GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-08 19:37:11
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_SP0812N rev.TK100-30 74,56GB
Running: v09e77e2.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\kwriykog.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xB125F4D6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwClose [0xB126085A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xB125E786]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xB125F104]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateKey [0xB125FE9E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0xB125EE96]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xB126185E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0xB125E130]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xB125F6CA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xB125F928]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDuplicateObject [0xB125DF1A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xB1260970]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xB1260B84]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xB1261264]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xB125EA6A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeKey [0xB1261B30]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeMultipleKeys [0xB126072E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xB125F2FC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xB125FD8C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenProcess [0xB125DB20]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xB125ED1E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenThread [0xB125DD38]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xB1260CF6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xB1260FAA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryValueKey [0xB1260E28]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xB1260484]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xB125FBB0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xB1261564]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xB12601C0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xB125E9D4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0xB125EC0A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess [0xB125E566]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0xB125E334]

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!_abnormal_termination + 1F0 804E284C 4 Bytes [6A, EA, 25, B1]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9991000, 0x1C5D38, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] KERNEL32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] KERNEL32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[188] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71]
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [72, 71] {JB 0x73}
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [6F, 71]
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A2, 71]
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719A000A
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7197000A
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 6C, 00] {ROL BYTE [ESI+0x6c], 0x0}
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 6C, 00]
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 718E000A
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7194000A
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [90, 71]
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717F000A
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7182000A
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 7188000A
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 7185000A
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7179000A
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717C000A
.text C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe[304] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7176000A
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [71, 71] {JNO 0x73}
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71]
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10}
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX}
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7190000A
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7196000A
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [92, 71]
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7184000A
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718A000A
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 7187000A
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A
.text C:\Program Files\Java\jre7\bin\jqs.exe[600] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A
.text C:\WINDOWS\system32\srvany.exe[632] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\srvany.exe[632] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\srvany.exe[632] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\srvany.exe[632] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\system32\srvany.exe[632] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\srvany.exe[632] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\system32\srvany.exe[632] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\srvany.exe[632] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\srvany.exe[632] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\srvany.exe[632] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A
.text C:\WINDOWS\system32\srvany.exe[632] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\srvany.exe[632] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A
.text C:\WINDOWS\system32\srvany.exe[632] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A
.text C:\WINDOWS\system32\srvany.exe[632] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A
.text C:\WINDOWS\system32\srvany.exe[632] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\srvany.exe[632] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\srvany.exe[632] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\srvany.exe[632] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\srvany.exe[632] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10}
.text C:\WINDOWS\system32\srvany.exe[632] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX}
.text C:\WINDOWS\system32\srvany.exe[632] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\srvany.exe[632] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\srvany.exe[632] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\srvany.exe[632] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71]
.text C:\WINDOWS\system32\csrss.exe[736] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 5 Bytes JMP 100015D0 C:\WINDOWS\system32\cmdcsr.dll
.text C:\WINDOWS\system32\csrss.exe[736] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 5 Bytes JMP 10001A50 C:\WINDOWS\system32\cmdcsr.dll
.text C:\WINDOWS\system32\winlogon.exe[772] ntdll.dll!NtLockProductActivationKeys 7C90D490 5 Bytes JMP 10001000 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\system32\winlogon.exe[772] USER32.dll!GetSystemMetrics 7E368F9C 5 Bytes JMP 10001018 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[816] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\services.exe[816] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\services.exe[816] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A
.text C:\WINDOWS\system32\services.exe[816] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\services.exe[816] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\services.exe[816] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\services.exe[816] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[816] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71]
.text C:\WINDOWS\system32\services.exe[816] RPCRT4.dll!RpcServerRegisterIfEx 77E8E05B 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\services.exe[816] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A
.text C:\WINDOWS\system32\services.exe[816] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A
.text C:\WINDOWS\system32\services.exe[816] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A
.text C:\WINDOWS\system32\services.exe[816] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\services.exe[816] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\services.exe[816] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\services.exe[816] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\lsass.exe[828] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[828] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\lsass.exe[828] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[828] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [72, 71] {JB 0x73}
.text C:\WINDOWS\system32\lsass.exe[828] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[828] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [6F, 71]
.text C:\WINDOWS\system32\lsass.exe[828] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[828] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A2, 71]
.text C:\WINDOWS\system32\lsass.exe[828] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001
.text C:\WINDOWS\system32\lsass.exe[828] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719A000A
.text C:\WINDOWS\system32\lsass.exe[828] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7197000A
.text C:\WINDOWS\system32\lsass.exe[828] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10}
.text C:\WINDOWS\system32\lsass.exe[828] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX}
.text C:\WINDOWS\system32\lsass.exe[828] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 718E000A
.text C:\WINDOWS\system32\lsass.exe[828] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7194000A
.text C:\WINDOWS\system32\lsass.exe[828] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[828] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [90, 71]
.text C:\WINDOWS\system32\lsass.exe[828] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7179000A
.text C:\WINDOWS\system32\lsass.exe[828] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717C000A
.text C:\WINDOWS\system32\lsass.exe[828] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7176000A
.text C:\WINDOWS\system32\lsass.exe[828] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717F000A
.text C:\WINDOWS\system32\lsass.exe[828] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7182000A
.text C:\WINDOWS\system32\lsass.exe[828] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 7188000A
.text C:\WINDOWS\system32\lsass.exe[828] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 7185000A
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\Ati2evxx.exe[980] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\Ati2evxx.exe[980] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A
.text C:\WINDOWS\system32\Ati2evxx.exe[980] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\Ati2evxx.exe[980] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A
.text C:\WINDOWS\system32\Ati2evxx.exe[980] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A
.text C:\WINDOWS\system32\Ati2evxx.exe[980] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A
.text C:\WINDOWS\system32\Ati2evxx.exe[980] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\Ati2evxx.exe[980] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\Ati2evxx.exe[980] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\Ati2evxx.exe[980] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10}
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX}
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[980] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71]
.text C:\WINDOWS\system32\svchost.exe[1000] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1000] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\svchost.exe[1000] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1000] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\system32\svchost.exe[1000] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1000] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\system32\svchost.exe[1000] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1000] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71]
.text C:\WINDOWS\system32\svchost.exe[1000] RPCRT4.dll!RpcServerRegisterIfEx 77E8E05B 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\svchost.exe[1000] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A
.text C:\WINDOWS\system32\svchost.exe[1000] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A
.text C:\WINDOWS\system32\svchost.exe[1000] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A
.text C:\WINDOWS\system32\svchost.exe[1000] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\svchost.exe[1000] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\svchost.exe[1000] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[1000] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71]
.text C:\WINDOWS\system32\svchost.exe[1068] RPCRT4.dll!RpcServerRegisterIfEx 77E8E05B 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A
.text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A
.text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A
.text C:\WINDOWS\system32\svchost.exe[1068] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\svchost.exe[1068] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\svchost.exe[1068] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[1068] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\svchost.exe[1068] rpcss.dll!WhichService 76A63C84 8 Bytes [20, 30, 01, 10, E0, 2D, 01, ...] {AND [EAX], DH; ADD [EAX], EDX; LOOPNZ 0x33; ADD [EAX], EDX}
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1160] ntdll.dll!NtAllocateVirtualMemory 7C90CF50 5 Bytes JMP 00401EF0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1160] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 004452C0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71]
.text C:\WINDOWS\system32\svchost.exe[1208] RPCRT4.dll!RpcServerRegisterIfEx 77E8E05B 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A
.text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A
.text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A
.text C:\WINDOWS\system32\svchost.exe[1208] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\svchost.exe[1208] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\svchost.exe[1208] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[1208] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71]
.text C:\WINDOWS\System32\svchost.exe[1240] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\System32\svchost.exe[1240] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A
.text C:\WINDOWS\System32\svchost.exe[1240] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A
.text C:\WINDOWS\System32\svchost.exe[1240] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10}
.text C:\WINDOWS\System32\svchost.exe[1240] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX}
.text C:\WINDOWS\System32\svchost.exe[1240] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A
.text C:\WINDOWS\System32\svchost.exe[1240] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A
.text C:\WINDOWS\System32\svchost.exe[1240] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1240] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71]
.text C:\WINDOWS\System32\svchost.exe[1240] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A
.text C:\WINDOWS\System32\svchost.exe[1240] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A
.text C:\WINDOWS\System32\svchost.exe[1240] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A
.text C:\WINDOWS\System32\svchost.exe[1240] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A
.text C:\WINDOWS\System32\svchost.exe[1240] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A
.text C:\WINDOWS\System32\svchost.exe[1240] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A
.text C:\WINDOWS\System32\svchost.exe[1240] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10}
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX}
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71]
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10}
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX}
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1468] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71]
.text C:\WINDOWS\system32\svchost.exe[1468] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A
.text C:\WINDOWS\system32\svchost.exe[1468] USER32.dll!SetWindowsHookExA 7E381211 6
Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1468] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1468] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1468] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1468] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1468] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] KERNEL32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] KERNEL32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\ATI 
Technologies\ATI.ACE\Core-Static\ccc.exe[1548] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1548] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1620] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1620] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1620] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1620] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1620] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1620] 
ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1620] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1620] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1620] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1620] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1620] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1620] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1620] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1620] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1620] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1620] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text 
C:\WINDOWS\system32\svchost.exe[1724] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1724] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1724] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1724] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1724] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1724] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1724] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1724] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1724] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1724] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1724] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1724] 
USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1724] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1724] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1724] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1724] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1724] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\czyszczenie\v09e77e2.exe[1780] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text D:\czyszczenie\v09e77e2.exe[1780] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text D:\czyszczenie\v09e77e2.exe[1780] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text D:\czyszczenie\v09e77e2.exe[1780] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text D:\czyszczenie\v09e77e2.exe[1780] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text D:\czyszczenie\v09e77e2.exe[1780] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text D:\czyszczenie\v09e77e2.exe[1780] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text D:\czyszczenie\v09e77e2.exe[1780] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text D:\czyszczenie\v09e77e2.exe[1780] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\czyszczenie\v09e77e2.exe[1780] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\czyszczenie\v09e77e2.exe[1780] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\czyszczenie\v09e77e2.exe[1780] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text D:\czyszczenie\v09e77e2.exe[1780] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text D:\czyszczenie\v09e77e2.exe[1780] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text D:\czyszczenie\v09e77e2.exe[1780] GDI32.dll!DeleteDC 77F16E5F 6 
Bytes JMP 7184000A .text D:\czyszczenie\v09e77e2.exe[1780] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text D:\czyszczenie\v09e77e2.exe[1780] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text D:\czyszczenie\v09e77e2.exe[1780] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text D:\czyszczenie\v09e77e2.exe[1780] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text D:\czyszczenie\v09e77e2.exe[1780] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text D:\czyszczenie\v09e77e2.exe[1780] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text D:\czyszczenie\v09e77e2.exe[1780] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text D:\czyszczenie\v09e77e2.exe[1780] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text D:\czyszczenie\v09e77e2.exe[1780] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\Explorer.EXE[1836] 
kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\Explorer.EXE[1836] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\Explorer.EXE[1836] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\Explorer.EXE[1836] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\Explorer.EXE[1836] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\Explorer.EXE[1836] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\SOUNDMAN.EXE[1884] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[1884] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\SOUNDMAN.EXE[1884] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[1884] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\SOUNDMAN.EXE[1884] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[1884] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\SOUNDMAN.EXE[1884] ntdll.dll!LdrUnloadDll 
7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[1884] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\SOUNDMAN.EXE[1884] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\SOUNDMAN.EXE[1884] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\SOUNDMAN.EXE[1884] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\SOUNDMAN.EXE[1884] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\SOUNDMAN.EXE[1884] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\SOUNDMAN.EXE[1884] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\SOUNDMAN.EXE[1884] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\SOUNDMAN.EXE[1884] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\SOUNDMAN.EXE[1884] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\SOUNDMAN.EXE[1884] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\SOUNDMAN.EXE[1884] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\SOUNDMAN.EXE[1884] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\SOUNDMAN.EXE[1884] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[1884] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\spoolsv.exe[1948] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1948] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\spoolsv.exe[1948] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1948] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1948] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1948] 
ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1948] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1948] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\spoolsv.exe[1948] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\spoolsv.exe[1948] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\system32\spoolsv.exe[1948] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\system32\spoolsv.exe[1948] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\spoolsv.exe[1948] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\spoolsv.exe[1948] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1948] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\spoolsv.exe[1948] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\spoolsv.exe[1948] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\spoolsv.exe[1948] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\spoolsv.exe[1948] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\spoolsv.exe[1948] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\spoolsv.exe[1948] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\spoolsv.exe[1948] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text 
C:\WINDOWS\system32\ctfmon.exe[2032] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2032] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\ctfmon.exe[2032] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2032] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\ctfmon.exe[2032] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2032] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\ctfmon.exe[2032] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2032] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\ctfmon.exe[2032] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\ctfmon.exe[2032] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\ctfmon.exe[2032] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\ctfmon.exe[2032] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\ctfmon.exe[2032] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\ctfmon.exe[2032] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2032] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\ctfmon.exe[2032] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\ctfmon.exe[2032] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\ctfmon.exe[2032] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\ctfmon.exe[2032] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\ctfmon.exe[2032] 
GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\ctfmon.exe[2032] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\ctfmon.exe[2032] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [72, 71] {JB 0x73} .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [6F, 71] .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A2, 71] .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719A000A .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7197000A .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program 
Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 718E000A .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7194000A .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [90, 71] .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7179000A .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717C000A .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7176000A .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717F000A .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7182000A .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 7188000A .text C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe[2528] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 7185000A .text C:\WINDOWS\System32\alg.exe[3216] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3216] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\System32\alg.exe[3216] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3216] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [6F, 71] .text C:\WINDOWS\System32\alg.exe[3216] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3216] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [6C, 71] .text C:\WINDOWS\System32\alg.exe[3216] 
ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3216] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A3, 71] .text C:\WINDOWS\System32\alg.exe[3216] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\alg.exe[3216] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 7197000A .text C:\WINDOWS\System32\alg.exe[3216] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7194000A .text C:\WINDOWS\System32\alg.exe[3216] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7176000A .text C:\WINDOWS\System32\alg.exe[3216] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7179000A .text C:\WINDOWS\System32\alg.exe[3216] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7173000A .text C:\WINDOWS\System32\alg.exe[3216] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717C000A .text C:\WINDOWS\System32\alg.exe[3216] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 717F000A .text C:\WINDOWS\System32\alg.exe[3216] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 7185000A .text C:\WINDOWS\System32\alg.exe[3216] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 7182000A .text C:\WINDOWS\System32\alg.exe[3216] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\WINDOWS\System32\alg.exe[3216] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\WINDOWS\System32\alg.exe[3216] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 718B000A .text C:\WINDOWS\System32\alg.exe[3216] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7191000A .text C:\WINDOWS\System32\alg.exe[3216] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3216] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [8D, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3540] ntdll.dll!NtAllocateVirtualMemory 7C90CF50 5 Bytes JMP 00401200 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program 
Files\COMODO\COMODO Internet Security\cavwp.exe[3540] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00401000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0190DFF0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 02099796 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 02099773 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] 
kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 01915F1A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 020996F4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [C0, 46, 01, 10] {ROL BYTE [ESI+0x1], 0x10} .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [50, 47, 01, 10] {PUSH EAX; INC EDI; ADD [EAX], EDX} .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[6064] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys AttachedDevice \Driver\Tcpip 
\Device\Udp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE6 0x61 0xFA 0x7D ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE6 0x61 0xFA 0x7D ... ---- EOF - GMER 2.1 ----