GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-19 22:33:27 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.ESBO 232,89GB Running: bme375pr.exe; Driver: C:\Users\GRAKA~1\AppData\Local\Temp\awrdrpob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x8A64A438] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x8A64A844] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcCreatePort [0x8A64A7F2] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwConnectPort [0x8A64967E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateEvent [0x8A648754] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateEventPair [0x8A6487AC] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateFile [0x8A64A066] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateMutant [0x8A6486FE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreatePort [0x8A6486A6] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSection [0x8A649D82] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSemaphore [0x8A6487FE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x8A64B404] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThread [0x8A649028] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x8A64AA8E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwLoadDriver [0x8A64AE0A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x8A649956] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenFile [0x8A64A25E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenSection [0x8A649C0A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetInformationProcess [0x8A64A62C] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x8A64B10A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x8A6498CC] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x8A649AF6] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateProcess [0x8A64945E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateThread [0x8A64922C] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestWaitReplyPort + 1495 81E589E5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81E92312 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 81E9955C 4 Bytes [38, A4, 64, 8A] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 81E99584 8 Bytes [44, A8, 64, 8A, F2, A7, 64, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 81E99618 4 Bytes [7E, 96, 64, 8A] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 81E9962C 12 Bytes [54, 87, 64, 8A, AC, 87, 64, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 81E99654 4 Bytes [FE, 86, 64, 8A] .text ... ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\csrss.exe[460] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 5 Bytes JMP 755F2200 C:\Windows\system32\cmdcsr.dll .text C:\windows\system32\csrss.exe[460] ntdll.dll!NtReplyWaitReceivePort 77656458 5 Bytes JMP 755F18F0 C:\Windows\system32\cmdcsr.dll .text C:\windows\system32\csrss.exe[460] ntdll.dll!NtReplyWaitReceivePortEx 77656468 5 Bytes JMP 755F1D70 C:\Windows\system32\cmdcsr.dll .text C:\windows\system32\csrss.exe[512] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 5 Bytes JMP 755F2200 C:\Windows\system32\cmdcsr.dll .text C:\windows\system32\csrss.exe[512] ntdll.dll!NtReplyWaitReceivePort 77656458 5 Bytes JMP 755F18F0 C:\Windows\system32\cmdcsr.dll .text C:\windows\system32\csrss.exe[512] ntdll.dll!NtReplyWaitReceivePortEx 77656468 5 Bytes JMP 755F1D70 C:\Windows\system32\cmdcsr.dll .text C:\windows\system32\services.exe[612] services.exe 00A01608 4 Bytes [90, 46, 42, 75] .text C:\windows\system32\services.exe[612] services.exe 00A01618 4 Bytes [70, 4A, 42, 75] .text C:\windows\system32\services.exe[612] services.exe 00A01638 4 Bytes [F0, 43, 42, 75] .text C:\windows\system32\services.exe[612] services.exe 00A01648 4 Bytes [90, 48, 42, 75] .text C:\windows\system32\services.exe[612] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\services.exe[612] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [80, 71] .text C:\windows\system32\services.exe[612] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\services.exe[612] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\services.exe[612] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\services.exe[612] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\services.exe[612] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\services.exe[612] RPCRT4.dll!RpcServerRegisterIfEx 772F0898 6 Bytes JMP 719C000A .text C:\windows\system32\services.exe[612] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 7187000A .text C:\windows\system32\services.exe[612] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 7184000A .text C:\windows\system32\services.exe[612] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 718A000A .text C:\windows\system32\services.exe[612] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7190000A .text C:\windows\system32\services.exe[612] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7193000A .text C:\windows\system32\services.exe[612] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 7199000A .text C:\windows\system32\services.exe[612] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7196000A .text C:\windows\system32\lsass.exe[620] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\lsass.exe[620] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\lsass.exe[620] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\lsass.exe[620] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\lsass.exe[620] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\lsass.exe[620] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\lsass.exe[620] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\lsass.exe[620] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\lsass.exe[620] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\lsass.exe[620] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\lsass.exe[620] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\lsass.exe[620] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\lsass.exe[620] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\lsass.exe[620] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\lsm.exe[632] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\lsm.exe[632] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\lsm.exe[632] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\lsm.exe[632] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\lsm.exe[632] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\lsm.exe[632] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\lsm.exe[632] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\lsm.exe[632] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\lsm.exe[632] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\lsm.exe[632] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\lsm.exe[632] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\lsm.exe[632] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\lsm.exe[632] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\lsm.exe[632] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[736] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[736] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [83, 71] .text C:\windows\system32\svchost.exe[736] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[736] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[736] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[736] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[736] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\svchost.exe[736] RPCRT4.dll!RpcServerRegisterIfEx 772F0898 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[736] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[736] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[736] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[736] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[736] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[736] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[736] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[816] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[816] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [83, 71] .text C:\windows\system32\svchost.exe[816] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[816] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[816] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[816] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[816] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\svchost.exe[816] RPCRT4.dll!RpcServerRegisterIfEx 772F0898 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[816] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[816] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[816] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[816] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[816] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[816] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[816] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[816] rpcss.dll!CoGetComCatalog 74A935EC 8 Bytes [D0, 3B, 42, 75, 90, 39, 42, ...] {SAR BYTE [EBX], 0x1; INC EDX; JNZ 0xffffff95; CMP [EDX+0x75], EAX} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[880] ntdll.dll!NtAllocateVirtualMemory 77655318 5 Bytes JMP 012E3580 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[880] ntdll.dll!NtCreateFile 77655608 5 Bytes JMP 01382820 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\windows\system32\svchost.exe[972] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[972] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\svchost.exe[972] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[972] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[972] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[972] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[972] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\svchost.exe[972] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[972] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[972] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[972] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[972] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[972] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[972] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\System32\svchost.exe[1016] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[1016] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\System32\svchost.exe[1016] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[1016] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\System32\svchost.exe[1016] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\System32\svchost.exe[1016] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[1016] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\System32\svchost.exe[1016] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\System32\svchost.exe[1016] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\System32\svchost.exe[1016] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\System32\svchost.exe[1016] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\System32\svchost.exe[1016] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\System32\svchost.exe[1016] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\System32\svchost.exe[1016] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\System32\svchost.exe[1052] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[1052] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\System32\svchost.exe[1052] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[1052] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\System32\svchost.exe[1052] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\System32\svchost.exe[1052] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[1052] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\System32\svchost.exe[1052] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\System32\svchost.exe[1052] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\System32\svchost.exe[1052] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\System32\svchost.exe[1052] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\System32\svchost.exe[1052] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\System32\svchost.exe[1052] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\System32\svchost.exe[1052] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[1092] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1092] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\svchost.exe[1092] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1092] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[1092] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[1092] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1092] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\svchost.exe[1092] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[1092] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[1092] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[1092] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[1092] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[1092] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[1092] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[1128] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1128] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [83, 71] .text C:\windows\system32\svchost.exe[1128] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1128] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[1128] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[1128] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[1128] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\svchost.exe[1128] RPCRT4.dll!RpcServerRegisterIfEx 772F0898 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[1128] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[1128] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[1128] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[1128] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[1128] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[1128] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7196000A .text C:\windows\system32\Dwm.exe[1464] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\Dwm.exe[1464] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\Dwm.exe[1464] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\Dwm.exe[1464] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\Dwm.exe[1464] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\Dwm.exe[1464] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\Dwm.exe[1464] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\Dwm.exe[1464] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\Dwm.exe[1464] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\Dwm.exe[1464] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\Dwm.exe[1464] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\Dwm.exe[1464] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\Dwm.exe[1464] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\Dwm.exe[1464] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\Explorer.EXE[1480] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\Explorer.EXE[1480] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [83, 71] .text C:\windows\Explorer.EXE[1480] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\Explorer.EXE[1480] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\Explorer.EXE[1480] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\Explorer.EXE[1480] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\Explorer.EXE[1480] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\Explorer.EXE[1480] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\Explorer.EXE[1480] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\Explorer.EXE[1480] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\Explorer.EXE[1480] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\Explorer.EXE[1480] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718A000A .text C:\windows\Explorer.EXE[1480] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 7187000A .text C:\windows\Explorer.EXE[1480] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 718D000A .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [80, 71] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 7187000A .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 7184000A .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 718A000A .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 718D000A .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\Program Files\Elantech\ETDCtrlHelper.exe[1508] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[1592] ntdll.dll!NtAllocateVirtualMemory 77655318 5 Bytes JMP 008D2D90 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\windows\System32\svchost.exe[1604] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[1604] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\System32\svchost.exe[1604] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[1604] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\System32\svchost.exe[1604] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\System32\svchost.exe[1604] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\System32\svchost.exe[1604] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\System32\svchost.exe[1604] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\System32\svchost.exe[1604] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\System32\svchost.exe[1604] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\System32\svchost.exe[1604] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\System32\svchost.exe[1604] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\System32\svchost.exe[1604] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\System32\svchost.exe[1604] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\Users\Gra¿ka\Downloads\bme375pr.exe[1616] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Windows\System32\igfxtray.exe[1640] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[1640] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\Windows\System32\igfxtray.exe[1640] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[1640] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\Windows\System32\igfxtray.exe[1640] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\igfxtray.exe[1640] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxtray.exe[1640] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\Windows\System32\igfxtray.exe[1640] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\Windows\System32\igfxtray.exe[1640] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\Windows\System32\igfxtray.exe[1640] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\Windows\System32\igfxtray.exe[1640] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\Windows\System32\igfxtray.exe[1640] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\Windows\System32\igfxtray.exe[1640] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\Windows\System32\igfxtray.exe[1640] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Windows\System32\hkcmd.exe[1664] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[1664] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\Windows\System32\hkcmd.exe[1664] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[1664] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\Windows\System32\hkcmd.exe[1664] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\hkcmd.exe[1664] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\hkcmd.exe[1664] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\Windows\System32\hkcmd.exe[1664] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\Windows\System32\hkcmd.exe[1664] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\Windows\System32\hkcmd.exe[1664] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\Windows\System32\hkcmd.exe[1664] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\Windows\System32\hkcmd.exe[1664] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\Windows\System32\hkcmd.exe[1664] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\Windows\System32\hkcmd.exe[1664] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Windows\System32\igfxpers.exe[1676] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[1676] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\Windows\System32\igfxpers.exe[1676] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[1676] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\Windows\System32\igfxpers.exe[1676] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\Windows\System32\igfxpers.exe[1676] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\igfxpers.exe[1676] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\Windows\System32\igfxpers.exe[1676] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\Windows\System32\igfxpers.exe[1676] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\Windows\System32\igfxpers.exe[1676] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\Windows\System32\igfxpers.exe[1676] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Windows\System32\igfxpers.exe[1676] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\Windows\System32\igfxpers.exe[1676] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\Windows\System32\igfxpers.exe[1676] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\System32\spoolsv.exe[1684] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\System32\spoolsv.exe[1684] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\System32\spoolsv.exe[1684] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\System32\spoolsv.exe[1684] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\System32\spoolsv.exe[1684] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\System32\spoolsv.exe[1684] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\System32\spoolsv.exe[1684] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\System32\spoolsv.exe[1684] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\System32\spoolsv.exe[1684] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\System32\spoolsv.exe[1684] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\System32\spoolsv.exe[1684] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\System32\spoolsv.exe[1684] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\System32\spoolsv.exe[1684] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\System32\spoolsv.exe[1684] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [80, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 718D000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 7187000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 7184000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[1696] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 718A000A .text C:\Program Files\Elantech\ETDCtrl.exe[1712] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Elantech\ETDCtrl.exe[1712] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\Program Files\Elantech\ETDCtrl.exe[1712] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Elantech\ETDCtrl.exe[1712] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\Program Files\Elantech\ETDCtrl.exe[1712] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Elantech\ETDCtrl.exe[1712] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Elantech\ETDCtrl.exe[1712] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\Program Files\Elantech\ETDCtrl.exe[1712] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\Program Files\Elantech\ETDCtrl.exe[1712] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\Program Files\Elantech\ETDCtrl.exe[1712] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\Program Files\Elantech\ETDCtrl.exe[1712] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\Program Files\Elantech\ETDCtrl.exe[1712] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\Program Files\Elantech\ETDCtrl.exe[1712] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\Program Files\Elantech\ETDCtrl.exe[1712] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [80, 71] .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 7187000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 7184000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 718A000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 718D000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe[1772] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\taskhost.exe[1792] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\taskhost.exe[1792] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\taskhost.exe[1792] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\taskhost.exe[1792] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\taskhost.exe[1792] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\taskhost.exe[1792] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\taskhost.exe[1792] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\taskhost.exe[1792] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\taskhost.exe[1792] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\taskhost.exe[1792] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\taskhost.exe[1792] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\taskhost.exe[1792] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\taskhost.exe[1792] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\taskhost.exe[1792] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\igfxsrvc.exe[1844] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\igfxsrvc.exe[1844] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\igfxsrvc.exe[1844] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\igfxsrvc.exe[1844] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\igfxsrvc.exe[1844] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\igfxsrvc.exe[1844] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\igfxsrvc.exe[1844] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\igfxsrvc.exe[1844] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\igfxsrvc.exe[1844] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\igfxsrvc.exe[1844] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\igfxsrvc.exe[1844] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\igfxsrvc.exe[1844] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\igfxsrvc.exe[1844] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\igfxsrvc.exe[1844] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\DllHost.exe[2016] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\DllHost.exe[2016] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\DllHost.exe[2016] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\DllHost.exe[2016] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\DllHost.exe[2016] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\DllHost.exe[2016] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\DllHost.exe[2016] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\DllHost.exe[2016] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\DllHost.exe[2016] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\DllHost.exe[2016] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\DllHost.exe[2016] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\DllHost.exe[2016] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\DllHost.exe[2016] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\DllHost.exe[2016] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[2024] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2024] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [83, 71] .text C:\windows\system32\svchost.exe[2024] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2024] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[2024] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[2024] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2024] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\svchost.exe[2024] RPCRT4.dll!RpcServerRegisterIfEx 772F0898 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[2024] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[2024] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 7187000A .text C:\windows\system32\svchost.exe[2024] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[2024] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[2024] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[2024] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[2024] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7196000A .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\Program Files\AdTrustMedia\PrivDog\3.0.97.0\PrivDogService.exe[2100] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2184] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\wbem\wmiprvse.exe[2508] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\wbem\wmiprvse.exe[2508] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\wbem\wmiprvse.exe[2508] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\wbem\wmiprvse.exe[2508] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\wbem\wmiprvse.exe[2508] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\wbem\wmiprvse.exe[2508] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\wbem\wmiprvse.exe[2508] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\wbem\wmiprvse.exe[2508] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\wbem\wmiprvse.exe[2508] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\wbem\wmiprvse.exe[2508] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\wbem\wmiprvse.exe[2508] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\wbem\wmiprvse.exe[2508] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\wbem\wmiprvse.exe[2508] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\wbem\wmiprvse.exe[2508] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2520] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\SearchIndexer.exe[2544] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\SearchIndexer.exe[2544] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\SearchIndexer.exe[2544] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\SearchIndexer.exe[2544] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\SearchIndexer.exe[2544] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\SearchIndexer.exe[2544] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\SearchIndexer.exe[2544] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\SearchIndexer.exe[2544] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\SearchIndexer.exe[2544] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\SearchIndexer.exe[2544] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\SearchIndexer.exe[2544] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\SearchIndexer.exe[2544] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\SearchIndexer.exe[2544] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\SearchIndexer.exe[2544] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[2644] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2644] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\svchost.exe[2644] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2644] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[2644] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[2644] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2644] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\svchost.exe[2644] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[2644] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[2644] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[2644] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[2644] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[2644] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[2644] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\svchost.exe[2748] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2748] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\svchost.exe[2748] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2748] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\svchost.exe[2748] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\svchost.exe[2748] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\svchost.exe[2748] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\svchost.exe[2748] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\svchost.exe[2748] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\svchost.exe[2748] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\svchost.exe[2748] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\svchost.exe[2748] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\svchost.exe[2748] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\svchost.exe[2748] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\wbem\unsecapp.exe[3180] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\wbem\unsecapp.exe[3180] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\wbem\unsecapp.exe[3180] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\wbem\unsecapp.exe[3180] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\wbem\unsecapp.exe[3180] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\wbem\unsecapp.exe[3180] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\wbem\unsecapp.exe[3180] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\wbem\unsecapp.exe[3180] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\wbem\unsecapp.exe[3180] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\wbem\unsecapp.exe[3180] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\wbem\unsecapp.exe[3180] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\wbem\unsecapp.exe[3180] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\wbem\unsecapp.exe[3180] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\wbem\unsecapp.exe[3180] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\wbem\wmiprvse.exe[3284] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\wbem\wmiprvse.exe[3284] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\wbem\wmiprvse.exe[3284] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\wbem\wmiprvse.exe[3284] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\wbem\wmiprvse.exe[3284] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\wbem\wmiprvse.exe[3284] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\wbem\wmiprvse.exe[3284] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\wbem\wmiprvse.exe[3284] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\wbem\wmiprvse.exe[3284] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\wbem\wmiprvse.exe[3284] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\windows\system32\wbem\wmiprvse.exe[3284] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\wbem\wmiprvse.exe[3284] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\wbem\wmiprvse.exe[3284] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\wbem\wmiprvse.exe[3284] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!NtCreateFile 77655608 5 Bytes JMP 667B9AE0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!NtFlushBuffersFile 77655998 5 Bytes JMP 6679C434 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!NtQueryFullAttributesFile 77656028 5 Bytes JMP 6679C150 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!NtReadFile 776562F8 5 Bytes JMP 6679C330 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!NtReadFileScatter 77656308 5 Bytes JMP 671BF60F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!NtWriteFile 77656AA8 5 Bytes JMP 667BA9F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!NtWriteFileGather 77656AB8 5 Bytes JMP 671BF5BE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] ntdll.dll!LdrLoadDll 776722AE 5 Bytes JMP 72611F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 762594E6 7 Bytes JMP 670E4AA0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] kernel32.dll!QueryPerformanceCounter + 13 7625C4E5 7 Bytes JMP 670E4AC3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] kernel32.dll!LoadAppInitDlls + 355 7625F5A6 7 Bytes JMP 667B63D0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] USER32.dll!GetWindowInfo 77554B5E 5 Bytes JMP 66FDB991 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] GDI32.dll!GetViewportOrgEx + 26C 7776884B 7 Bytes JMP 670E4A21 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3552] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\notepad.exe[4004] ntdll.dll!NtAlpcSendWaitReceivePort 77655458 3 Bytes [FF, 25, 1E] .text C:\windows\system32\notepad.exe[4004] ntdll.dll!NtAlpcSendWaitReceivePort + 4 7765545C 2 Bytes [86, 71] .text C:\windows\system32\notepad.exe[4004] ntdll.dll!NtClose 77655508 3 Bytes [FF, 25, 1E] .text C:\windows\system32\notepad.exe[4004] ntdll.dll!NtClose + 4 7765550C 2 Bytes [AE, 71] .text C:\windows\system32\notepad.exe[4004] ntdll.dll!LdrUnloadDll 7766C8DE 6 Bytes JMP 71A8000A .text C:\windows\system32\notepad.exe[4004] kernel32.dll!CreateProcessInternalW 76260852 3 Bytes [FF, 25, 1E] .text C:\windows\system32\notepad.exe[4004] kernel32.dll!CreateProcessInternalW + 4 76260856 2 Bytes [9E, 71] .text C:\windows\system32\notepad.exe[4004] GDI32.dll!DeleteDC 77766EAA 6 Bytes JMP 7193000A .text C:\windows\system32\notepad.exe[4004] GDI32.dll!GetPixel 7776C3D5 6 Bytes JMP 7196000A .text C:\windows\system32\notepad.exe[4004] GDI32.dll!CreateDCA 7776CCA9 6 Bytes JMP 719C000A .text C:\windows\system32\notepad.exe[4004] GDI32.dll!CreateDCW 7776CF79 6 Bytes JMP 7199000A .text C:\windows\system32\notepad.exe[4004] USER32.dll!SetWindowsHookExW 7754E30C 6 Bytes JMP 718D000A .text C:\windows\system32\notepad.exe[4004] USER32.dll!SetWinEventHook 775524DC 6 Bytes JMP 718A000A .text C:\windows\system32\notepad.exe[4004] USER32.dll!SetWindowsHookExA 77576D0C 6 Bytes JMP 7190000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4068] ntdll.dll!NtAllocateVirtualMemory 77655318 5 Bytes JMP 001C1210 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[4068] ntdll.dll!NtCreateFile 77655608 5 Bytes JMP 001C1000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dbb854f Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{CC4C7337-A663-40FF-9BA7-F156E00B098C}@LeaseObtainedTime 1424377494 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{CC4C7337-A663-40FF-9BA7-F156E00B098C}@T1 1424420694 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{CC4C7337-A663-40FF-9BA7-F156E00B098C}@T2 1424453094 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{CC4C7337-A663-40FF-9BA7-F156E00B098C}@LeaseTerminatesTime 1424463894 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dbb854f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{30102086-5A45-11E4-8BB6-806E6F6E6963} 529497960 ---- EOF - GMER 2.1 ----