GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-17 16:57:29 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HDS721616PLAT80 rev.P22OA85A 153,38GB Running: vurycw67.exe; Driver: C:\Users\DAWIDK~1\AppData\Local\Temp\pxldapoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x8E03B4CA] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x8E03B6BE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwConnectPort [0x8E03A77A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateFile [0x8E03B0F8] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSection [0x8E03AE8A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x8E03C27E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThread [0x8E03A124] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x8E03B908] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwLoadDriver [0x8E03BC84] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x8E03AA5E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenFile [0x8E03B2F0] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenSection [0x8E03AD12] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x8E03BF84] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x8E03A9C8] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x8E03ABFE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateProcess [0x8E03A55A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateThread [0x8E03A328] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82A40A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A7A212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 82A8146C 4 Bytes [CA, B4, 03, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82A81494 4 Bytes [BE, B6, 03, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 82A81528 4 Bytes [7A, A7, 03, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 11AF 82A81544 4 Bytes [F8, B0, 03, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 82A8158C 4 Bytes [8A, AE, 03, 8E] .text ... ---- User code sections - GMER 2.1 ---- .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [68, 71] .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 7196000A .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 718D000A .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 718A000A .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7181000A .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 716F000A .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 716C000A .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7172000A .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7175000A .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 7178000A .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 717E000A .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 717B000A .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] advapi32.DLL!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7187000A .text C:\Users\dawid karol\Local Settings\Apps\F.lux\flux.exe[100] advapi32.DLL!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7184000A .text C:\Windows\system32\csrss.exe[376] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 5 Bytes JMP 10001ED0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[376] ntdll.dll!NtReplyWaitReceivePort 77F06458 5 Bytes JMP 100015D0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[376] ntdll.dll!NtReplyWaitReceivePortEx 77F06468 5 Bytes JMP 10001A50 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[464] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 5 Bytes JMP 10001ED0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[464] ntdll.dll!NtReplyWaitReceivePort 77F06458 5 Bytes JMP 100015D0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[464] ntdll.dll!NtReplyWaitReceivePortEx 77F06468 5 Bytes JMP 10001A50 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\svchost.exe[468] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[468] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[468] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[468] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[468] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[468] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[468] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[468] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[468] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[468] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[468] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[468] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[468] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[468] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[468] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[468] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[468] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\services.exe[516] services.exe 01001608 4 Bytes [80, 36, 27, 00] .text C:\Windows\system32\services.exe[516] services.exe 01001618 4 Bytes [60, 3A, 27, 00] .text C:\Windows\system32\services.exe[516] services.exe 01001638 4 Bytes [E0, 33, 27, 00] .text C:\Windows\system32\services.exe[516] services.exe 01001648 4 Bytes [80, 38, 27, 00] .text C:\Windows\system32\services.exe[516] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[516] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\services.exe[516] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[516] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\services.exe[516] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\services.exe[516] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\services.exe[516] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\services.exe[516] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\services.exe[516] RPCRT4.dll!RpcServerRegisterIfEx 77BD08A4 6 Bytes JMP 7190000A .text C:\Windows\system32\services.exe[516] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\services.exe[516] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717B000A .text C:\Windows\system32\services.exe[516] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\services.exe[516] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\services.exe[516] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\services.exe[516] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\services.exe[516] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\services.exe[516] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\services.exe[516] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\lsass.exe[524] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[524] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsass.exe[524] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[524] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\lsass.exe[524] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsass.exe[524] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\lsass.exe[524] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\lsass.exe[524] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\lsass.exe[524] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\lsass.exe[524] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\system32\lsass.exe[524] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\lsass.exe[524] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\lsass.exe[524] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\lsass.exe[524] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\lsass.exe[524] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\lsass.exe[524] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\lsass.exe[524] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\lsm.exe[532] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[532] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\lsm.exe[532] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[532] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\lsm.exe[532] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsm.exe[532] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\lsm.exe[532] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\lsm.exe[532] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\lsm.exe[532] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\lsm.exe[532] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\system32\lsm.exe[532] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\lsm.exe[532] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\lsm.exe[532] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\lsm.exe[532] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\lsm.exe[532] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\lsm.exe[532] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\lsm.exe[532] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[680] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[680] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[680] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[680] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[680] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[680] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[680] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[680] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[680] RPCRT4.dll!RpcServerRegisterIfEx 77BD08A4 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[680] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[680] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[680] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[680] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[680] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[680] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[680] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[680] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[680] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[740] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[740] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\nvvsvc.exe[740] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[740] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\nvvsvc.exe[740] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[740] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\nvvsvc.exe[740] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[740] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[740] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\nvvsvc.exe[740] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[740] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\nvvsvc.exe[740] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[740] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\nvvsvc.exe[740] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\system32\nvvsvc.exe[740] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\nvvsvc.exe[740] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[740] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[760] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[800] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[800] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[800] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[800] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[800] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[800] RPCRT4.dll!RpcServerRegisterIfEx 77BD08A4 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[800] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[800] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[800] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[800] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[800] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[800] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[800] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[800] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[800] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[800] rpcss.dll!CoGetComCatalog 6E5D35EC 8 Bytes [20, 30, 01, 10, E0, 2D, 01, ...] {AND [EAX], DH; ADD [EAX], EDX; LOOPNZ 0x33; ADD [EAX], EDX} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] ntdll.dll!NtAllocateVirtualMemory 77F05318 5 Bytes JMP 00401EF0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[848] ntdll.dll!NtCreateFile 77F05608 5 Bytes JMP 004452C0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Windows\system32\svchost.exe[968] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[968] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[968] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[968] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[968] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[968] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[968] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[968] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[968] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[968] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[968] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[968] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[968] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1008] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1008] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1008] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1008] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1008] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1008] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1008] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1008] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1008] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1008] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1008] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1008] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1048] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1048] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\svchost.exe[1048] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1048] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1048] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1048] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\System32\svchost.exe[1048] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1048] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1048] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1048] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1048] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1048] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1048] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1048] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1048] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1048] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1048] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1088] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1088] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1088] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1088] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1088] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1088] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1088] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1088] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1088] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1088] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1088] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1088] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1088] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1088] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1088] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1088] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1120] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1120] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1120] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1120] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1120] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1120] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1120] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1120] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1120] RPCRT4.dll!RpcServerRegisterIfEx 77BD08A4 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1120] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1120] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1120] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1120] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1120] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1120] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1120] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1120] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1380] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1380] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1380] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1380] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1380] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1380] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1380] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1380] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1380] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1380] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1380] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[1476] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1476] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\System32\spoolsv.exe[1476] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1476] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[1476] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[1476] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\System32\spoolsv.exe[1476] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1476] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[1476] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\System32\spoolsv.exe[1476] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\System32\spoolsv.exe[1476] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\System32\spoolsv.exe[1476] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\System32\spoolsv.exe[1476] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\System32\spoolsv.exe[1476] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[1476] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\System32\spoolsv.exe[1476] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\System32\spoolsv.exe[1476] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1536] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\nvvsvc.exe[1544] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1544] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\nvvsvc.exe[1544] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\nvvsvc.exe[1544] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\nvvsvc.exe[1544] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\nvvsvc.exe[1544] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\nvvsvc.exe[1544] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\nvvsvc.exe[1544] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\nvvsvc.exe[1544] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\nvvsvc.exe[1544] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\nvvsvc.exe[1544] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\nvvsvc.exe[1544] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\nvvsvc.exe[1544] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\nvvsvc.exe[1544] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\system32\nvvsvc.exe[1544] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\nvvsvc.exe[1544] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\nvvsvc.exe[1544] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1568] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1568] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [77, 71] {JA 0x73} .text C:\Windows\system32\svchost.exe[1568] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1568] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1568] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1568] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[1568] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1568] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1568] RPCRT4.dll!RpcServerRegisterIfEx 77BD08A4 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1568] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1568] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1568] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1568] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1568] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1568] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1568] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1568] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1568] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\taskhost.exe[1736] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1736] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\taskhost.exe[1736] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1736] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\taskhost.exe[1736] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[1736] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\taskhost.exe[1736] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[1736] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[1736] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\taskhost.exe[1736] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[1736] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\taskhost.exe[1736] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\taskhost.exe[1736] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\taskhost.exe[1736] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\system32\taskhost.exe[1736] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\taskhost.exe[1736] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[1736] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[1812] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[1812] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\Dwm.exe[1812] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[1812] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[1812] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[1812] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[1812] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\Dwm.exe[1812] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[1812] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\Dwm.exe[1812] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[1812] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\Dwm.exe[1812] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[1812] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[1828] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1828] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\Explorer.EXE[1828] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[1828] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\Explorer.EXE[1828] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[1828] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\Explorer.EXE[1828] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[1828] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[1828] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[1828] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[1828] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\Explorer.EXE[1828] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\Explorer.EXE[1828] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\Explorer.EXE[1828] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\Explorer.EXE[1828] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\Explorer.EXE[1828] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\Explorer.EXE[1828] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [68, 71] .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7181000A .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 716F000A .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 716C000A .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7172000A .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7175000A .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 7178000A .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 717E000A .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 717B000A .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7187000A .text C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe[2024] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2268] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2268] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\svchost.exe[2268] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2268] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2268] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2268] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2268] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2268] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2268] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2268] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2268] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2268] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2268] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2268] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 717B000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2428] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 717E000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[2500] ntdll.dll!NtAllocateVirtualMemory 77F05318 5 Bytes JMP 0040AA70 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Windows\system32\AUDIODG.EXE[2856] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[2856] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\AUDIODG.EXE[2856] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[2856] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\AUDIODG.EXE[2856] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A7001E .text C:\Windows\system32\AUDIODG.EXE[2856] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719E001E .text C:\Windows\system32\AUDIODG.EXE[2856] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719B001E .text C:\Windows\system32\AUDIODG.EXE[2856] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7192001E .text C:\Windows\system32\AUDIODG.EXE[2856] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7180001E .text C:\Windows\system32\AUDIODG.EXE[2856] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717D001E .text C:\Windows\system32\AUDIODG.EXE[2856] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7183001E .text C:\Windows\system32\AUDIODG.EXE[2856] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7186001E .text C:\Windows\system32\AUDIODG.EXE[2856] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 7189001E .text C:\Windows\system32\AUDIODG.EXE[2856] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 718F001E .text C:\Windows\system32\AUDIODG.EXE[2856] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718C001E .text C:\Windows\system32\AUDIODG.EXE[2856] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7198001E .text C:\Windows\system32\AUDIODG.EXE[2856] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7195001E .text C:\Windows\system32\SearchIndexer.exe[2892] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2892] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\system32\SearchIndexer.exe[2892] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[2892] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Windows\system32\SearchIndexer.exe[2892] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchIndexer.exe[2892] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Windows\system32\SearchIndexer.exe[2892] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchIndexer.exe[2892] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchIndexer.exe[2892] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchIndexer.exe[2892] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[2892] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchIndexer.exe[2892] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchIndexer.exe[2892] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchIndexer.exe[2892] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchIndexer.exe[2892] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Windows\system32\SearchIndexer.exe[2892] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchIndexer.exe[2892] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3288] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] ntdll.dll!LdrGetProcedureAddress + 26 77F222A9 7 Bytes JMP 02DFF140 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 77E2941E 7 Bytes JMP 0341FDD2 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] kernel32.dll!QueryPerformanceCounter + 13 77E2C435 7 Bytes JMP 0341FDF5 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] kernel32.dll!LoadAppInitDlls + 355 77E2F4F6 7 Bytes JMP 02E02942 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] GDI32.dll!GetViewportOrgEx + 26C 77B6884B 7 Bytes JMP 0341FD53 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3296] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] ntdll.dll!NtAlpcSendWaitReceivePort 77F05458 3 Bytes [FF, 25, 1E] .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77F0545C 2 Bytes [7A, 71] {JP 0x73} .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] ntdll.dll!NtClose 77F05508 3 Bytes [FF, 25, 1E] .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] ntdll.dll!NtClose + 4 77F0550C 2 Bytes [AE, 71] .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] ntdll.dll!LdrUnloadDll 77F1C8DE 6 Bytes JMP 71A8000A .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] kernel32.dll!CreateProcessW 77DE204D 6 Bytes JMP 719F000A .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] kernel32.dll!CreateProcessA 77DE2082 6 Bytes JMP 719C000A .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] kernel32.dll!CreateProcessAsUserW 77E159FF 6 Bytes JMP 7193000A .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] USER32.dll!SetWindowsHookExW 77D1E30C 6 Bytes JMP 7181000A .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] USER32.dll!SetWinEventHook 77D224DC 6 Bytes JMP 717E000A .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] USER32.dll!SetWindowsHookExA 77D46D0C 6 Bytes JMP 7184000A .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] GDI32.dll!DeleteDC 77B66EAA 6 Bytes JMP 7187000A .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] GDI32.dll!GetPixel 77B6C3D5 6 Bytes JMP 718A000A .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] GDI32.dll!CreateDCA 77B6CCA9 6 Bytes JMP 7190000A .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] GDI32.dll!CreateDCW 77B6CF79 6 Bytes JMP 718D000A .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] ADVAPI32.dll!CreateProcessAsUserA 77CA2538 6 Bytes JMP 7199000A .text C:\Users\dawid karol\Downloads\vurycw67.exe[3376] ADVAPI32.dll!CreateProcessWithLogonW 77CA52E9 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3712] ntdll.dll!NtAllocateVirtualMemory 77F05318 5 Bytes JMP 00401200 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3712] ntdll.dll!NtCreateFile 77F05608 5 Bytes JMP 00401000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [25CF24CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [25CD562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [25CD56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [25CF2546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [25CE85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [25CE4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [25CE5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [25CE51DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [25CE6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [25CE8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [25CE8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [25CE90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [25CEE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [25CE4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch@VirtualStoreSize 1499 ---- EOF - GMER 2.1 ----