GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-06 21:49:48 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 GOODRAM rev.SAFM22.3 223,57GB Running: k977zej8.exe; Driver: C:\Users\Tomek\AppData\Local\Temp\kwddykog.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d6bde0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d6bfe0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d6bde0 8 bytes JMP 000000006fff00d8 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d6bfe0 8 bytes JMP 000000006fff0110 .text C:\Windows\system32\csrss.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 000000006fff0148 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\services.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076c02b60 13 bytes JMP 0000000036d60418 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076c11870 5 bytes JMP 0000000036d60298 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c1dd20 5 bytes JMP 0000000036d60238 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076c8f6e0 8 bytes JMP 0000000036d60598 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076c8f710 5 bytes JMP 0000000036d604d8 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076c8f7e0 10 bytes JMP 0000000036d60358 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076c8f8e0 8 bytes JMP 0000000036d60538 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076c8f910 10 bytes JMP 0000000036d603b8 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076c8f940 10 bytes JMP 0000000036d602f8 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c95730 5 bytes JMP 0000000036d60478 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed42930 5 bytes JMP 000007febc6802f8 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076b0f804 9 bytes JMP 0000000036d60658 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076b14ccc 5 bytes JMP 0000000036d606b8 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076b28bd0 12 bytes JMP 0000000036d605f8 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc680538 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc6803b8 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc680418 .text C:\Windows\system32\services.exe[684] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680478 .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\lsass.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\lsass.exe[720] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\lsass.exe[720] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\lsass.exe[720] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\system32\lsass.exe[720] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\lsass.exe[720] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\system32\lsass.exe[720] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\system32\lsass.exe[720] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\system32\lsm.exe[728] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\lsm.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\lsm.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\lsm.exe[728] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\lsm.exe[728] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\lsm.exe[728] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\system32\lsm.exe[728] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\lsm.exe[728] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\system32\lsm.exe[728] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\system32\lsm.exe[728] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed42930 5 bytes JMP 000007febc6802f8 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc680538 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc6803b8 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc680418 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680478 .text C:\Windows\system32\svchost.exe[836] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076c02b60 13 bytes JMP 0000000036d60418 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076c11870 5 bytes JMP 0000000036d60298 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c1dd20 5 bytes JMP 0000000036d60238 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076c8f6e0 8 bytes JMP 0000000036d60598 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076c8f710 5 bytes JMP 0000000036d604d8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076c8f7e0 10 bytes JMP 0000000036d60358 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076c8f8e0 8 bytes JMP 0000000036d60538 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076c8f910 10 bytes JMP 0000000036d603b8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076c8f940 10 bytes JMP 0000000036d602f8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c95730 5 bytes JMP 0000000036d60478 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[896] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed42930 5 bytes JMP 000007febc6802f8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc680538 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc6803b8 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc680418 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680478 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d6beb0 8 bytes JMP 000000006fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d6c060 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d6c280 1 byte JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 2 0000000076d6c282 6 bytes {JMP 0xfffffffff9283e90} .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076c02b60 13 bytes JMP 0000000036d60418 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076c11870 5 bytes JMP 0000000036d60298 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c1dd20 5 bytes JMP 0000000036d60238 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076c8f6e0 8 bytes JMP 0000000036d60598 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076c8f710 5 bytes JMP 0000000036d604d8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076c8f7e0 10 bytes JMP 0000000036d60358 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076c8f8e0 8 bytes JMP 0000000036d60538 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076c8f910 10 bytes JMP 0000000036d603b8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076c8f940 10 bytes JMP 0000000036d602f8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c95730 5 bytes JMP 0000000036d60478 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe[412] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\System32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\System32\svchost.exe[608] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\System32\svchost.exe[608] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\System32\svchost.exe[608] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\System32\svchost.exe[608] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\System32\svchost.exe[608] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\System32\svchost.exe[608] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\System32\svchost.exe[608] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\System32\svchost.exe[608] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Windows\System32\svchost.exe[172] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\System32\svchost.exe[172] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\System32\svchost.exe[172] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076c02b60 13 bytes JMP 0000000036d60418 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076c11870 5 bytes JMP 0000000036d60298 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c1dd20 5 bytes JMP 0000000036d60238 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076c8f6e0 8 bytes JMP 0000000036d60598 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076c8f710 5 bytes JMP 0000000036d604d8 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076c8f7e0 10 bytes JMP 0000000036d60358 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076c8f8e0 8 bytes JMP 0000000036d60538 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076c8f910 10 bytes JMP 0000000036d603b8 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076c8f940 10 bytes JMP 0000000036d602f8 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c95730 5 bytes JMP 0000000036d60478 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\System32\svchost.exe[172] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\system32\svchost.exe[1056] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076c02b60 13 bytes JMP 0000000036d60418 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076c11870 5 bytes JMP 0000000036d60298 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c1dd20 5 bytes JMP 0000000036d60238 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076c8f6e0 8 bytes JMP 0000000036d60598 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076c8f710 5 bytes JMP 0000000036d604d8 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076c8f7e0 10 bytes JMP 0000000036d60358 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076c8f8e0 8 bytes JMP 0000000036d60538 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076c8f910 10 bytes JMP 0000000036d603b8 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076c8f940 10 bytes JMP 0000000036d602f8 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c95730 5 bytes JMP 0000000036d60478 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed42930 5 bytes JMP 000007febc6802f8 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc680538 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc6803b8 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc680418 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680478 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\system32\svchost.exe[1388] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007fefed42930 5 bytes JMP 000007febc6802f8 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc680538 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc6803b8 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc680418 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680478 .text C:\Windows\system32\svchost.exe[1512] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Windows\system32\IProsetMonitor.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\IProsetMonitor.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\IProsetMonitor.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\IProsetMonitor.exe[1584] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\IProsetMonitor.exe[1584] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\IProsetMonitor.exe[1584] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\system32\IProsetMonitor.exe[1584] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\IProsetMonitor.exe[1584] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\system32\IProsetMonitor.exe[1584] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\system32\IProsetMonitor.exe[1584] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\system32\IProsetMonitor.exe[1584] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f1f9f0 5 bytes JMP 00000000721b2e50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f20560 5 bytes JMP 00000000721ab690 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f3d2f6 7 bytes JMP 00000000721b2cd0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074823bbb 5 bytes JMP 00000000721a5520 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074829abc 2 bytes JMP 000000007219efe0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000074829abf 2 bytes [97, FD] .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074833b7a 7 bytes JMP 000000007219fba0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007483cd11 5 bytes JMP 000000007219ecd0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007488ddde 7 bytes JMP 000000007219f210 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007488de81 7 bytes JMP 000000007219f520 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007642fcda 5 bytes JMP 00000000721a6400 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076432e0b 4 bytes CALL 6f880000 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007687ee21 5 bytes JMP 00000000721b39d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768881f5 5 bytes JMP 00000000721b3300 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076888f4c 5 bytes JMP 00000000721b3040 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000751858b3 5 bytes JMP 00000000721a16e0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075187be4 5 bytes JMP 00000000721a0650 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007518ae92 5 bytes JMP 00000000721a1c70 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007518b99a 5 bytes JMP 00000000721a17b0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007518c09c 5 bytes JMP 00000000721a19f0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\isesrv.exe[1684] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007518e945 5 bytes JMP 00000000721a0800 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\system32\taskhost.exe[1712] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\system32\Dwm.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\Dwm.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\Dwm.exe[1772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\Dwm.exe[1772] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\Dwm.exe[1772] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\Dwm.exe[1772] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\system32\Dwm.exe[1772] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\Dwm.exe[1772] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\system32\Dwm.exe[1772] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\system32\Dwm.exe[1772] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\Explorer.EXE[1812] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076c02b60 13 bytes JMP 0000000036d60418 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076c11870 5 bytes JMP 0000000036d60298 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c1dd20 5 bytes JMP 0000000036d60238 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076c8f6e0 8 bytes JMP 0000000036d60598 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076c8f710 5 bytes JMP 0000000036d604d8 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076c8f7e0 10 bytes JMP 0000000036d60358 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076c8f8e0 8 bytes JMP 0000000036d60538 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076c8f910 10 bytes JMP 0000000036d603b8 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076c8f940 10 bytes JMP 0000000036d602f8 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c95730 5 bytes JMP 0000000036d60478 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\Explorer.EXE[1812] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\system32\svchost.exe[2052] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f1f9f0 5 bytes JMP 00000000721b2e50 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f20560 5 bytes JMP 00000000721ab690 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f3d2f6 7 bytes JMP 00000000721b2cd0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074823bbb 5 bytes JMP 00000000721a5520 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074829abc 2 bytes JMP 000000007219efe0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000074829abf 2 bytes [97, FD] .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074833b7a 7 bytes JMP 000000007219fba0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007483cd11 5 bytes JMP 000000007219ecd0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007488ddde 7 bytes JMP 000000007219f210 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007488de81 7 bytes JMP 000000007219f520 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007642fcda 5 bytes JMP 00000000721a6400 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076432e0b 4 bytes CALL 70610000 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007687ee21 5 bytes JMP 00000000721b39d0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768881f5 5 bytes JMP 00000000721b3300 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076888f4c 5 bytes JMP 00000000721b3040 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000751858b3 5 bytes JMP 00000000721a16e0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075187be4 5 bytes JMP 00000000721a0650 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007518ae92 5 bytes JMP 00000000721a1c70 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007518b99a 5 bytes JMP 00000000721a17b0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007518c09c 5 bytes JMP 00000000721a19f0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007518e945 5 bytes JMP 00000000721a0800 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076719c5b 5 bytes JMP 000000001000a4d0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\syswow64\ole32.dll!CoCreateInstanceEx 0000000076719f43 5 bytes JMP 000000001000a630 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveOutOpen 0000000071cb451e 5 bytes JMP 000000001000ab40 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveOutClose 0000000071cb4b6d 5 bytes JMP 000000001000abb0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveOutUnprepareHeader 0000000071cb4bf2 5 bytes JMP 000000001000ac90 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveOutPrepareHeader 0000000071cb4f0f 5 bytes JMP 000000001000ac50 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveOutWrite 0000000071cb4f7b 5 bytes JMP 000000001000ac10 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveInOpen 0000000071cb9054 5 bytes JMP 000000001000ad10 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveOutReset 0000000071cbadf9 5 bytes JMP 000000001000abe0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveOutGetVolume 0000000071cd52e8 5 bytes JMP 000000001000acd0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveOutSetVolume 0000000071cd535f 5 bytes JMP 000000001000acf0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveInClose 0000000071cd59cc 5 bytes JMP 000000001000ae40 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveInPrepareHeader 0000000071cd5a6a 5 bytes JMP 000000001000aec0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveInUnprepareHeader 0000000071cd5ad7 5 bytes JMP 000000001000af00 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveInAddBuffer 0000000071cd5b5b 5 bytes JMP 000000001000af40 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveInStart 0000000071cd5bba 5 bytes JMP 000000001000af80 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveInStop 0000000071cd5bee 5 bytes JMP 000000001000b000 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveInReset 0000000071cd5c22 5 bytes JMP 000000001000b060 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\WINMM.dll!waveInGetPosition 0000000071cd5c67 5 bytes JMP 000000001000b0d0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate 0000000073947e3d 5 bytes JMP 000000001000a690 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCreate8 000000007397de69 5 bytes JMP 000000001000a770 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate 000000007398d2c5 5 bytes JMP 000000001000a8a0 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundCaptureCreate8 000000007398d371 5 bytes JMP 000000001000a990 .text C:\Windows\SysWOW64\HsMgr.exe[2192] C:\Windows\SysWOW64\DSOUND.dll!DirectSoundFullDuplexCreate 000000007398d429 5 bytes JMP 000000001000aa80 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\kernel32.dll!MoveFileExW 0000000076c02b60 13 bytes JMP 0000000036d60418 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\kernel32.dll!CopyFileExW 0000000076c11870 5 bytes JMP 0000000036d60298 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076c1dd20 5 bytes JMP 0000000036d60238 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\kernel32.dll!MoveFileWithProgressW 0000000076c8f6e0 8 bytes JMP 0000000036d60598 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\kernel32.dll!MoveFileTransactedW 0000000076c8f710 5 bytes JMP 0000000036d604d8 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\kernel32.dll!MoveFileW 0000000076c8f7e0 10 bytes JMP 0000000036d60358 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\kernel32.dll!MoveFileWithProgressA 0000000076c8f8e0 8 bytes JMP 0000000036d60538 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\kernel32.dll!MoveFileExA 0000000076c8f910 10 bytes JMP 0000000036d603b8 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\kernel32.dll!MoveFileA 0000000076c8f940 10 bytes JMP 0000000036d602f8 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\kernel32.dll!MoveFileTransactedA 0000000076c95730 5 bytes JMP 0000000036d60478 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\ole32.dll!CoCreateInstanceEx 000007fefee3d1b0 7 bytes JMP 000007fefec80110 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007fefec800d8 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveOutClose 000007fefb6336ac 5 bytes JMP 000007fefec801f0 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveOutUnprepareHeader 000007fefb633770 5 bytes JMP 000007fefec80298 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveOutOpen 000007fefb6338d0 5 bytes JMP 000007fefec801b8 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveOutPrepareHeader 000007fefb633ca4 5 bytes JMP 000007fefec80260 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveOutWrite 000007fefb633d40 5 bytes JMP 000007fefec80228 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveInOpen 000007fefb637fe0 7 bytes JMP 000007fefec80378 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveOutReset 000007fefb63a38c 5 bytes JMP 000007fefec802d0 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveOutGetVolume 000007fefb6549f0 5 bytes JMP 000007fefec80308 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveOutSetVolume 000007fefb654ab0 5 bytes JMP 000007fefec80340 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveInClose 000007fefb6552e0 5 bytes JMP 000007fefec803b0 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveInPrepareHeader 000007fefb6553c0 5 bytes JMP 000007fefec80490 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveInUnprepareHeader 000007fefb655454 5 bytes JMP 000007fefec804c8 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveInAddBuffer 000007fefb655514 5 bytes JMP 000007fefec80500 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveInStart 000007fefb6555a4 6 bytes JMP 000007fefec803e8 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveInStop 000007fefb6555e4 6 bytes JMP 000007fefec80420 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveInReset 000007fefb655624 5 bytes JMP 000007fefec80458 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\WINMM.dll!waveInGetPosition 000007fefb65567c 5 bytes JMP 000007fefec80538 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\DSOUND.dll!DirectSoundCreate8 000007fef4a96944 7 bytes JMP 000007fefec80180 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\DSOUND.dll!DirectSoundCreate 000007fef4ab5a84 7 bytes JMP 000007fefec80148 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate 000007fef4ab5b90 7 bytes JMP 000007fefec80570 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\DSOUND.dll!DirectSoundCaptureCreate8 000007fef4ab5c94 7 bytes JMP 000007fefec805a8 .text C:\Windows\system\HsMgr64.exe[2204] C:\Windows\system32\DSOUND.dll!DirectSoundFullDuplexCreate 000007fef4ab5da8 5 bytes JMP 000007fefec805e0 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f1f9f0 5 bytes JMP 00000000721b2e50 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f20560 5 bytes JMP 00000000721ab690 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f3d2f6 7 bytes JMP 00000000721b2cd0 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074823bbb 5 bytes JMP 00000000721a5520 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074829abc 2 bytes JMP 000000007219efe0 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000074829abf 2 bytes [97, FD] .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074833b7a 7 bytes JMP 000000007219fba0 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007483cd11 5 bytes JMP 000000007219ecd0 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007488ddde 7 bytes JMP 000000007219f210 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007488de81 7 bytes JMP 000000007219f520 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007642fcda 5 bytes JMP 00000000721a6400 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076432e0b 4 bytes CALL 6ea60000 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007687ee21 5 bytes JMP 00000000721b39d0 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768881f5 5 bytes JMP 00000000721b3300 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076888f4c 5 bytes JMP 00000000721b3040 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000751858b3 5 bytes JMP 00000000721a16e0 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075187be4 5 bytes JMP 00000000721a0650 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007518ae92 5 bytes JMP 00000000721a1c70 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007518b99a 5 bytes JMP 00000000721a17b0 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007518c09c 5 bytes JMP 00000000721a19f0 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007518e945 5 bytes JMP 00000000721a0800 .text C:\Program Files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE[2260] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076719c5b 5 bytes JMP 00000000721ac2e0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f1f9f0 5 bytes JMP 00000000721b2e50 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f20560 5 bytes JMP 00000000721ab690 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f3d2f6 7 bytes JMP 00000000721b2cd0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074823bbb 5 bytes JMP 00000000721a5520 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074829abc 2 bytes JMP 000000007219efe0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000074829abf 2 bytes [97, FD] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074833b7a 7 bytes JMP 000000007219fba0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007483cd11 5 bytes JMP 000000007219ecd0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007488ddde 7 bytes JMP 000000007219f210 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007488de81 7 bytes JMP 000000007219f520 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007642fcda 5 bytes JMP 00000000721a6400 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076432e0b 4 bytes CALL 6e540000 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000751858b3 5 bytes JMP 00000000721a16e0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075187be4 5 bytes JMP 00000000721a0650 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007518ae92 5 bytes JMP 00000000721a1c70 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007518b99a 5 bytes JMP 00000000721a17b0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007518c09c 5 bytes JMP 00000000721a19f0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007518e945 5 bytes JMP 00000000721a0800 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007687ee21 5 bytes JMP 00000000721b39d0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768881f5 5 bytes JMP 00000000721b3300 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076888f4c 5 bytes JMP 00000000721b3040 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[2364] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076719c5b 5 bytes JMP 00000000721ac2e0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f1f9f0 5 bytes JMP 00000000721b2e50 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f20560 5 bytes JMP 00000000721ab690 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f3d2f6 7 bytes JMP 00000000721b2cd0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074823bbb 5 bytes JMP 00000000721a5520 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074829abc 2 bytes JMP 000000007219efe0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000074829abf 2 bytes [97, FD] .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074833b7a 7 bytes JMP 000000007219fba0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007483cd11 5 bytes JMP 000000007219ecd0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007488ddde 7 bytes JMP 000000007219f210 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007488de81 7 bytes JMP 000000007219f520 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007642fcda 5 bytes JMP 00000000721a6400 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076432e0b 4 bytes CALL 6d2d0000 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007687ee21 5 bytes JMP 00000000721b39d0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768881f5 5 bytes JMP 00000000721b3300 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076888f4c 5 bytes JMP 00000000721b3040 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000751858b3 5 bytes JMP 00000000721a16e0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075187be4 5 bytes JMP 00000000721a0650 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007518ae92 5 bytes JMP 00000000721a1c70 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007518b99a 5 bytes JMP 00000000721a17b0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007518c09c 5 bytes JMP 00000000721a19f0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007518e945 5 bytes JMP 00000000721a0800 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076719c5b 5 bytes JMP 00000000721ac2e0 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075311401 2 bytes JMP 7483b233 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075311419 2 bytes JMP 7483b35e C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075311431 2 bytes JMP 748b9149 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007531144a 2 bytes CALL 74814885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753114dd 2 bytes JMP 748b8a42 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753114f5 2 bytes JMP 748b8c18 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007531150d 2 bytes JMP 748b8938 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075311525 2 bytes JMP 748b8d02 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007531153d 2 bytes JMP 7482fcc0 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075311555 2 bytes JMP 74836907 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007531156d 2 bytes JMP 748b9201 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075311585 2 bytes JMP 748b8d62 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007531159d 2 bytes JMP 748b88fc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753115b5 2 bytes JMP 7482fd59 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753115cd 2 bytes JMP 7483b2f4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753116b2 2 bytes JMP 748b90c4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\COMODO\Internet Security Essentials\vkise.exe[2404] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753116bd 2 bytes JMP 748b8891 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d6beb0 8 bytes JMP 000000006fff0148 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000076d6c060 8 bytes JMP 000000006fff0110 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000076d6c280 8 bytes JMP 000000006fff00d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2636] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2636] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2636] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2636] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2636] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2636] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2636] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2636] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[1612] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d6beb0 8 bytes JMP 000000006fff00d8 .text C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\System32\svchost.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\System32\svchost.exe[1344] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d42280 5 bytes JMP 0000000036d601d8 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtClose 0000000076d6be20 8 bytes JMP 0000000036d60178 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d6c580 8 bytes JMP 0000000036d60718 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\KERNELBASE.dll!DefineDosDeviceW 000007fefcadff00 5 bytes JMP 000007febc680238 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!DeleteDC 000007fefec922f0 5 bytes JMP 000007febc6804d8 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!GdiAlphaBlend 000007fefec93e40 5 bytes JMP 000007febc680478 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!CreateDCW 000007fefec981b4 9 bytes JMP 000007febc680358 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!CreateDCA 000007fefec987f4 9 bytes JMP 000007febc6802f8 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!GetPixel 000007fefec98d4c 5 bytes JMP 000007febc6803b8 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\GDI32.dll!GdiTransparentBlt 000007fefeca52e0 5 bytes JMP 000007febc680418 .text C:\Windows\system32\AUDIODG.EXE[3092] C:\Windows\System32\ole32.dll!CoCreateInstance 000007fefee54650 6 bytes JMP 000007febc680298 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000076f1f9f0 5 bytes JMP 00000000721b2e50 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076f20560 5 bytes JMP 00000000721ab690 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f3d2f6 7 bytes JMP 00000000721b2cd0 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000074823bbb 5 bytes JMP 00000000721a5520 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW 0000000074829abc 2 bytes JMP 000000007219efe0 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressW + 3 0000000074829abf 2 bytes [97, FD] .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\kernel32.dll!CopyFileExW 0000000074833b7a 7 bytes JMP 000000007219fba0 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\kernel32.dll!MoveFileWithProgressA 000000007483cd11 5 bytes JMP 000000007219ecd0 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedA 000000007488ddde 7 bytes JMP 000000007219f210 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\kernel32.dll!MoveFileTransactedW 000000007488de81 7 bytes JMP 000000007219f520 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\KERNELBASE.dll!DefineDosDeviceW 000000007642fcda 5 bytes JMP 00000000721a6400 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 559 0000000076432e0b 4 bytes CALL 6e4a0000 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007687ee21 5 bytes JMP 00000000721b39d0 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000768881f5 5 bytes JMP 00000000721b3300 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000076888f4c 5 bytes JMP 00000000721b3040 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000751858b3 5 bytes JMP 00000000721a16e0 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075187be4 5 bytes JMP 00000000721a0650 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\GDI32.dll!GdiAlphaBlend 000000007518ae92 5 bytes JMP 00000000721a1c70 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007518b99a 5 bytes JMP 00000000721a17b0 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\GDI32.dll!GdiTransparentBlt 000000007518c09c 5 bytes JMP 00000000721a19f0 .text C:\Users\Tomek\Desktop\k977zej8.exe[3912] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007518e945 5 bytes JMP 00000000721a0800 ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef7a7741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef7a75f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef7a75674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef7a75e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef7a77f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef7a76a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef7a76ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef7a77b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef7a77ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef7a778b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef7a74fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef7a75d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1992] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef7a77584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\Dwm.exe [1772:1416] 000007fef613d418 ---- Registry - GMER 2.2 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Tomek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Medal of Honor Pacific Assault\x2122\Medal of Honor Pacific Assault\x2122.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Medal of Honor Pacific Assault\x2122\Medal of Honor Pacific Assault\x2122.lnk 1 ---- Files - GMER 2.2 ---- File C:\Users\Tomek\AppData\Local\Temp\tmpDEEC.tmp 30720 bytes ---- EOF - GMER 2.2 ----