GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-01-15 14:20:22 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD502HJ rev.1AJ10001 465,76GB Running: dvj81b4o.exe; Driver: C:\Users\LADYCS~1\AppData\Local\Temp\ugldqpog.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x89748580] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x8974898C] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcCreatePort [0x8974893A] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwConnectPort [0x897477C6] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateEvent [0x8974689C] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateEventPair [0x897468F4] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateFile [0x897481AE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateMutant [0x89746846] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreatePort [0x897467EE] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSection [0x89747ECA] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSemaphore [0x89746946] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x8974981E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThread [0x89747170] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x89748BD6] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwLoadDriver [0x89749224] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x89747A9E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenFile [0x897483A6] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenSection [0x89747D52] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetInformationProcess [0x89748774] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x89749524] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x89747A14] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x89747C3E] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateProcess [0x897475A6] SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateThread [0x89747374] ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwRollbackTransaction + 13F9 83080829 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830A5132 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 230 830AC910 4 Bytes [80, 85, 74, 89] .text ntkrnlpa.exe!RtlSidHashLookup + 258 830AC938 8 Bytes [8C, 89, 74, 89, 3A, 89, 74, ...] {MOV [ECX-0x76c5768c], CS; JZ 0xffffff91} .text ntkrnlpa.exe!RtlSidHashLookup + 2EC 830AC9CC 4 Bytes [C6, 77, 74, 89] .text ntkrnlpa.exe!RtlSidHashLookup + 300 830AC9E0 12 Bytes [9C, 68, 74, 89, F4, 68, 74, ...] .text ntkrnlpa.exe!RtlSidHashLookup + 328 830ACA08 4 Bytes [46, 68, 74, 89] .text ... .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x88F5F774] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90426000, 0x3DBA20, 0xE8000020] ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[416] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 5 Bytes JMP 75642200 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[416] ntdll.dll!NtReplyWaitReceivePort 774E5500 5 Bytes JMP 756418F0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[416] ntdll.dll!NtReplyWaitReceivePortEx 774E5510 5 Bytes JMP 75641D70 C:\Windows\system32\cmdcsr.dll .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [68, 71] .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 717B000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 7184000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 7187000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7181000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 717E000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 718A000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 716F000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 716C000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7172000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 7175000A .text C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe[436] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7178000A .text C:\Windows\system32\csrss.exe[508] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 5 Bytes JMP 75642200 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[508] ntdll.dll!NtReplyWaitReceivePort 774E5500 5 Bytes JMP 756418F0 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\csrss.exe[508] ntdll.dll!NtReplyWaitReceivePortEx 774E5510 5 Bytes JMP 75641D70 C:\Windows\system32\cmdcsr.dll .text C:\Windows\system32\services.exe[552] services.exe 00AB1608 4 Bytes [30, D9, 45, 75] .text C:\Windows\system32\services.exe[552] services.exe 00AB1618 4 Bytes [10, DD, 45, 75] .text C:\Windows\system32\services.exe[552] services.exe 00AB1638 4 Bytes [90, D6, 45, 75] .text C:\Windows\system32\services.exe[552] services.exe 00AB1648 4 Bytes [30, DB, 45, 75] .text C:\Windows\system32\services.exe[552] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[552] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\services.exe[552] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[552] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\services.exe[552] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\services.exe[552] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 717E000A .text C:\Windows\system32\services.exe[552] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 7187000A .text C:\Windows\system32\services.exe[552] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\services.exe[552] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\services.exe[552] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718A000A .text C:\Windows\system32\services.exe[552] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7184000A .text C:\Windows\system32\services.exe[552] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7181000A .text C:\Windows\system32\services.exe[552] RPCRT4.dll!RpcServerRegisterIfEx 77412640 6 Bytes JMP 7199000A .text C:\Windows\system32\services.exe[552] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7178000A .text C:\Windows\system32\services.exe[552] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7175000A .text C:\Windows\system32\services.exe[552] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717B000A .text C:\Windows\system32\services.exe[552] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 718D000A .text C:\Windows\system32\services.exe[552] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7196000A .text C:\Windows\system32\services.exe[552] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7193000A .text C:\Windows\system32\services.exe[552] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7190000A .text C:\Windows\system32\services.exe[552] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\lsass.exe[568] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[568] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\lsass.exe[568] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[568] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\lsass.exe[568] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsass.exe[568] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\lsass.exe[568] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\lsass.exe[568] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsass.exe[568] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\lsass.exe[568] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\lsass.exe[568] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\lsass.exe[568] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\lsass.exe[568] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\lsass.exe[568] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\lsass.exe[568] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\lsass.exe[568] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\lsass.exe[568] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\lsass.exe[568] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\lsass.exe[568] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\lsass.exe[568] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\lsm.exe[576] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[576] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\lsm.exe[576] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[576] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\lsm.exe[576] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\lsm.exe[576] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\lsm.exe[576] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\lsm.exe[576] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\lsm.exe[576] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\lsm.exe[576] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\lsm.exe[576] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\lsm.exe[576] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\lsm.exe[576] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\lsm.exe[576] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\lsm.exe[576] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\lsm.exe[576] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\lsm.exe[576] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\lsm.exe[576] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\lsm.exe[576] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\lsm.exe[576] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[756] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[756] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\svchost.exe[756] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[756] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[756] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[756] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[756] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[756] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[756] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[756] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[756] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[756] RPCRT4.dll!RpcServerRegisterIfEx 77412640 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[756] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[756] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[756] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[756] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[756] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[756] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[756] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[756] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[816] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[852] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[852] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\svchost.exe[852] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[852] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[852] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[852] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[852] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[852] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[852] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[852] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[852] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[852] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[852] RPCRT4.dll!RpcServerRegisterIfEx 77412640 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[852] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[852] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[852] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[852] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[852] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[852] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[852] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[852] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[852] rpcss.dll!CoGetComCatalog 74983A14 8 Bytes [70, CE, 45, 75, 30, CC, 45, ...] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] ntdll.dll!NtAllocateVirtualMemory 774E43C0 5 Bytes JMP 0116E930 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] ntdll.dll!NtCreateFile 774E46B0 5 Bytes JMP 0121A7A0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] ntdll.dll!NtOpenFile 774E4DC0 5 Bytes JMP 0121A6B0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[948] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1012] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1012] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[1012] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1012] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1012] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1012] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1012] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1012] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1012] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1012] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1012] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1012] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1012] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1012] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 716F000A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7172000A .text C:\Windows\system32\atiesrxx.exe[1056] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\atiesrxx.exe[1056] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\atiesrxx.exe[1056] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\atiesrxx.exe[1056] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\atiesrxx.exe[1056] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\atiesrxx.exe[1056] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\atiesrxx.exe[1056] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\atiesrxx.exe[1056] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\atiesrxx.exe[1056] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\atiesrxx.exe[1056] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\atiesrxx.exe[1056] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\atiesrxx.exe[1056] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\atiesrxx.exe[1056] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\atiesrxx.exe[1056] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\atiesrxx.exe[1056] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\atiesrxx.exe[1056] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\atiesrxx.exe[1056] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\atiesrxx.exe[1056] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\atiesrxx.exe[1056] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\atiesrxx.exe[1056] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1092] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1092] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\System32\svchost.exe[1092] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1092] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1092] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1092] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1092] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1092] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1092] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 716A000A .text C:\Windows\System32\svchost.exe[1092] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7172000A .text C:\Windows\System32\svchost.exe[1124] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1124] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\svchost.exe[1124] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1124] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[1124] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[1124] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[1124] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[1124] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[1124] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[1124] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[1124] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[1124] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\System32\svchost.exe[1124] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[1124] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[1124] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[1124] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[1124] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[1124] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[1124] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 716F000A .text C:\Windows\System32\svchost.exe[1124] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7172000A .text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1160] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1160] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1160] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1160] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1160] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1160] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1160] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1160] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1160] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1160] RPCRT4.dll!RpcServerRegisterIfEx 77412640 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1160] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1160] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[1160] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1160] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1160] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1160] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1160] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1160] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1160] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 715F000A .text C:\Windows\system32\svchost.exe[1160] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 716F000A .text C:\Windows\system32\AUDIODG.EXE[1228] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[1228] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\AUDIODG.EXE[1228] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[1228] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\AUDIODG.EXE[1228] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A7001E .text C:\Windows\system32\AUDIODG.EXE[1228] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7180001E .text C:\Windows\system32\AUDIODG.EXE[1228] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 7189001E .text C:\Windows\system32\AUDIODG.EXE[1228] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\AUDIODG.EXE[1228] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\AUDIODG.EXE[1228] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718C001E .text C:\Windows\system32\AUDIODG.EXE[1228] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7186001E .text C:\Windows\system32\AUDIODG.EXE[1228] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7183001E .text C:\Windows\system32\AUDIODG.EXE[1228] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717A001E .text C:\Windows\system32\AUDIODG.EXE[1228] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7177001E .text C:\Windows\system32\AUDIODG.EXE[1228] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717D001E .text C:\Windows\system32\AUDIODG.EXE[1228] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 718F001E .text C:\Windows\system32\AUDIODG.EXE[1228] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7198001E .text C:\Windows\system32\AUDIODG.EXE[1228] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7195001E .text C:\Windows\system32\AUDIODG.EXE[1228] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7192001E .text C:\Windows\system32\AUDIODG.EXE[1228] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719B001E .text C:\Windows\system32\svchost.exe[1296] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1296] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[1296] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1296] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1296] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1296] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1296] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1296] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1296] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1296] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1296] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1296] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1296] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1296] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\atieclxx.exe[1368] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\atieclxx.exe[1368] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\atieclxx.exe[1368] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\atieclxx.exe[1368] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\atieclxx.exe[1368] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\atieclxx.exe[1368] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\atieclxx.exe[1368] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\atieclxx.exe[1368] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\atieclxx.exe[1368] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\atieclxx.exe[1368] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\atieclxx.exe[1368] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\atieclxx.exe[1368] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\atieclxx.exe[1368] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\atieclxx.exe[1368] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\atieclxx.exe[1368] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\atieclxx.exe[1368] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\atieclxx.exe[1368] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\atieclxx.exe[1368] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\atieclxx.exe[1368] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\atieclxx.exe[1368] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\atieclxx.exe[1368] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 716F000A .text C:\Windows\system32\atieclxx.exe[1368] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7172000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [68, 71] .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 717B000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 7184000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 7187000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7181000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 717E000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 718A000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 716F000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 716C000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7172000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] shell32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 7175000A .text C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[1428] shell32.dll!SHFileOperation 761EE019 6 Bytes JMP 7178000A .text C:\Windows\system32\SearchIndexer.exe[1436] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[1436] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\SearchIndexer.exe[1436] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[1436] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\SearchIndexer.exe[1436] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchIndexer.exe[1436] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchIndexer.exe[1436] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\SearchIndexer.exe[1436] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchIndexer.exe[1436] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\SearchIndexer.exe[1436] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchIndexer.exe[1436] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchIndexer.exe[1436] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchIndexer.exe[1436] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\SearchIndexer.exe[1436] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\SearchIndexer.exe[1436] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchIndexer.exe[1436] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchIndexer.exe[1436] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchIndexer.exe[1436] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchIndexer.exe[1436] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchIndexer.exe[1436] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchIndexer.exe[1436] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 716F000A .text C:\Windows\system32\SearchIndexer.exe[1436] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7172000A .text C:\Program Files\netcut\services\AIPS.exe[1512] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\netcut\services\AIPS.exe[1512] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [65, 71] .text C:\Program Files\netcut\services\AIPS.exe[1512] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\netcut\services\AIPS.exe[1512] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\netcut\services\AIPS.exe[1512] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\netcut\services\AIPS.exe[1512] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7178000A .text C:\Program Files\netcut\services\AIPS.exe[1512] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 7181000A .text C:\Program Files\netcut\services\AIPS.exe[1512] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\netcut\services\AIPS.exe[1512] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\netcut\services\AIPS.exe[1512] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 7184000A .text C:\Program Files\netcut\services\AIPS.exe[1512] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 717E000A .text C:\Program Files\netcut\services\AIPS.exe[1512] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 717B000A .text C:\Program Files\netcut\services\AIPS.exe[1512] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 716C000A .text C:\Program Files\netcut\services\AIPS.exe[1512] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7169000A .text C:\Program Files\netcut\services\AIPS.exe[1512] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 716F000A .text C:\Program Files\netcut\services\AIPS.exe[1512] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7187000A .text C:\Program Files\netcut\services\AIPS.exe[1512] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\netcut\services\AIPS.exe[1512] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\netcut\services\AIPS.exe[1512] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\netcut\services\AIPS.exe[1512] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 7172000A .text C:\Program Files\netcut\services\AIPS.exe[1512] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7175000A .text C:\Program Files\netcut\services\AIPS.exe[1512] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[1576] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1576] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\taskhost.exe[1576] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1576] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\taskhost.exe[1576] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[1576] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\taskhost.exe[1576] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[1576] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[1576] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\taskhost.exe[1576] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\taskhost.exe[1576] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\taskhost.exe[1576] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\taskhost.exe[1576] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[1576] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\taskhost.exe[1576] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[1576] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\taskhost.exe[1576] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[1576] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\taskhost.exe[1576] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\taskhost.exe[1576] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[1632] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1632] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\taskeng.exe[1632] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1632] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[1632] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[1632] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[1632] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[1632] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1632] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\taskeng.exe[1632] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[1632] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[1632] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[1632] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\taskeng.exe[1632] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\taskeng.exe[1632] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[1632] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[1632] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[1632] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[1632] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[1632] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\System32\spoolsv.exe[1660] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1660] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\spoolsv.exe[1660] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1660] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\System32\spoolsv.exe[1660] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\System32\spoolsv.exe[1660] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\System32\spoolsv.exe[1660] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\System32\spoolsv.exe[1660] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\spoolsv.exe[1660] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\System32\spoolsv.exe[1660] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\System32\spoolsv.exe[1660] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\System32\spoolsv.exe[1660] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\System32\spoolsv.exe[1660] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\System32\spoolsv.exe[1660] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\System32\spoolsv.exe[1660] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\System32\spoolsv.exe[1660] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\System32\spoolsv.exe[1660] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\System32\spoolsv.exe[1660] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\System32\spoolsv.exe[1660] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\System32\spoolsv.exe[1660] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\taskeng.exe[1676] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1676] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\taskeng.exe[1676] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1676] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\taskeng.exe[1676] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskeng.exe[1676] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\taskeng.exe[1676] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\taskeng.exe[1676] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskeng.exe[1676] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\taskeng.exe[1676] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\taskeng.exe[1676] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\taskeng.exe[1676] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\taskeng.exe[1676] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\taskeng.exe[1676] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\taskeng.exe[1676] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\taskeng.exe[1676] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\taskeng.exe[1676] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\taskeng.exe[1676] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\taskeng.exe[1676] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\taskeng.exe[1676] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1704] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1704] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [71, 71] {JNO 0x73} .text C:\Windows\system32\svchost.exe[1704] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1704] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1704] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1704] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1704] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1704] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1704] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1704] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1704] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1704] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1704] RPCRT4.dll!RpcServerRegisterIfEx 77412640 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1704] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1704] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7175000A .text C:\Windows\system32\svchost.exe[1704] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1704] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1704] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1704] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1704] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1704] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\rundll32.exe[1812] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\rundll32.exe[1812] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Windows\system32\rundll32.exe[1812] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\rundll32.exe[1812] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\rundll32.exe[1812] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\rundll32.exe[1812] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\rundll32.exe[1812] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\rundll32.exe[1812] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\rundll32.exe[1812] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\rundll32.exe[1812] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\rundll32.exe[1812] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\rundll32.exe[1812] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\rundll32.exe[1812] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Windows\system32\rundll32.exe[1812] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Windows\system32\rundll32.exe[1812] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Windows\system32\rundll32.exe[1812] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\rundll32.exe[1812] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\rundll32.exe[1812] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\rundll32.exe[1812] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\rundll32.exe[1812] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Windows\system32\rundll32.exe[1812] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Windows\system32\rundll32.exe[1812] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\rundll32.exe[1836] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\rundll32.exe[1836] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Windows\system32\rundll32.exe[1836] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\rundll32.exe[1836] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\rundll32.exe[1836] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\rundll32.exe[1836] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\rundll32.exe[1836] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\rundll32.exe[1836] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\rundll32.exe[1836] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\rundll32.exe[1836] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\rundll32.exe[1836] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\rundll32.exe[1836] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\rundll32.exe[1836] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Windows\system32\rundll32.exe[1836] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Windows\system32\rundll32.exe[1836] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Windows\system32\rundll32.exe[1836] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\rundll32.exe[1836] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\rundll32.exe[1836] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\rundll32.exe[1836] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\rundll32.exe[1836] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Windows\system32\rundll32.exe[1836] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Windows\system32\rundll32.exe[1836] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1844] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 717B000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 7184000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 7187000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7181000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 717E000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 718A000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 7169000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[1904] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 716C000A .text C:\Windows\system32\svchost.exe[1932] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1932] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[1932] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1932] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[1932] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[1932] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[1932] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[1932] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[1932] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[1932] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[1932] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[1932] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[1932] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[1932] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[1932] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[1932] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[1932] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[1932] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[1932] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[1932] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[1932] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 716C000A .text C:\Windows\system32\svchost.exe[1932] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1972] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[2180] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2180] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\Dwm.exe[2180] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2180] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\Dwm.exe[2180] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[2180] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\Dwm.exe[2180] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[2180] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2180] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\Dwm.exe[2180] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[2180] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[2180] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\Dwm.exe[2180] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\Dwm.exe[2180] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[2180] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[2180] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[2180] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\Dwm.exe[2180] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\Dwm.exe[2180] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[2180] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2188] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2188] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[2188] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2188] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2188] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2188] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2188] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2188] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2188] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[2188] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2188] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2188] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2188] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[2188] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[2188] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2188] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2188] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2188] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[2188] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2188] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchProtocolHost.exe[2276] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\SearchProtocolHost.exe[2276] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchProtocolHost.exe[2276] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\SearchProtocolHost.exe[2276] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchProtocolHost.exe[2276] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\SearchProtocolHost.exe[2276] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 716F000A .text C:\Windows\system32\SearchProtocolHost.exe[2276] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7172000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Program Files\COMODO\COMODO Internet Security\cistray.exe[2312] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2356] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[2368] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2368] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\svchost.exe[2368] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2368] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[2368] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[2368] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[2368] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[2368] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[2368] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[2368] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[2368] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[2368] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[2368] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[2368] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\System32\svchost.exe[2368] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[2368] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[2368] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[2368] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[2368] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[2368] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2676] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\svchost.exe[2876] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2876] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\svchost.exe[2876] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2876] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\svchost.exe[2876] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\svchost.exe[2876] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\svchost.exe[2876] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\svchost.exe[2876] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\svchost.exe[2876] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\svchost.exe[2876] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\svchost.exe[2876] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\svchost.exe[2876] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\svchost.exe[2876] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\svchost.exe[2876] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\svchost.exe[2876] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\svchost.exe[2876] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\svchost.exe[2876] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\svchost.exe[2876] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\svchost.exe[2876] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\svchost.exe[2876] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[2932] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\wbem\wmiprvse.exe[2932] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[2932] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\wbem\wmiprvse.exe[2932] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\wbem\wmiprvse.exe[2932] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\wbem\wmiprvse.exe[2932] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\wbem\wmiprvse.exe[2932] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] ntdll.dll!NtAllocateVirtualMemory 774E43C0 5 Bytes JMP 00D82910 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] ntdll.dll!NtCreateFile 774E46B0 5 Bytes JMP 00D826C0 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] ntdll.dll!NtOpenFile 774E4DC0 5 Bytes JMP 00D825D0 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3024] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3116] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [68, 71] .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 717B000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 7184000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 7187000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7181000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 717E000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 718A000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 716F000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 716C000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7172000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 7175000A .text C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe[3132] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7178000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Program Files\Windows Sidebar\sidebar.exe[3168] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [68, 71] .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 717B000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] kernel32.dll!LoadLibraryExW 75C8B697 5 Bytes JMP 004F37E0 C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 7184000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 7187000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7181000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 717E000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 716F000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 716C000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7172000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 718A000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 7175000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7178000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] WS2_32.dll!WSASend 776068A7 5 Bytes JMP 029A0000 .text C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe[3176] WS2_32.dll!send 7760C4C8 5 Bytes JMP 02880000 .text C:\Windows\System32\WUDFHost.exe[3232] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\WUDFHost.exe[3232] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\WUDFHost.exe[3232] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\WUDFHost.exe[3232] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\System32\WUDFHost.exe[3232] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\System32\WUDFHost.exe[3232] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\System32\WUDFHost.exe[3232] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\System32\WUDFHost.exe[3232] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\WUDFHost.exe[3232] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\System32\WUDFHost.exe[3232] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\System32\WUDFHost.exe[3232] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\System32\WUDFHost.exe[3232] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\System32\WUDFHost.exe[3232] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\System32\WUDFHost.exe[3232] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\System32\WUDFHost.exe[3232] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\System32\WUDFHost.exe[3232] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\System32\WUDFHost.exe[3232] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\System32\WUDFHost.exe[3232] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\System32\WUDFHost.exe[3232] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\System32\WUDFHost.exe[3232] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[3592] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3592] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\System32\svchost.exe[3592] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3592] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\System32\svchost.exe[3592] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\System32\svchost.exe[3592] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\System32\svchost.exe[3592] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\System32\svchost.exe[3592] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\System32\svchost.exe[3592] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\System32\svchost.exe[3592] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\System32\svchost.exe[3592] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\System32\svchost.exe[3592] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\System32\svchost.exe[3592] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\System32\svchost.exe[3592] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\System32\svchost.exe[3592] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\System32\svchost.exe[3592] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\System32\svchost.exe[3592] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\System32\svchost.exe[3592] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\System32\svchost.exe[3592] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\System32\svchost.exe[3592] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\System32\svchost.exe[3592] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 716C000A .text C:\Windows\System32\svchost.exe[3592] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7172000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchProtocolHost.exe[3596] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\SearchProtocolHost.exe[3596] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchProtocolHost.exe[3596] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\SearchProtocolHost.exe[3596] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchProtocolHost.exe[3596] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\SearchProtocolHost.exe[3596] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 716F000A .text C:\Windows\system32\SearchProtocolHost.exe[3596] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7172000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Program Files\Google\Update\1.3.32.7\GoogleCrashHandler.exe[3608] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchFilterHost.exe[3668] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchFilterHost.exe[3668] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\SearchFilterHost.exe[3668] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchFilterHost.exe[3668] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\SearchFilterHost.exe[3668] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\SearchFilterHost.exe[3668] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\SearchFilterHost.exe[3668] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\SearchFilterHost.exe[3668] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\SearchFilterHost.exe[3668] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\SearchFilterHost.exe[3668] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\SearchFilterHost.exe[3668] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\SearchFilterHost.exe[3668] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\SearchFilterHost.exe[3668] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\SearchFilterHost.exe[3668] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\SearchFilterHost.exe[3668] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\SearchFilterHost.exe[3668] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\SearchFilterHost.exe[3668] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\SearchFilterHost.exe[3668] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\SearchFilterHost.exe[3668] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\SearchFilterHost.exe[3668] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] ntdll.dll!NtAllocateVirtualMemory 774E43C0 5 Bytes JMP 00F113A0 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3856] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\explorer.exe[3996] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\explorer.exe[3996] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [6E, 71] .text C:\Windows\explorer.exe[3996] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\explorer.exe[3996] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\explorer.exe[3996] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\explorer.exe[3996] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\explorer.exe[3996] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\explorer.exe[3996] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\explorer.exe[3996] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\explorer.exe[3996] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\explorer.exe[3996] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\explorer.exe[3996] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\explorer.exe[3996] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\explorer.exe[3996] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\explorer.exe[3996] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\explorer.exe[3996] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\explorer.exe[3996] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 7175000A .text C:\Windows\explorer.exe[3996] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7172000A .text C:\Windows\explorer.exe[3996] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 7178000A .text C:\Windows\explorer.exe[3996] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 717B000A .text C:\Windows\explorer.exe[3996] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 717E000A .text C:\Windows\explorer.exe[3996] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[4108] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[4108] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Windows\system32\taskhost.exe[4108] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[4108] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Windows\system32\taskhost.exe[4108] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[4108] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Windows\system32\taskhost.exe[4108] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[4108] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[4108] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Windows\system32\taskhost.exe[4108] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Windows\system32\taskhost.exe[4108] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Windows\system32\taskhost.exe[4108] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Windows\system32\taskhost.exe[4108] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[4108] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Windows\system32\taskhost.exe[4108] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[4108] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Windows\system32\taskhost.exe[4108] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[4108] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Windows\system32\taskhost.exe[4108] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Windows\system32\taskhost.exe[4108] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Windows\system32\taskhost.exe[4108] SHELL32.dll!SHFileOperationW 75FE9728 6 Bytes JMP 716F000A .text C:\Windows\system32\taskhost.exe[4108] SHELL32.dll!SHFileOperation 761EE019 6 Bytes JMP 7172000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] ntdll.dll!NtAlpcSendWaitReceivePort 774E4500 3 Bytes [FF, 25, 1E] .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] ntdll.dll!NtAlpcSendWaitReceivePort + 4 774E4504 2 Bytes [74, 71] {JZ 0x73} .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] ntdll.dll!NtClose 774E45B0 3 Bytes [FF, 25, 1E] .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] ntdll.dll!NtClose + 4 774E45B4 2 Bytes [AE, 71] .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] ntdll.dll!LdrUnloadDll 774FBD1F 6 Bytes JMP 71A8000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] kernel32.dll!CopyFileExW 75C8082B 6 Bytes JMP 7181000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] kernel32.dll!MoveFileWithProgressW 75C8BEDC 6 Bytes JMP 718A000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] kernel32.dll!CreateProcessInternalW 75C9428E 3 Bytes [FF, 25, 1E] .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] kernel32.dll!CreateProcessInternalW + 4 75C94292 2 Bytes [9E, 71] .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] kernel32.dll!MoveFileWithProgressA 75CA2FE3 6 Bytes JMP 718D000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] kernel32.dll!MoveFileTransactedA 75CCABEE 6 Bytes JMP 7187000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] kernel32.dll!MoveFileTransactedW 75CCAC91 6 Bytes JMP 7184000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] USER32.dll!SetWindowsHookExW 76F8210A 6 Bytes JMP 717B000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] USER32.dll!SetWinEventHook 76F8507E 6 Bytes JMP 7178000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] USER32.dll!SetWindowsHookExA 76FA6DFA 6 Bytes JMP 717E000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] GDI32.dll!DeleteDC 76F26A2C 6 Bytes JMP 7190000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] GDI32.dll!CreateDCA 76F29975 6 Bytes JMP 7199000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] GDI32.dll!CreateDCW 76F2BD21 6 Bytes JMP 7196000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] GDI32.dll!GetPixel 76F2C714 6 Bytes JMP 7193000A .text C:\Users\ladycstar\Downloads\dvj81b4o.exe[4404] ole32.dll!CoCreateInstance 75D757FC 6 Bytes JMP 719C000A ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [741924FA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [7417565B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [74175719] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [74192575] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [741885D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [74184D8D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [74185134] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [74185209] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74186736] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [74188330] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [7418887F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [741890E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [7418E283] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll IAT C:\Windows\explorer.exe[3996] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [74184CBF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll ---- Devices - GMER 2.2 ---- Device \FileSystem\Ntfs \Ntfs 852601F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{2D2D72AE-C00A-41DD-A4E3-F818116B5C23} 85FCF1F8 Device \Driver\usbuhci \Device\USBPDO-0 865011F8 Device \Driver\usbuhci \Device\USBPDO-1 865011F8 Device \Driver\usbuhci \Device\USBPDO-2 865011F8 Device \Driver\usbuhci \Device\USBPDO-3 865011F8 Device \Driver\usbehci \Device\USBPDO-4 864EA440 AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys Device \Driver\USBSTOR \Device\00000070 867C6440 Device \Driver\USBSTOR \Device\00000071 867C6440 Device \Driver\cdrom \Device\CdRom0 861AB1F8 Device \Driver\USBSTOR \Device\00000072 867C6440 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8525D1F8 Device \Driver\atapi \Device\Ide\IdePort0 8525D1F8 Device \Driver\atapi \Device\Ide\IdePort1 8525D1F8 Device \Driver\atapi \Device\Ide\IdePort2 8525D1F8 Device \Driver\atapi \Device\Ide\IdePort3 8525D1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-5 8525D1F8 Device \Driver\USBSTOR \Device\00000073 867C6440 Device \Driver\NetBT \Device\NetBt_Wins_Export 85FCF1F8 AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys Device \Driver\usbuhci \Device\USBFDO-0 865011F8 Device \Driver\usbuhci \Device\USBFDO-1 865011F8 Device \Driver\USBSTOR \Device\0000006e 867C6440 Device \Driver\usbuhci \Device\USBFDO-2 865011F8 Device \Driver\USBSTOR \Device\0000006f 867C6440 Device \Driver\usbuhci \Device\USBFDO-3 865011F8 Device \Driver\usbehci \Device\USBFDO-4 864EA440 ---- Trace I/O - GMER 2.2 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x8525d1f8]<< 8525d1f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8608f530] 8608f530 Trace 3 CLASSPNP.SYS[896bd59e] -> nt!IofCallDriver -> [0x85fba918] 85fba918 Trace 5 ACPI.sys[88f843b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x852ab908] 852ab908 Trace \Driver\atapi[0x85f98db8] -> IRP_MJ_CREATE -> 0x8525d1f8 8525d1f8 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 11625 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 34300 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFF 0x07 0xD2 0x8E ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x29 0xDF 0x73 0x7D ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x48 0x92 0x7A 0xA3 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFF 0x07 0xD2 0x8E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x29 0xDF 0x73 0x7D ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x48 0x92 0x7A 0xA3 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing@SessionIdLow -267137526 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@OfflineDetectionPending 1 ---- EOF - GMER 2.2 ----