GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-04-02 23:47:09 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JB-00JJC0 rev.05.01C05 74,53GB Running: gmer.exe; Driver: C:\DOCUME~1\x\USTAWI~1\Temp\ffryraog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xF57782A8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwClose [0xF57794C8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xF5777608] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xF5777F0E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateKey [0xF5778BD2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0xF5777CC2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xF577A392] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0xF5776FF4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xF5778494] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xF57786CE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDuplicateObject [0xF5776DFA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xF57795DE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xF57797B4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xF5779DC4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xF57778D0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0xF682814A] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0xF682821A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xF57780EA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xF5778B1E] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0xF6827D7C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xF5777B6A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenThread [0xF5776C2C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xF57798EA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xF5779B36] SSDT \??\C:\WINDOWS\system32\drivers\avgtpx86.sys ZwQueryValueKey [0xF78A81AE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xF5779136] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xF5778942] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xF577A0B0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xF5778E86] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xF577783A] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0xF6827F6A] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0xF6828000] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0xF5777A56] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0xF6827E32] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0xF6827ECE] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0xF682809C] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!_abnormal_termination + 21C 804E2888 4 Bytes [EA, 80, 77, F5] .text ntoskrnl.exe!_abnormal_termination + 2CC 804E2938 8 Bytes [EA, 98, 77, F5, 36, 9B, 77, ...] {JMP FAR 0x779b:0x36f57798; CMC } .text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [6A, 7F, 82, F6, 00, 80, 82, ...] {PUSH 0x7f; XOR DH, 0x0; ADD BYTE [EDX+0x777a56f6], 0xf5} ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\svchost.exe[464] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[464] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[464] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[464] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[464] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[464] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[464] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[464] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[464] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[464] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[464] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[464] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[464] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[464] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[464] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[464] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[464] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[464] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[464] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[464] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[580] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\csrss.exe[952] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 100015D0 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\csrss.exe[952] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 10001A40 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\services.exe[1024] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1024] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\services.exe[1024] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1024] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\services.exe[1024] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1024] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\services.exe[1024] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1024] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\services.exe[1024] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\services.exe[1024] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\services.exe[1024] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\services.exe[1024] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\services.exe[1024] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\services.exe[1024] RPCRT4.dll!RpcServerRegisterIfEx 77E8E04B 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\services.exe[1024] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\services.exe[1024] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\services.exe[1024] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\services.exe[1024] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\services.exe[1024] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\services.exe[1024] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\services.exe[1024] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\lsass.exe[1036] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1036] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\lsass.exe[1036] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1036] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [78, 71] {JS 0x73} .text C:\WINDOWS\system32\lsass.exe[1036] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1036] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [75, 71] {JNZ 0x73} .text C:\WINDOWS\system32\lsass.exe[1036] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1036] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A2, 71] .text C:\WINDOWS\system32\lsass.exe[1036] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\WINDOWS\system32\lsass.exe[1036] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719A000A .text C:\WINDOWS\system32\lsass.exe[1036] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7197000A .text C:\WINDOWS\system32\lsass.exe[1036] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7191000A .text C:\WINDOWS\system32\lsass.exe[1036] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7194000A .text C:\WINDOWS\system32\lsass.exe[1036] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\lsass.exe[1036] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\lsass.exe[1036] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\lsass.exe[1036] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7185000A .text C:\WINDOWS\system32\lsass.exe[1036] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7188000A .text C:\WINDOWS\system32\lsass.exe[1036] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718E000A .text C:\WINDOWS\system32\lsass.exe[1036] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718B000A .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1184] RPCRT4.dll!RpcServerRegisterIfEx 77E8E04B 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1184] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1184] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1184] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1184] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1184] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1252] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1252] RPCRT4.dll!RpcServerRegisterIfEx 77E8E04B 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1252] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1252] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1252] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1252] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1252] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1252] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1252] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1252] rpcss.dll!WhichService 76A64234 8 Bytes [10, 33, 01, 10, D0, 30, 01, ...] {ADC [EBX], DH; ADD [EAX], EDX; SAL BYTE [EAX], 0x1; ADD [EAX], EDX} .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1292] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00403FD0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1292] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0043DB90 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1340] RPCRT4.dll!RpcServerRegisterIfEx 77E8E04B 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1340] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1340] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1340] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1340] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1340] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1340] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1340] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718D000A .text C:\n\gmer\gmer.exe[1460] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\n\gmer\gmer.exe[1460] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\n\gmer\gmer.exe[1460] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\n\gmer\gmer.exe[1460] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\n\gmer\gmer.exe[1460] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\n\gmer\gmer.exe[1460] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\n\gmer\gmer.exe[1460] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\n\gmer\gmer.exe[1460] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\n\gmer\gmer.exe[1460] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\n\gmer\gmer.exe[1460] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\n\gmer\gmer.exe[1460] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\n\gmer\gmer.exe[1460] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\n\gmer\gmer.exe[1460] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\n\gmer\gmer.exe[1460] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\n\gmer\gmer.exe[1460] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\n\gmer\gmer.exe[1460] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\n\gmer\gmer.exe[1460] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\n\gmer\gmer.exe[1460] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\n\gmer\gmer.exe[1460] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\n\gmer\gmer.exe[1460] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\rundll32.exe[1520] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[1520] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\rundll32.exe[1520] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[1520] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\rundll32.exe[1520] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[1520] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\rundll32.exe[1520] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[1520] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\rundll32.exe[1520] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\rundll32.exe[1520] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\rundll32.exe[1520] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\rundll32.exe[1520] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\rundll32.exe[1520] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\rundll32.exe[1520] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\rundll32.exe[1520] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\rundll32.exe[1520] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\rundll32.exe[1520] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\rundll32.exe[1520] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\rundll32.exe[1520] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\rundll32.exe[1520] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1572] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1572] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1572] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1572] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1572] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1572] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1572] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1572] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1572] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1572] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1572] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1572] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1572] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1572] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1572] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1572] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1696] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1696] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1696] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1696] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1696] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1696] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1696] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1696] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\WINDOWS\Explorer.EXE[1704] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1704] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\Explorer.EXE[1704] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1704] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\Explorer.EXE[1704] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1704] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\Explorer.EXE[1704] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1704] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\Explorer.EXE[1704] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Explorer.EXE[1704] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\Explorer.EXE[1704] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\Explorer.EXE[1704] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\Explorer.EXE[1704] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[1704] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\WINDOWS\Explorer.EXE[1704] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\WINDOWS\Explorer.EXE[1704] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[1704] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\WINDOWS\Explorer.EXE[1704] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\WINDOWS\Explorer.EXE[1704] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\WINDOWS\Explorer.EXE[1704] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\spoolsv.exe[1804] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1804] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\spoolsv.exe[1804] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1804] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1804] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1804] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1804] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1804] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\spoolsv.exe[1804] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\spoolsv.exe[1804] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\spoolsv.exe[1804] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\spoolsv.exe[1804] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\spoolsv.exe[1804] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\spoolsv.exe[1804] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\spoolsv.exe[1804] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\spoolsv.exe[1804] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\spoolsv.exe[1804] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\spoolsv.exe[1804] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\spoolsv.exe[1804] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\spoolsv.exe[1804] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1868] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1868] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1868] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1868] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1868] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1868] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1868] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1868] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1868] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1868] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1868] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1868] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1868] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1868] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1868] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1868] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1868] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1868] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1868] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1868] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40ST7.EXE[1916] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\Documents and Settings\All Users\Dane aplikacji\EPSON\EPW!3 SSRP\E_S40RP7.EXE[1932] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1948] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\System32\FTRTSVC.exe[1956] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\FTRTSVC.exe[1956] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\FTRTSVC.exe[1956] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\FTRTSVC.exe[1956] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\System32\FTRTSVC.exe[1956] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\FTRTSVC.exe[1956] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\System32\FTRTSVC.exe[1956] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\FTRTSVC.exe[1956] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\System32\FTRTSVC.exe[1956] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\FTRTSVC.exe[1956] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\System32\FTRTSVC.exe[1956] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\System32\FTRTSVC.exe[1956] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\System32\FTRTSVC.exe[1956] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\System32\FTRTSVC.exe[1956] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\WINDOWS\System32\FTRTSVC.exe[1956] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\WINDOWS\System32\FTRTSVC.exe[1956] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\WINDOWS\System32\FTRTSVC.exe[1956] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\WINDOWS\System32\FTRTSVC.exe[1956] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\WINDOWS\System32\FTRTSVC.exe[1956] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\WINDOWS\System32\FTRTSVC.exe[1956] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [76, 71] {JBE 0x73} .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A3, 71] .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719B000A .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7198000A .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7192000A .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7195000A .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7180000A .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7183000A .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717D000A .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7186000A .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7189000A .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718F000A .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2020] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718C000A .text C:\WINDOWS\system32\ctfmon.exe[2068] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2068] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\ctfmon.exe[2068] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2068] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\ctfmon.exe[2068] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2068] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\ctfmon.exe[2068] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[2068] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\ctfmon.exe[2068] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\ctfmon.exe[2068] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\ctfmon.exe[2068] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\ctfmon.exe[2068] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\ctfmon.exe[2068] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\ctfmon.exe[2068] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\ctfmon.exe[2068] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\ctfmon.exe[2068] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\ctfmon.exe[2068] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\ctfmon.exe[2068] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\ctfmon.exe[2068] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\ctfmon.exe[2068] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFCE.EXE[2076] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\System32\alg.exe[2140] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2140] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\alg.exe[2140] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2140] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [75, 71] {JNZ 0x73} .text C:\WINDOWS\System32\alg.exe[2140] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2140] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [72, 71] {JB 0x73} .text C:\WINDOWS\System32\alg.exe[2140] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2140] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A3, 71] .text C:\WINDOWS\System32\alg.exe[2140] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\alg.exe[2140] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 7197000A .text C:\WINDOWS\System32\alg.exe[2140] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7194000A .text C:\WINDOWS\System32\alg.exe[2140] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717C000A .text C:\WINDOWS\System32\alg.exe[2140] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717F000A .text C:\WINDOWS\System32\alg.exe[2140] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7179000A .text C:\WINDOWS\System32\alg.exe[2140] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7182000A .text C:\WINDOWS\System32\alg.exe[2140] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7185000A .text C:\WINDOWS\System32\alg.exe[2140] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718B000A .text C:\WINDOWS\System32\alg.exe[2140] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7188000A .text C:\WINDOWS\System32\alg.exe[2140] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718E000A .text C:\WINDOWS\System32\alg.exe[2140] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7191000A .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] ntdll.dll!LdrUnloadDll 7C916C9B 3 Bytes [FF, 25, 1E] .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] ntdll.dll!LdrUnloadDll + 4 7C916C9F 2 Bytes [A7, 71] .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7196000A .text C:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe[2184] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2580] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00401000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys ---- EOF - GMER 2.1 ----