pl-pl\MpEvMsg.dll.mui 42064 bytes executable File C:\Program Files\Microsoft Security Client\pl-pl\MsMpRes.dll.mui 107600 bytes executable File C:\Program Files\Microsoft Security Client\pl-pl\setupres.dll.mui 49208 bytes executable File C:\Program Files\Microsoft Security Client\pl-pl\shellext.dll.mui 9296 bytes executable ---- EOF - GMER 2.1 ----