GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-06 20:29:35 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk1\DR1 -> \Device\00000097 ST3320620AS rev.3.AAE 298,09GB Running: kmer.exe; Driver: d:\Temp\pgldapob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xAC4AF72A] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwAssignProcessToJobObject [0xA94A4610] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwClose [0xAC4B0AC0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xAC4AE9DA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xAC4AF358] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateKey [0xAC4B0102] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0xAC4AF0EA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xAC4B1AC4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0xAC4AE384] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDebugActiveProcess [0xA94A4C10] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xAC4AF91E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xAC4AFB6E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDuplicateObject [0xAC4AE16E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xAC4B0BD6] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xAC4B0DEA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xAC4B14CA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xAC4AECBE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeKey [0xAC4B1D96] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeMultipleKeys [0xAC4B0994] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xAC4AF550] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xAC4AFFF0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenProcess [0xAC4ADD74] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xAC4AEF72] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenThread [0xAC4ADF8C] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwProtectVirtualMemory [0xA94A46D0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xAC4B0F5C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xAC4B1210] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryValueKey [0xAC4B108E] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwQueueApcThread [0xA94A4790] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xAC4B06E8] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetContextThread [0xA94A4690] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetInformationThread [0xA94A4650] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xAC4AFE14] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xAC4B17CA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xAC4B0410] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xAC4AEC28] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendProcess [0xA94A4510] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendThread [0xA94A4590] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0xAC4AEE5E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess [0xAC4AE7BA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0xAC4AE588] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwWriteVirtualMemory [0xA94A4750] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D04 805045EC 4 Bytes JMP CFE8F23B .text ntkrnlpa.exe!ZwCallbackReturn + 2D50 80504638 4 Bytes JMP E0AC4AF0 .text ntkrnlpa.exe!ZwCallbackReturn + 2DAC 80504694 4 Bytes [EA, 0D, 4B, AC] .text ntkrnlpa.exe!ZwCallbackReturn + 2F88 80504870 4 Bytes CALL BEFC937B .text ntkrnlpa.exe!ZwCallbackReturn + 307D 80504965 11 Bytes [45, 4A, A9, 90, 45, 4A, A9, ...] {INC EBP; DEC EDX; TEST EAX, 0xa94a4590; POP ESI; OUT DX, AL; DEC EDX; LODSB } .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5AD63C0, 0x83E20A, 0xE8000020] .text C:\WINDOWS\system32\drivers\oreans32.sys section is writeable [0xABC53280, 0x7B1C, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA931B300, 0x3AF78, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB8418300, 0x1BCE, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [71, 71] {JNO 0x73} .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6E, 71] .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 4 Bytes [C2, 04, 00, 00] .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717E000A .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7178000A .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717B000A .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7175000A .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text d:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[160] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\HPSIsvc.exe[220] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[220] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\HPSIsvc.exe[220] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[220] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\HPSIsvc.exe[220] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[220] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\HPSIsvc.exe[220] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[220] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\HPSIsvc.exe[220] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\HPSIsvc.exe[220] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\HPSIsvc.exe[220] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\HPSIsvc.exe[220] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\HPSIsvc.exe[220] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\HPSIsvc.exe[220] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\HPSIsvc.exe[220] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\HPSIsvc.exe[220] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[220] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\HPSIsvc.exe[220] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\HPSIsvc.exe[220] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\HPSIsvc.exe[220] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\HPSIsvc.exe[220] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\HPSIsvc.exe[220] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\HPSIsvc.exe[220] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\HPSIsvc.exe[220] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\HPSIsvc.exe[220] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [71, 71] {JNO 0x73} .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6E, 71] .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text d:\Program Files\Java\jre7\bin\jqs.exe[308] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text d:\Program Files\Java\jre7\bin\jqs.exe[308] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text d:\Program Files\Java\jre7\bin\jqs.exe[308] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text d:\Program Files\Java\jre7\bin\jqs.exe[308] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text d:\Program Files\Java\jre7\bin\jqs.exe[308] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717E000A .text d:\Program Files\Java\jre7\bin\jqs.exe[308] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text d:\Program Files\Java\jre7\bin\jqs.exe[308] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text d:\Program Files\Java\jre7\bin\jqs.exe[308] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text d:\Program Files\Java\jre7\bin\jqs.exe[308] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text d:\Program Files\Java\jre7\bin\jqs.exe[308] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7178000A .text d:\Program Files\Java\jre7\bin\jqs.exe[308] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717B000A .text d:\Program Files\Java\jre7\bin\jqs.exe[308] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7175000A .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [71, 71] {JNO 0x73} .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6E, 71] .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717E000A .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7178000A .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717B000A .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7175000A .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text d:\Program Files\NetLimiter 2 Pro\nlsvc.exe[364] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[440] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[440] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[440] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[440] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[440] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[440] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[440] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[440] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[440] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[440] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[440] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[440] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[440] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[440] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[440] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[440] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [71, 71] {JNO 0x73} .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6E, 71] .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717E000A .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7178000A .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717B000A .text D:\Program Files\cfosspeed\cFosSpeed.exe[516] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7175000A .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[680] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wuauclt.exe[688] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[688] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wuauclt.exe[688] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[688] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\wuauclt.exe[688] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[688] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\wuauclt.exe[688] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[688] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wuauclt.exe[688] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wuauclt.exe[688] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\wuauclt.exe[688] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\wuauclt.exe[688] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\wuauclt.exe[688] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wuauclt.exe[688] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wuauclt.exe[688] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\wuauclt.exe[688] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wuauclt.exe[688] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\wuauclt.exe[688] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\wuauclt.exe[688] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\wuauclt.exe[688] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\wuauclt.exe[688] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wuauclt.exe[688] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\wuauclt.exe[688] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text D:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[696] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 004011F0 D:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text D:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[696] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00401000 D:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\WINDOWS\system32\RunDLL32.exe[840] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[840] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\RunDLL32.exe[840] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[840] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\RunDLL32.exe[840] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[840] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\RunDLL32.exe[840] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[840] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\RunDLL32.exe[840] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\RunDLL32.exe[840] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\RunDLL32.exe[840] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\RunDLL32.exe[840] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\RunDLL32.exe[840] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\RunDLL32.exe[840] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\RunDLL32.exe[840] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\RunDLL32.exe[840] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\RunDLL32.exe[840] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\RunDLL32.exe[840] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\RunDLL32.exe[840] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\RunDLL32.exe[840] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\RunDLL32.exe[840] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[840] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\RunDLL32.exe[840] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\csrss.exe[880] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 10001970 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\csrss.exe[880] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\cmdcsr.dll .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[884] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\services.exe[952] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[952] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\services.exe[952] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[952] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\services.exe[952] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[952] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\services.exe[952] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[952] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\services.exe[952] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\services.exe[952] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\services.exe[952] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\services.exe[952] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\services.exe[952] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\services.exe[952] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[952] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\services.exe[952] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\services.exe[952] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\services.exe[952] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\services.exe[952] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\services.exe[952] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\services.exe[952] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\services.exe[952] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\services.exe[952] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\services.exe[952] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\lsass.exe[964] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[964] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\lsass.exe[964] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[964] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [6F, 71] .text C:\WINDOWS\system32\lsass.exe[964] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[964] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6C, 71] .text C:\WINDOWS\system32\lsass.exe[964] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[964] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A2, 71] .text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719A000A .text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7197000A .text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718E000A .text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7194000A .text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[964] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [90, 71] .text C:\WINDOWS\system32\lsass.exe[964] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\lsass.exe[964] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7176000A .text C:\WINDOWS\system32\lsass.exe[964] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7179000A .text C:\WINDOWS\system32\lsass.exe[964] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7173000A .text C:\WINDOWS\system32\lsass.exe[964] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\lsass.exe[964] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\lsass.exe[964] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7188000A .text C:\WINDOWS\system32\lsass.exe[964] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7185000A .text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1200] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1200] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1200] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1200] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1200] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1200] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1200] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1200] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1200] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1200] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1316] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1364] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1364] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1364] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1364] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1364] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1364] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1364] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1364] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1364] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1364] rpcss.dll!WhichService 76A64234 8 Bytes [80, 4F, 01, 10, 40, 4D, 01, ...] {OR BYTE [EDI+0x1], 0x10; INC EAX; DEC EBP; ADD [EAX], EDX} .text D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1404] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00403760 D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1404] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0044D090 D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1440] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1440] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1440] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1440] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1440] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1440] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1440] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1440] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1440] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1504] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1504] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1504] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1504] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1504] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1504] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1504] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1504] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1504] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1504] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1504] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1504] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1504] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1504] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1504] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1504] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1592] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1592] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1592] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1592] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1592] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1592] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1680] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1684] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text d:\Program Files\NetLimiter 2 Pro\NLClient.exe[1716] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\Explorer.EXE[1796] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1796] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\Explorer.EXE[1796] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1796] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\Explorer.EXE[1796] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1796] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\Explorer.EXE[1796] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1796] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\Explorer.EXE[1796] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Explorer.EXE[1796] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\Explorer.EXE[1796] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\Explorer.EXE[1796] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\Explorer.EXE[1796] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\Explorer.EXE[1796] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[1796] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[1796] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1796] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\Explorer.EXE[1796] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\Explorer.EXE[1796] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\Explorer.EXE[1796] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\Explorer.EXE[1796] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\Explorer.EXE[1796] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\Explorer.EXE[1796] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\Explorer.EXE[1796] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\Explorer.EXE[1796] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1816] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\spoolsv.exe[1816] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\spoolsv.exe[1816] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\spoolsv.exe[1816] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\spoolsv.exe[1816] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\spoolsv.exe[1816] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\spoolsv.exe[1816] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\spoolsv.exe[1816] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\spoolsv.exe[1816] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1816] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\spoolsv.exe[1816] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\spoolsv.exe[1816] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\spoolsv.exe[1816] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\spoolsv.exe[1816] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\spoolsv.exe[1816] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\spoolsv.exe[1816] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\spoolsv.exe[1816] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\spoolsv.exe[1816] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1904] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1904] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1904] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1904] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1904] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1904] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1904] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1904] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1904] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1904] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1904] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1904] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1904] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1904] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1904] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1904] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1904] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] KERNEL32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] KERNEL32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\BlueStacks\HD-UpdaterService.exe[1980] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text D:\Program Files\cfosspeed\spd.exe[2012] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text D:\Program Files\cfosspeed\spd.exe[2012] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text D:\Program Files\cfosspeed\spd.exe[2012] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text D:\Program Files\cfosspeed\spd.exe[2012] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [71, 71] {JNO 0x73} .text D:\Program Files\cfosspeed\spd.exe[2012] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text D:\Program Files\cfosspeed\spd.exe[2012] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6E, 71] .text D:\Program Files\cfosspeed\spd.exe[2012] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text D:\Program Files\cfosspeed\spd.exe[2012] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text D:\Program Files\cfosspeed\spd.exe[2012] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text D:\Program Files\cfosspeed\spd.exe[2012] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text D:\Program Files\cfosspeed\spd.exe[2012] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text D:\Program Files\cfosspeed\spd.exe[2012] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text D:\Program Files\cfosspeed\spd.exe[2012] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text D:\Program Files\cfosspeed\spd.exe[2012] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text D:\Program Files\cfosspeed\spd.exe[2012] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text D:\Program Files\cfosspeed\spd.exe[2012] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text D:\Program Files\cfosspeed\spd.exe[2012] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text D:\Program Files\cfosspeed\spd.exe[2012] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717E000A .text D:\Program Files\cfosspeed\spd.exe[2012] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7178000A .text D:\Program Files\cfosspeed\spd.exe[2012] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717B000A .text D:\Program Files\cfosspeed\spd.exe[2012] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7175000A .text D:\Program Files\cfosspeed\spd.exe[2012] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text D:\Program Files\cfosspeed\spd.exe[2012] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text D:\Program Files\cfosspeed\spd.exe[2012] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text D:\Program Files\cfosspeed\spd.exe[2012] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [6C, 71] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [69, 71] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2312] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A3, 71] .text C:\WINDOWS\System32\alg.exe[2312] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\alg.exe[2312] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 7197000A .text C:\WINDOWS\System32\alg.exe[2312] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7194000A .text C:\WINDOWS\System32\alg.exe[2312] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7173000A .text C:\WINDOWS\System32\alg.exe[2312] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7176000A .text C:\WINDOWS\System32\alg.exe[2312] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7170000A .text C:\WINDOWS\System32\alg.exe[2312] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717C000A .text C:\WINDOWS\System32\alg.exe[2312] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 717F000A .text C:\WINDOWS\System32\alg.exe[2312] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7185000A .text C:\WINDOWS\System32\alg.exe[2312] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7182000A .text C:\WINDOWS\System32\alg.exe[2312] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\System32\alg.exe[2312] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\System32\alg.exe[2312] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718B000A .text C:\WINDOWS\System32\alg.exe[2312] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7191000A .text C:\WINDOWS\System32\alg.exe[2312] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2312] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [8D, 71] .text C:\WINDOWS\System32\alg.exe[2312] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7179000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6E, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7175000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2320] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7187000A .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [72, 71] {JB 0x73} .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6F, 71] .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A5, 71] .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719D000A .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719A000A .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] advapi32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7191000A .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] advapi32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7197000A .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] advapi32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] advapi32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [93, 71] .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717F000A .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7182000A .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7185000A .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718B000A .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7188000A .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7179000A .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717C000A .text D:\Program Files\TC UP\TOTALCMD.EXE[2768] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7176000A .text c:\kmer.exe[3048] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text c:\kmer.exe[3048] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text c:\kmer.exe[3048] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text c:\kmer.exe[3048] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text c:\kmer.exe[3048] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text c:\kmer.exe[3048] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text c:\kmer.exe[3048] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text c:\kmer.exe[3048] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text c:\kmer.exe[3048] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text c:\kmer.exe[3048] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text c:\kmer.exe[3048] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text c:\kmer.exe[3048] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text c:\kmer.exe[3048] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text c:\kmer.exe[3048] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text c:\kmer.exe[3048] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text c:\kmer.exe[3048] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text c:\kmer.exe[3048] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text c:\kmer.exe[3048] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text c:\kmer.exe[3048] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text c:\kmer.exe[3048] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text c:\kmer.exe[3048] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text c:\kmer.exe[3048] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text c:\kmer.exe[3048] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text c:\kmer.exe[3048] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text c:\kmer.exe[3048] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text D:\Program Files\COMODO\COMODO Internet Security\cis.exe[3596] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00414FE0 D:\Program Files\COMODO\COMODO Internet Security\cis.exe ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys Device \Driver\nvata \Device\0000009b sfsync02.sys AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Ip nltdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Tcp nltdi.sys Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 sfsync02.sys Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f sfsync02.sys AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Udp nltdi.sys Device \Driver\nvata \Device\00000097 sfsync02.sys AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\RawIp nltdi.sys Device \Driver\nvata \Device\00000098 sfsync02.sys Device \Driver\nvata \Device\NvAta0 sfsync02.sys Device \Driver\nvata \Device\NvAta1 sfsync02.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{4410848A-1B13-42F7-B61E-9511C2271458}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{7405B420-7DDF-45F7-BDBB-59C44580C1B8}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{9290C88D-684C-4F73-8F7E-A293C11A99B6}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{975C5638-252F-4FA6-941E-811344657A5D}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{A3D61EF5-7958-4D1F-8815-FFAED72E61DC}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x59 0x3B 0x02 0x14 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF1 0x48 0x5A 0xA0 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x68 0xCF 0x37 0x93 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x59 0x3B 0x02 0x14 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF1 0x48 0x5A 0xA0 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC4 0xD6 0x6F 0xAF ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 d:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x30 0x94 0xA3 0x34 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA6 0xAE 0x57 0x44 ... Reg HKLM\SYSTEM\ControlSet004\Control\Video\{4410848A-1B13-42F7-B61E-9511C2271458}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{7405B420-7DDF-45F7-BDBB-59C44580C1B8}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{9290C88D-684C-4F73-8F7E-A293C11A99B6}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{975C5638-252F-4FA6-941E-811344657A5D}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{A3D61EF5-7958-4D1F-8815-FFAED72E61DC}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x59 0x3B 0x02 0x14 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 2 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF1 0x48 0x5A 0xA0 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x68 0xCF 0x37 0x93 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SOFTWARE\Classes\CLSID\{00f3192f-d2dd-440e-9101-abb5a49a698a}@Model 339 Reg HKLM\SOFTWARE\Classes\CLSID\{00f3192f-d2dd-440e-9101-abb5a49a698a}@Therad 14 Reg HKLM\SOFTWARE\Classes\CLSID\{00f3192f-d2dd-440e-9101-abb5a49a698a}@MData 0x73 0xD5 0xCF 0xB8 ... Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0xEC 0x6B 0x87 0xF6 ... ---- EOF - GMER 2.1 ----