GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-14 17:14:42 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 SAMSUNG_HM321HI rev.2AJ10001 298,09GB Running: pdtw16jm.exe; Driver: C:\Users\Domowy\AppData\Local\Temp\kwrdrpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070460 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070450 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070470 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070480 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 0000000077070490 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704a0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070440 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070460 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070450 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070470 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070480 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 0000000077070490 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704a0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070440 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0xffffffff8915e890} .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0xffffffff8915e590} .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0xffffffff8915e090} .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070460 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070450 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070470 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070480 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 0000000077070490 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704a0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070440 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070460 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070450 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070470 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070480 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 0000000077070490 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704a0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070440 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000077070460 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000077070450 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000077070370 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000077070470 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000000770703e0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000077070320 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000000770703b0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000077070390 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000000770702e0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000000770702d0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000077070310 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000000770703c0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000000770703f0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000077070230 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000077070480 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000000770703a0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000000770702f0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000077070350 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000077070290 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000000770702b0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000000770703d0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000077070330 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000077070410 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000077070240 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000000770701e0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000077070250 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 0000000077070490 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000000770704a0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000077070300 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000077070360 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000000770702a0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000000770702c0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000077070380 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000077070340 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000077070440 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000077070260 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000077070270 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000077070400 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000000770701f0 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000077070210 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000077070200 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000077070420 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000077070430 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000077070220 .text C:\Windows\system32\SearchIndexer.exe[2688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000077070280 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076f113c0 5 bytes JMP 0000000100070460 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076f11410 5 bytes JMP 0000000100070450 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076f11570 5 bytes JMP 0000000100070370 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076f115c0 5 bytes JMP 0000000100070470 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076f115d0 5 bytes JMP 00000001000703e0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076f11680 5 bytes JMP 0000000100070320 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f116b0 5 bytes JMP 00000001000703b0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076f116d0 5 bytes JMP 0000000100070390 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076f11710 5 bytes JMP 00000001000702e0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076f11790 5 bytes JMP 00000001000702d0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076f117b0 5 bytes JMP 0000000100070310 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076f117f0 5 bytes JMP 00000001000703c0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076f11840 5 bytes JMP 00000001000703f0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076f119a0 1 byte JMP 0000000100070230 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076f119a2 3 bytes {JMP 0xffffffff8915e890} .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f11b60 5 bytes JMP 0000000100070480 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076f11b90 5 bytes JMP 00000001000703a0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076f11c70 5 bytes JMP 00000001000702f0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076f11c80 5 bytes JMP 0000000100070350 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076f11ce0 5 bytes JMP 0000000100070290 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076f11d70 5 bytes JMP 00000001000702b0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f11d90 5 bytes JMP 00000001000703d0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076f11da0 1 byte JMP 0000000100070330 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076f11da2 3 bytes {JMP 0xffffffff8915e590} .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076f11e10 5 bytes JMP 0000000100070410 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076f11e40 5 bytes JMP 0000000100070240 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076f12100 5 bytes JMP 00000001000701e0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076f121c0 1 byte JMP 0000000100070250 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076f121c2 3 bytes {JMP 0xffffffff8915e090} .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076f121f0 5 bytes JMP 0000000100070490 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076f12200 5 bytes JMP 00000001000704a0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076f12230 5 bytes JMP 0000000100070300 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076f12240 5 bytes JMP 0000000100070360 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076f122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076f122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076f12320 5 bytes JMP 0000000100070380 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076f12330 5 bytes JMP 0000000100070340 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076f12620 5 bytes JMP 0000000100070440 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076f12820 5 bytes JMP 0000000100070260 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076f12830 5 bytes JMP 0000000100070270 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f12840 5 bytes JMP 0000000100070400 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076f12a00 5 bytes JMP 00000001000701f0 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076f12a10 5 bytes JMP 0000000100070210 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076f12a80 5 bytes JMP 0000000100070200 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076f12ae0 5 bytes JMP 0000000100070420 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076f12af0 5 bytes JMP 0000000100070430 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076f12b00 5 bytes JMP 0000000100070220 .text C:\Windows\Explorer.EXE[696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076f12be0 5 bytes JMP 0000000100070280 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [928:3116] 000007feff14c608 Thread C:\Windows\System32\svchost.exe [928:3324] 000007fef6ad5fd0 Thread C:\Windows\System32\svchost.exe [964:1204] 000007fef9ba59a0 Thread C:\Windows\System32\svchost.exe [964:1588] 000007fefc7c1a70 Thread C:\Windows\System32\svchost.exe [964:1836] 000007fef85d20c0 Thread C:\Windows\System32\svchost.exe [964:1844] 000007fef85d26a8 Thread C:\Windows\System32\svchost.exe [964:1892] 000007fef85a14a0 Thread C:\Windows\System32\svchost.exe [964:2256] 000007fef8f144e0 Thread C:\Windows\System32\svchost.exe [964:2668] 000007feed2a8a4c Thread C:\Windows\System32\svchost.exe [964:2612] 000007fef93888f8 Thread C:\Windows\system32\svchost.exe [1128:1164] 000007fefa02341c Thread C:\Windows\system32\svchost.exe [1128:1176] 000007fefa023a2c Thread C:\Windows\system32\svchost.exe [1128:1180] 000007fefa023768 Thread C:\Windows\system32\svchost.exe [1128:1184] 000007fefa025c20 Thread C:\Windows\system32\svchost.exe [1128:1564] 000007fef933bec4 Thread C:\Windows\system32\svchost.exe [1128:2236] 000007fef8dd5124 Thread C:\Windows\system32\svchost.exe [1128:5064] 000007fef7455170 Thread C:\Windows\system32\svchost.exe [1128:3348] 000007fefa023900 Thread C:\Windows\System32\spoolsv.exe [1324:2396] 000007fef6d210c8 Thread C:\Windows\System32\spoolsv.exe [1324:2400] 000007fef6ce6144 Thread C:\Windows\System32\spoolsv.exe [1324:2404] 000007fef6ad5fd0 Thread C:\Windows\System32\spoolsv.exe [1324:2408] 000007fef6ac3438 Thread C:\Windows\System32\spoolsv.exe [1324:2412] 000007fef6ad63ec Thread C:\Windows\System32\spoolsv.exe [1324:2420] 000007fef76f5e5c Thread C:\Windows\System32\spoolsv.exe [1324:2424] 000007fef6dd5090 Thread C:\Windows\system32\svchost.exe [1356:1928] 000007fef82d2940 Thread C:\Windows\system32\svchost.exe [1356:2472] 000007fef7702888 Thread C:\Windows\system32\svchost.exe [2192:2220] 000007fef76b8470 Thread C:\Windows\system32\svchost.exe [2192:2228] 000007fef76c2418 Thread C:\Windows\system32\svchost.exe [2192:2936] 000007fef5755ec0 Thread C:\Windows\system32\svchost.exe [2192:2784] 000007fef3cbf130 Thread C:\Windows\system32\svchost.exe [2192:1476] 000007fef3cb4734 Thread C:\Windows\system32\svchost.exe [2192:3228] 000007fef3cb4734 Thread C:\Windows\system32\svchost.exe [2192:3160] 000007fef6ad5fd0 Thread C:\Windows\system32\svchost.exe [2192:4080] 000007fef6ad63ec Thread C:\Windows\System32\svchost.exe [2956:1616] 000007fef7c39688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2988:1148] 000007fefb022ab8 Thread C:\Windows\system32\taskhost.exe [2524:1672] 000007fef7061f38 Thread C:\Windows\system32\taskhost.exe [2524:1596] 000007fef7092740 Thread C:\Windows\system32\taskhost.exe [2524:2804] 000007fef5f91010 Thread C:\Windows\System32\svchost.exe [3636:2160] 000007fef7455170 Thread C:\Windows\System32\svchost.exe [3636:4708] 000007fef8dd9874 ---- Processes - GMER 2.1 ---- Library C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe (*** suspicious ***) @ C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe [5076] 00000000ff490000 Library C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\DismCorePS.dll (*** suspicious ***) @ C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe [5076] 000007fef85e0000 Library C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\wdscore.dll (*** suspicious ***) @ C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe [5076] 000007fef4e80000 Library C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismprov.dll (*** suspicious ***) @ C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe [5076] 000007fef2b70000 Library C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\OSProvider.dll (*** suspicious ***) @ C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe [5076] 000007fef4e40000 Library C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\LogProvider.dll (*** suspicious ***) @ C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe [5076] 000007fef3d20000 Library C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\CbsProvider.dll (*** suspicious ***) @ C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe [5076] 000007fef1df0000 Library C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\MsiProvider.dll (*** suspicious ***) @ C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe [5076] 000007fef24c0000 Library C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\IntlProvider.dll (*** suspicious ***) @ C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe [5076] 000007fef1d10000 Library C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\DmiProvider.dll (*** suspicious ***) @ C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe [5076] 000007fef0650000 Library C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\UnattendProvider.dll (*** suspicious ***) @ C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe [5076] 000007fef1c30000 Library C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\SmiProvider.dll (*** suspicious ***) @ C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe [5076] 000007fef0d50000 Library C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\TransmogProvider.dll (*** suspicious ***) @ C:\Windows\TEMP\9DE4EFBE-121D-42C3-AD18-0BE1981E79F3\dismhost.exe [5076] 000007fef05b0000 ---- Files - GMER 2.1 ---- File C:\Windows\winsxs\amd64_microsoft-windows-shell-comctl32-v5_31bf3856ad364e35_6.1.7601.18201_none_97c9d703ee91c7f1 0 bytes File C:\Windows\winsxs\amd64_microsoft-windows-shell-comctl32-v5_31bf3856ad364e35_6.1.7601.18201_none_97c9d703ee91c7f1\comctl32.dll 633856 bytes executable File C:\Windows\winsxs\amd64_microsoft-windows-shell-comctl32-v5_31bf3856ad364e35_6.1.7601.22376_none_980cc5cd07e3aa05 0 bytes File C:\Windows\winsxs\amd64_microsoft-windows-shell-comctl32-v5_31bf3856ad364e35_6.1.7601.22376_none_980cc5cd07e3aa05\comctl32.dll 633856 bytes executable ---- EOF - GMER 2.1 ----