GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-14 23:33:14 Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB Running: tspx2j2j.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pxrdafoc.sys ---- System - GMER 2.1 ---- Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x9147A98E] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x9147A928] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x9147A93C] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x9147A9CC] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x9147AA0F] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x9147A900] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x9147A914] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x9147A9A2] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x9147AA37] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x9147AA23] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x9147A97A] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x9147A966] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
ZwTerminateProcess [0x9147A9FB] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x9147A9E2] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x9147A9B8] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x9147A952] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwYieldExecution 820431A0 5 Bytes JMP 9147A9BC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwNotifyChangeKey 821DD1CD 5 Bytes JMP 9147AA13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateUserProcess 821E4E26 5 Bytes JMP 9147A956 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwTerminateProcess 821FF2F0 5 Bytes JMP 9147A9FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenThread 8221E57A 5 Bytes JMP 9147A918 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenProcess 8222DEF2 5 Bytes JMP 9147A904 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
PAGE ntkrnlpa.exe!NtMapViewOfSection 82240AFE 7 Bytes JMP 9147A9D0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82241155 5 Bytes JMP 9147A9E6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtCreateFile 82243366 5 Bytes JMP 9147A992 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtSetInformationProcess 82250A24 5 Bytes JMP 9147A96A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82252C7E 7 Bytes JMP 9147A9A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRestoreKey 82271982 5 Bytes JMP 9147AA27 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwReplaceKey 822729CE 5 Bytes JMP 9147AA3B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcess 822B072B 5 Bytes JMP 9147A92C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcessEx 822B0776 7 Bytes JMP 9147A940 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetContextThread 822B1233 5 Bytes JMP 9147A97E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) 
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8DC0C340, 0x3D7A87, 0xE8000020] C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl entry point in "" section [0xA07D741C] .clc C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl unknown last code section [0xA07D8000, 0x1000, 0xE0000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\taskeng.exe[564] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 02712180; RET .text C:\Windows\system32\taskeng.exe[564] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 027126B0; RET .text C:\Windows\system32\taskeng.exe[564] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 02712970; RET .text C:\Windows\system32\taskeng.exe[564] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 02712910; RET .text C:\Windows\system32\taskeng.exe[564] WS2_32.dll!send 7648659B 6 Bytes PUSH 02713A90; RET .text C:\Windows\system32\services.exe[684] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 00130F43 .text C:\Windows\system32\services.exe[684] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 00130093 .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 00130EFC .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 00130F21 .text C:\Windows\system32\services.exe[684] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 00130078 .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 00130036 .text C:\Windows\system32\services.exe[684] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 00130F94 .text C:\Windows\system32\services.exe[684] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 00130FAF .text C:\Windows\system32\services.exe[684] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 00130F79 .text C:\Windows\system32\services.exe[684] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 00130051 .text C:\Windows\system32\services.exe[684] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 00130FC0 
.text C:\Windows\system32\services.exe[684] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 00130F68 .text C:\Windows\system32\services.exe[684] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 00130EEB .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 0013001B .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 0013000A .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 00130FEF .text C:\Windows\system32\services.exe[684] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 00130F32 .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 00140058 .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 00140FCA .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 00140FE5 .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 00140047 .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 00140F9B .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 0014001B .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 00140000 .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 0014002C .text C:\Windows\system32\services.exe[684] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 001F0042 .text C:\Windows\system32\services.exe[684] msvcrt.dll!system 77878B63 5 Bytes JMP 001F0FAD .text C:\Windows\system32\services.exe[684] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 001F0FD9 .text C:\Windows\system32\services.exe[684] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 001F0000 .text C:\Windows\system32\services.exe[684] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 001F0FC8 .text C:\Windows\system32\services.exe[684] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 001F001D .text 
C:\Windows\system32\services.exe[684] WS2_32.dll!socket 764836D1 5 Bytes JMP 0015000A .text C:\Windows\system32\lsass.exe[700] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 002000D1 .text C:\Windows\system32\lsass.exe[700] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 00200F81 .text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 00200F4B .text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 00200F66 .text C:\Windows\system32\lsass.exe[700] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 00200091 .text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 0020004A .text C:\Windows\system32\lsass.exe[700] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 00200080 .text C:\Windows\system32\lsass.exe[700] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 00200FD4 .text C:\Windows\system32\lsass.exe[700] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 002000A2 .text C:\Windows\system32\lsass.exe[700] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 00200FC3 .text C:\Windows\system32\lsass.exe[700] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 0020005B .text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 00200F92 .text C:\Windows\system32\lsass.exe[700] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 002000F3 .text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 00200FEF .text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 0020000A .text C:\Windows\system32\lsass.exe[700] kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 0020002F .text C:\Windows\system32\lsass.exe[700] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 002000E2 .text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 00210F7C .text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 0021001E .text C:\Windows\system32\lsass.exe[700] 
ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 00210FEF .text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 00210F97 .text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 00210F6B .text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 00210FC3 .text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 00210FD4 .text C:\Windows\system32\lsass.exe[700] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 00210FB2 .text C:\Windows\system32\lsass.exe[700] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 008C0051 .text C:\Windows\system32\lsass.exe[700] msvcrt.dll!system 77878B63 5 Bytes JMP 008C0036 .text C:\Windows\system32\lsass.exe[700] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 008C001B .text C:\Windows\system32\lsass.exe[700] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 008C0000 .text C:\Windows\system32\lsass.exe[700] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 008C0FC6 .text C:\Windows\system32\lsass.exe[700] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 008C0FD7 .text C:\Windows\system32\lsass.exe[700] WS2_32.dll!socket 764836D1 5 Bytes JMP 00220FEF .text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 001A007F .text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 001A0F39 .text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 001A00B5 .text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 001A0F14 .text C:\Windows\system32\svchost.exe[856] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 001A0F8A .text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 001A002C .text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 001A0F9B .text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 001A0047 .text 
C:\Windows\system32\svchost.exe[856] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 001A0F65 .text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 001A0058 .text C:\Windows\system32\svchost.exe[856] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 001A0FB6 .text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 001A0F4A .text C:\Windows\system32\svchost.exe[856] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 001A00C6 .text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 001A0011 .text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 001A0000 .text C:\Windows\system32\svchost.exe[856] kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 001A0FDB .text C:\Windows\system32\svchost.exe[856] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 001A0090 .text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 00210FA6 .text C:\Windows\system32\svchost.exe[856] msvcrt.dll!system 77878B63 5 Bytes JMP 00210FC1 .text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 00210027 .text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 00210FEF .text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 00210FD2 .text C:\Windows\system32\svchost.exe[856] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 0021000C .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 001B0F72 .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 001B0FA8 .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 001B0000 .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 001B0F8D .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 001B0F61 .text C:\Windows\system32\svchost.exe[856] 
ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 001B0FD4 .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 001B0FEF .text C:\Windows\system32\svchost.exe[856] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 001B0FC3 .text C:\Windows\system32\svchost.exe[856] WS2_32.dll!socket 764836D1 5 Bytes JMP 001C0000 .text C:\Windows\system32\svchost.exe[928] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 003100D7 .text C:\Windows\system32\svchost.exe[928] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 003100C6 .text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 00310F4A .text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 00310F5B .text C:\Windows\system32\svchost.exe[928] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 00310FA5 .text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 0031001B .text C:\Windows\system32\svchost.exe[928] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 00310089 .text C:\Windows\system32\svchost.exe[928] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 00310051 .text C:\Windows\system32\svchost.exe[928] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 0031009A .text C:\Windows\system32\svchost.exe[928] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 00310062 .text C:\Windows\system32\svchost.exe[928] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 0031002C .text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 003100AB .text C:\Windows\system32\svchost.exe[928] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 00310106 .text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 00310FD4 .text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 00310FE5 .text C:\Windows\system32\svchost.exe[928] kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 0031000A .text C:\Windows\system32\svchost.exe[928] 
kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 00310F6C .text C:\Windows\system32\svchost.exe[928] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 00480053 .text C:\Windows\system32\svchost.exe[928] msvcrt.dll!system 77878B63 5 Bytes JMP 00480FBE .text C:\Windows\system32\svchost.exe[928] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 00480FD9 .text C:\Windows\system32\svchost.exe[928] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 0048000C .text C:\Windows\system32\svchost.exe[928] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 0048002E .text C:\Windows\system32\svchost.exe[928] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 0048001D .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 0042006C .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 00420040 .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 00420000 .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 00420051 .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 0042007D .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 0042001B .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 00420FE5 .text C:\Windows\system32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 00420FD4 .text C:\Windows\system32\svchost.exe[928] WS2_32.dll!socket 764836D1 5 Bytes JMP 00430000 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 00890F4D .text C:\Windows\System32\svchost.exe[984] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 00890F5E .text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 00890F0D .text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 008900AE .text C:\Windows\System32\svchost.exe[984] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 00890F79 
.text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 00890FCA .text C:\Windows\System32\svchost.exe[984] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 00890F94 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 00890036 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 00890078 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 00890047 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 00890FAF .text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 00890089 .text C:\Windows\System32\svchost.exe[984] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 008900BF .text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 0089000A .text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 00890FEF .text C:\Windows\System32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 0089001B .text C:\Windows\System32\svchost.exe[984] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 00890F32 .text C:\Windows\System32\svchost.exe[984] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 00D8004E .text C:\Windows\System32\svchost.exe[984] msvcrt.dll!system 77878B63 5 Bytes JMP 00D80FC3 .text C:\Windows\System32\svchost.exe[984] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 00D80018 .text C:\Windows\System32\svchost.exe[984] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 00D80FEF .text C:\Windows\System32\svchost.exe[984] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 00D80033 .text C:\Windows\System32\svchost.exe[984] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 00D80FDE .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 008B0F5E .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 008B0000 .text C:\Windows\System32\svchost.exe[984] 
ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 008B0FE5 .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 008B0F79 .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 008B0F43 .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 008B0FAF .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 008B0FD4 .text C:\Windows\System32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 008B0F9E .text C:\Windows\System32\svchost.exe[984] WS2_32.dll!socket 764836D1 5 Bytes JMP 00D70FEF .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 010A00A9 .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 010A0084 .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 010A00C4 .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 010A0F2D .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 010A0051 .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 010A0FAF .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 010A0F77 .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 010A0F9E .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 010A0062 .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 010A0040 .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 010A001B .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 010A0073 .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 010A00DF .text 
C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 010A0FDB .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 010A0000 .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 010A0FCA .text C:\Windows\System32\svchost.exe[1012] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 010A0F3E .text C:\Windows\System32\svchost.exe[1012] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 010D0F9C .text C:\Windows\System32\svchost.exe[1012] msvcrt.dll!system 77878B63 5 Bytes JMP 010D0FB7 .text C:\Windows\System32\svchost.exe[1012] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 010D000C .text C:\Windows\System32\svchost.exe[1012] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 010D0FEF .text C:\Windows\System32\svchost.exe[1012] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 010D0027 .text C:\Windows\System32\svchost.exe[1012] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 010D0FD2 .text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 010B0025 .text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 010B0F9E .text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 010B0FEF .text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 010B0F83 .text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 010B004A .text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 010B000A .text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 010B0FD4 .text C:\Windows\System32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 010B0FB9 .text C:\Windows\System32\svchost.exe[1012] WS2_32.dll!socket 764836D1 5 Bytes JMP 010C0FE5 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 008C0F5E .text C:\Windows\system32\svchost.exe[1024] 
kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 008C00A4 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 008C00D0 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 008C0F39 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 008C0F83 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 008C0025 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 008C0F94 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 008C0FAF .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 008C0078 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 008C0051 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 008C0036 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 008C0093 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 008C0F1E .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 008C0000 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 008C0FE5 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 008C0FD4 .text C:\Windows\system32\svchost.exe[1024] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 008C00B5 .text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 00D60053 .text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!system 77878B63 5 Bytes JMP 00D60FC8 .text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 00D60FE3 .text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 00D60000 .text C:\Windows\system32\svchost.exe[1024] 
msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 00D60038 .text C:\Windows\system32\svchost.exe[1024] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 00D60011 .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 00970F91 .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 00970FB6 .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 00970FE5 .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 0097003D .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 0097004E .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 00970011 .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 00970000 .text C:\Windows\system32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 0097002C .text C:\Windows\system32\svchost.exe[1024] WS2_32.dll!socket 764836D1 5 Bytes JMP 009C0FEF .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 01070F6B .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 01070F7C .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 010700F8 .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 010700DD .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 01070FA8 .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 01070036 .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 01070FB9 .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 0107005B .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 01070F8D .text 
C:\Windows\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 01070076 .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 01070FCA .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 010700A7 .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 01070F46 .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 01070FE5 .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 01070000 .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 0107001B .text C:\Windows\system32\svchost.exe[1256] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 010700CC .text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 01530F9C .text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!system 77878B63 5 Bytes JMP 01530027 .text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 0153000C .text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 01530FEF .text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 01530FB7 .text C:\Windows\system32\svchost.exe[1256] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 01530FD2 .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 01080F83 .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 01080FAF .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 01080FEF .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 01080F9E .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 01080040 .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 01080011 .text C:\Windows\system32\svchost.exe[1256] 
ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 01080000 .text C:\Windows\system32\svchost.exe[1256] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 01080FC0 .text C:\Windows\system32\svchost.exe[1256] WS2_32.dll!socket 764836D1 5 Bytes JMP 01510FEF .text C:\Windows\system32\svchost.exe[1256] WinInet.dll!InternetOpenA 771D0A4D 5 Bytes JMP 01520FEF .text C:\Windows\system32\svchost.exe[1256] WinInet.dll!InternetOpenUrlA 771D2713 5 Bytes JMP 01520FCA .text C:\Windows\system32\svchost.exe[1256] WinInet.dll!InternetOpenW 771D30C8 5 Bytes JMP 01520000 .text C:\Windows\system32\svchost.exe[1256] WinInet.dll!InternetOpenUrlW 77228515 5 Bytes JMP 01520FAF .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 00500F39 .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 00500F54 .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 005000BF .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 005000A4 .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 0050006E .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 00500FEF .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 00500051 .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 00500FAF .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 0050007F .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 00500F94 .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 00500FCA .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 00500F6F .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 00500F0D .text 
C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 00500025 .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 0050000A .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 00500036 .text C:\Windows\system32\svchost.exe[1492] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 00500F28 .text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 00570F92 .text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!system 77878B63 5 Bytes JMP 00570027 .text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 0057000C .text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 00570FEF .text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 00570FB7 .text C:\Windows\system32\svchost.exe[1492] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 00570FDE .text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 00510FB6 .text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 00510047 .text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 00510FE5 .text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 00510062 .text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 00510073 .text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 0051001B .text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 0051000A .text C:\Windows\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 0051002C .text C:\Windows\system32\svchost.exe[1492] WS2_32.dll!socket 764836D1 5 Bytes JMP 00560FE5 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1820] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 018D2180; RET .text C:\Program 
Files\Synaptics\SynTP\SynTPEnh.exe[1820] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 018D26B0; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1820] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 018D2970; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1820] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 018D2910; RET .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 00B20080 .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 00B20F44 .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 00B20F0E .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 00B200A5 .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 00B20040 .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 00B20FAF .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 00B2002F .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 00B20F83 .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 00B20F55 .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 00B20F72 .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 00B20F9E .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 00B20065 .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 00B20EFD .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 00B20FDB .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 00B20000 .text C:\Windows\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 00B20FC0 .text 
C:\Windows\system32\svchost.exe[1848] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 00B20F29 .text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 01080058 .text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!system 77878B63 5 Bytes JMP 01080FC3 .text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 01080FDE .text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 01080FEF .text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 01080033 .text C:\Windows\system32\svchost.exe[1848] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 0108000C .text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 01070FA8 .text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 01070025 .text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 01070000 .text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 01070040 .text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 01070F97 .text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 01070FD4 .text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 01070FE5 .text C:\Windows\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 01070FB9 .text C:\Windows\system32\svchost.exe[1848] WS2_32.dll!socket 764836D1 5 Bytes JMP 00240000 .text C:\Windows\system32\Dwm.exe[1900] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 020E2180; RET .text C:\Windows\system32\Dwm.exe[1900] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 020E26B0; RET .text C:\Windows\system32\Dwm.exe[1900] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 020E2970; RET .text C:\Windows\system32\Dwm.exe[1900] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 020E2910; RET .text C:\Windows\system32\Dwm.exe[1900] 
WS2_32.dll!send 7648659B 6 Bytes PUSH 020E3A90; RET .text C:\Windows\Explorer.EXE[1912] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 04582180; RET .text C:\Windows\Explorer.EXE[1912] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 045826B0; RET .text C:\Windows\Explorer.EXE[1912] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 04582970; RET .text C:\Windows\Explorer.EXE[1912] ntdll.dll!DbgUiRemoteBreakin 7774D50C 3 Bytes [68, 10, 29] .text C:\Windows\Explorer.EXE[1912] ntdll.dll!DbgUiRemoteBreakin + 4 7774D510 3 Bytes [04, C3, 76] .text C:\Windows\Explorer.EXE[1912] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 03F0009D .text C:\Windows\Explorer.EXE[1912] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 03F00F61 .text C:\Windows\Explorer.EXE[1912] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 03F000D3 .text C:\Windows\Explorer.EXE[1912] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 03F00F32 .text C:\Windows\Explorer.EXE[1912] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 03F00F7C .text C:\Windows\Explorer.EXE[1912] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 03F0001B .text C:\Windows\Explorer.EXE[1912] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 03F00F8D .text C:\Windows\Explorer.EXE[1912] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 03F00FAF .text C:\Windows\Explorer.EXE[1912] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 03F00071 .text C:\Windows\Explorer.EXE[1912] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 03F00F9E .text C:\Windows\Explorer.EXE[1912] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 03F00036 .text C:\Windows\Explorer.EXE[1912] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 03F00082 .text C:\Windows\Explorer.EXE[1912] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 03F000E4 .text C:\Windows\Explorer.EXE[1912] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 03F00000 .text C:\Windows\Explorer.EXE[1912] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 03F00FE5 .text C:\Windows\Explorer.EXE[1912] 
kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 03F00FCA .text C:\Windows\Explorer.EXE[1912] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 03F000AE .text C:\Windows\Explorer.EXE[1912] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 03F80040 .text C:\Windows\Explorer.EXE[1912] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 03F80FAF .text C:\Windows\Explorer.EXE[1912] ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 03F8000A .text C:\Windows\Explorer.EXE[1912] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 03F80F94 .text C:\Windows\Explorer.EXE[1912] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 03F80F83 .text C:\Windows\Explorer.EXE[1912] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 03F80FD4 .text C:\Windows\Explorer.EXE[1912] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 03F80FEF .text C:\Windows\Explorer.EXE[1912] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 03F8001B .text C:\Windows\Explorer.EXE[1912] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 040E0FB7 .text C:\Windows\Explorer.EXE[1912] msvcrt.dll!system 77878B63 5 Bytes JMP 040E0FC8 .text C:\Windows\Explorer.EXE[1912] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 040E002E .text C:\Windows\Explorer.EXE[1912] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 040E000C .text C:\Windows\Explorer.EXE[1912] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 040E0FE3 .text C:\Windows\Explorer.EXE[1912] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 040E001D .text C:\Windows\Explorer.EXE[1912] SHELL32.dll!InitNetworkAddressControl + 2939 7652006C 4 Bytes [50, 26, 00, 10] {PUSH EAX; ADD [ES:EAX], DL} .text C:\Windows\Explorer.EXE[1912] WININET.dll!InternetOpenA 771D0A4D 5 Bytes JMP 04090FEF .text C:\Windows\Explorer.EXE[1912] WININET.dll!InternetOpenUrlA 771D2713 5 Bytes JMP 04090014 .text C:\Windows\Explorer.EXE[1912] WININET.dll!InternetOpenW 771D30C8 5 Bytes JMP 04090FD4 .text C:\Windows\Explorer.EXE[1912] WININET.dll!InternetOpenUrlW 77228515 5 Bytes JMP 0409002F .text C:\Windows\Explorer.EXE[1912] WS2_32.dll!socket 764836D1 5 Bytes JMP 03FF0000 
.text C:\Windows\Explorer.EXE[1912] WS2_32.dll!send 7648659B 6 Bytes PUSH 04583A90; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[2088] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 023A2180; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[2088] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 023A26B0; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[2088] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 023A2970; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[2088] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 023A2910; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[2088] WS2_32.dll!send 7648659B 6 Bytes PUSH 023A3A90; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[2320] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 02DD2180; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[2320] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 02DD26B0; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[2320] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 02DD2970; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[2320] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 02DD2910; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[2320] WS2_32.dll!send 7648659B 6 Bytes PUSH 02DD3A90; RET .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2432] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2432] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) 
.text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[2532] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 01A82180; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[2532] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 01A826B0; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[2532] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 01A82970; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[2532] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 01A82910; RET .text C:\Windows\System32\rundll32.exe[2572] ntdll.dll!NtQueryDirectoryFile 77718658 4 Bytes [68, 80, 21, 14] .text C:\Windows\System32\rundll32.exe[2572] ntdll.dll!NtQueryDirectoryFile + 5 7771865D 1 Byte [C3] .text C:\Windows\System32\rundll32.exe[2572] ntdll.dll!NtResumeThread 77718A58 4 Bytes [68, B0, 26, 14] .text C:\Windows\System32\rundll32.exe[2572] ntdll.dll!NtResumeThread + 5 77718A5D 1 Byte [C3] .text C:\Windows\System32\rundll32.exe[2572] ntdll.dll!NtSetValueKey 77718CF8 4 Bytes [68, 70, 29, 14] .text C:\Windows\System32\rundll32.exe[2572] ntdll.dll!NtSetValueKey + 5 77718CFD 1 Byte [C3] .text C:\Windows\System32\rundll32.exe[2572] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 00142910; RET .text C:\Windows\System32\rundll32.exe[2572] WS2_32.dll!send 7648659B 6 Bytes PUSH 00143A90; RET .text C:\Windows\RtHDVCpl.exe[2624] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 02842180; RET .text C:\Windows\RtHDVCpl.exe[2624] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 028426B0; RET .text C:\Windows\RtHDVCpl.exe[2624] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 02842970; RET .text C:\Windows\RtHDVCpl.exe[2624] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 02842910; RET .text C:\Windows\RtHDVCpl.exe[2624] WS2_32.dll!send 7648659B 6 Bytes PUSH 02843A90; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2700] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 01A92180; RET .text 
C:\ProgramData\DatacardService\DCSHelper.exe[2700] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 01A926B0; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2700] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 01A92970; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2700] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 01A92910; RET .text C:\Windows\PLFSetI.exe[2740] ntdll.dll!NtQueryDirectoryFile 77718658 4 Bytes [68, 80, 21, 8A] .text C:\Windows\PLFSetI.exe[2740] ntdll.dll!NtQueryDirectoryFile + 5 7771865D 1 Byte [C3] .text C:\Windows\PLFSetI.exe[2740] ntdll.dll!NtResumeThread 77718A58 4 Bytes [68, B0, 26, 8A] .text C:\Windows\PLFSetI.exe[2740] ntdll.dll!NtResumeThread + 5 77718A5D 1 Byte [C3] .text C:\Windows\PLFSetI.exe[2740] ntdll.dll!NtSetValueKey 77718CF8 4 Bytes [68, 70, 29, 8A] .text C:\Windows\PLFSetI.exe[2740] ntdll.dll!NtSetValueKey + 5 77718CFD 1 Byte [C3] .text C:\Windows\PLFSetI.exe[2740] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 008A2910; RET .text C:\Program Files\Launch Manager\LManager.exe[2748] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 029B2180; RET .text C:\Program Files\Launch Manager\LManager.exe[2748] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 029B26B0; RET .text C:\Program Files\Launch Manager\LManager.exe[2748] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 029B2970; RET .text C:\Program Files\Launch Manager\LManager.exe[2748] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 029B2910; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2764] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 03A02180; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2764] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 03A026B0; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2764] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 03A02970; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2764] ntdll.dll!DbgUiRemoteBreakin 
7774D50C 7 Bytes PUSH 03A02910; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2764] WS2_32.dll!send 7648659B 6 Bytes PUSH 03A03A90; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2812] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 05932180; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2812] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 059326B0; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2812] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 05932970; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2812] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 05932910; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2812] WS2_32.dll!send 7648659B 6 Bytes PUSH 05933A90; RET .text C:\Program Files\Mobogenie\DaemonProcess.exe[2876] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 01D02180; RET .text C:\Program Files\Mobogenie\DaemonProcess.exe[2876] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 01D026B0; RET .text C:\Program Files\Mobogenie\DaemonProcess.exe[2876] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 01D02970; RET .text C:\Program Files\Mobogenie\DaemonProcess.exe[2876] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 01D02910; RET .text C:\Program Files\Mobogenie\DaemonProcess.exe[2876] WS2_32.dll!send 7648659B 6 Bytes PUSH 01D03A90; RET .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[3056] ntdll.dll!NtQueryDirectoryFile 77718658 4 Bytes [68, 80, 21, 14] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[3056] ntdll.dll!NtQueryDirectoryFile + 5 7771865D 1 Byte [C3] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[3056] ntdll.dll!NtResumeThread 77718A58 4 Bytes [68, B0, 26, 14] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[3056] ntdll.dll!NtResumeThread + 5 77718A5D 1 Byte [C3] .text C:\Program Files\Acer\Acer 
VCM\acp2HID.exe[3056] ntdll.dll!NtSetValueKey 77718CF8 4 Bytes [68, 70, 29, 14] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[3056] ntdll.dll!NtSetValueKey + 5 77718CFD 1 Byte [C3] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[3056] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 00142910; RET .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[3056] WS2_32.dll!send 7648659B 6 Bytes PUSH 00143A90; RET .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 0018007D .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 00180F37 .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 001800A2 .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 00180F0B .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 00180051 .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 00180FA8 .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 00180036 .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 00180025 .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 00180062 .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 00180F83 .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 0018000A .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 00180F52 .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 001800C7 .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 00180FCA .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 00180FEF .text C:\Windows\system32\svchost.exe[3136] 
kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 00180FB9 .text C:\Windows\system32\svchost.exe[3136] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 00180F1C .text C:\Windows\system32\svchost.exe[3136] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 008B0058 .text C:\Windows\system32\svchost.exe[3136] msvcrt.dll!system 77878B63 5 Bytes JMP 008B0033 .text C:\Windows\system32\svchost.exe[3136] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 008B0022 .text C:\Windows\system32\svchost.exe[3136] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 008B0000 .text C:\Windows\system32\svchost.exe[3136] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 008B0FC3 .text C:\Windows\system32\svchost.exe[3136] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 008B0011 .text C:\Windows\system32\svchost.exe[3136] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 006E0FA5 .text C:\Windows\system32\svchost.exe[3136] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 006E0036 .text C:\Windows\system32\svchost.exe[3136] ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 006E0FEF .text C:\Windows\system32\svchost.exe[3136] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 006E0047 .text C:\Windows\system32\svchost.exe[3136] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 006E006C .text C:\Windows\system32\svchost.exe[3136] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 006E0025 .text C:\Windows\system32\svchost.exe[3136] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 006E000A .text C:\Windows\system32\svchost.exe[3136] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 006E0FCA .text C:\Windows\system32\svchost.exe[3136] WS2_32.dll!socket 764836D1 5 Bytes JMP 008A0FEF .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3460] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 047C2180; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3460] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 047C26B0; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3460] ntdll.dll!NtSetValueKey 
77718CF8 6 Bytes PUSH 047C2970; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3460] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 047C2910; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3460] WS2_32.dll!send 7648659B 6 Bytes PUSH 047C3A90; RET .text C:\Windows\system32\conime.exe[3500] ntdll.dll!NtQueryDirectoryFile 77718658 4 Bytes [68, 80, 21, 04] .text C:\Windows\system32\conime.exe[3500] ntdll.dll!NtQueryDirectoryFile + 5 7771865D 1 Byte [C3] .text C:\Windows\system32\conime.exe[3500] ntdll.dll!NtResumeThread 77718A58 4 Bytes [68, B0, 26, 04] .text C:\Windows\system32\conime.exe[3500] ntdll.dll!NtResumeThread + 5 77718A5D 1 Byte [C3] .text C:\Windows\system32\conime.exe[3500] ntdll.dll!NtSetValueKey 77718CF8 4 Bytes [68, 70, 29, 04] .text C:\Windows\system32\conime.exe[3500] ntdll.dll!NtSetValueKey + 5 77718CFD 1 Byte [C3] .text C:\Windows\system32\conime.exe[3500] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 00042910; RET .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 000100BA .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 0001009F .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 000100DC .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 000100CB .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 0001007D .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 00010FEF .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 00010FAF .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 00010FD4 .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 0001008E .text C:\Windows\system32\svchost.exe[3524] 
kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 0001006C .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 0001005B .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 00010F7E .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 000100F7 .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 0001001B .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 0001000A .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 00010040 .text C:\Windows\system32\svchost.exe[3524] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 00010F59 .text C:\Windows\system32\svchost.exe[3524] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 00050055 .text C:\Windows\system32\svchost.exe[3524] msvcrt.dll!system 77878B63 5 Bytes JMP 00050FCA .text C:\Windows\system32\svchost.exe[3524] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 00050FEF .text C:\Windows\system32\svchost.exe[3524] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 00050000 .text C:\Windows\system32\svchost.exe[3524] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 00050044 .text C:\Windows\system32\svchost.exe[3524] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 0005001D .text C:\Windows\system32\svchost.exe[3524] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 00060F7C .text C:\Windows\system32\svchost.exe[3524] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 00060FA8 .text C:\Windows\system32\svchost.exe[3524] ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 00060FE5 .text C:\Windows\system32\svchost.exe[3524] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 00060F97 .text C:\Windows\system32\svchost.exe[3524] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 00060043 .text C:\Windows\system32\svchost.exe[3524] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 00060FCA .text C:\Windows\system32\svchost.exe[3524] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 
Bytes JMP 00060000 .text C:\Windows\system32\svchost.exe[3524] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 00060FB9 .text C:\Windows\system32\svchost.exe[3524] WS2_32.dll!socket 764836D1 5 Bytes JMP 003D0FE5 .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3672] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 02BB2180; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3672] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 02BB26B0; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3672] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 02BB2970; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3672] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 02BB2910; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3672] ws2_32.dll!send 7648659B 6 Bytes PUSH 02BB3A90; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[3684] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 027E2180; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[3684] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 027E26B0; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[3684] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 027E2970; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[3684] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 027E2910; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[3684] ws2_32.dll!send 7648659B 6 Bytes PUSH 027E3A90; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[3700] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 02442180; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[3700] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 024426B0; RET 
.text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[3700] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 02442970; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[3700] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 02442910; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[3700] ws2_32.dll!send 7648659B 6 Bytes PUSH 02443A90; RET .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3908] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 01C22180; RET .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3908] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 01C226B0; RET .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3908] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 01C22970; RET .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3908] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 01C22910; RET .text C:\Windows\System32\svchost.exe[3928] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 000100B8 .text C:\Windows\System32\svchost.exe[3928] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 000100A7 .text C:\Windows\System32\svchost.exe[3928] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 000100E4 .text C:\Windows\System32\svchost.exe[3928] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 000100D3 .text C:\Windows\System32\svchost.exe[3928] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 00010071 .text C:\Windows\System32\svchost.exe[3928] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 00010FD4 .text C:\Windows\System32\svchost.exe[3928] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 00010F8D .text C:\Windows\System32\svchost.exe[3928] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 00010FB9 .text C:\Windows\System32\svchost.exe[3928] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 00010F7C .text C:\Windows\System32\svchost.exe[3928] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 00010F9E .text 
C:\Windows\System32\svchost.exe[3928] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 00010040
.text C:\Windows\System32\svchost.exe[3928] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 00010096
.text C:\Windows\System32\svchost.exe[3928] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 00010F32
.text C:\Windows\System32\svchost.exe[3928] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 00010FEF
.text C:\Windows\System32\svchost.exe[3928] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 0001000A
.text C:\Windows\System32\svchost.exe[3928] kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 0001001B
.text C:\Windows\System32\svchost.exe[3928] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 00010F57
.text C:\Windows\System32\svchost.exe[3928] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 00050F92
.text C:\Windows\System32\svchost.exe[3928] msvcrt.dll!system 77878B63 5 Bytes JMP 00050FAD
.text C:\Windows\System32\svchost.exe[3928] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 00050FC8
.text C:\Windows\System32\svchost.exe[3928] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 00050FEF
.text C:\Windows\System32\svchost.exe[3928] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 0005001D
.text C:\Windows\System32\svchost.exe[3928] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 0005000C
.text C:\Windows\System32\svchost.exe[3928] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 00060062
.text C:\Windows\System32\svchost.exe[3928] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 00060036
.text C:\Windows\System32\svchost.exe[3928] ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 00060000
.text C:\Windows\System32\svchost.exe[3928] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 00060047
.text C:\Windows\System32\svchost.exe[3928] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 00060FA5
.text C:\Windows\System32\svchost.exe[3928] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 00060FDB
.text C:\Windows\System32\svchost.exe[3928] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 00060011
.text C:\Windows\System32\svchost.exe[3928] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 00060FCA
.text D:\programy\winamp\winampa.exe[4184] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 013C2180; RET
.text D:\programy\winamp\winampa.exe[4184] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 013C26B0; RET
.text D:\programy\winamp\winampa.exe[4184] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 013C2970; RET
.text D:\programy\winamp\winampa.exe[4184] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 013C2910; RET
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4400] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 01A72180; RET
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4400] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 01A726B0; RET
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4400] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 01A72970; RET
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4400] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 01A72910; RET
.text C:\Windows\system32\wbem\unsecapp.exe[4420] ntdll.dll!NtQueryDirectoryFile 77718658 4 Bytes [68, 80, 21, A6]
.text C:\Windows\system32\wbem\unsecapp.exe[4420] ntdll.dll!NtQueryDirectoryFile + 5 7771865D 1 Byte [C3]
.text C:\Windows\system32\wbem\unsecapp.exe[4420] ntdll.dll!NtResumeThread 77718A58 4 Bytes [68, B0, 26, A6]
.text C:\Windows\system32\wbem\unsecapp.exe[4420] ntdll.dll!NtResumeThread + 5 77718A5D 1 Byte [C3]
.text C:\Windows\system32\wbem\unsecapp.exe[4420] ntdll.dll!NtSetValueKey 77718CF8 4 Bytes [68, 70, 29, A6]
.text C:\Windows\system32\wbem\unsecapp.exe[4420] ntdll.dll!NtSetValueKey + 5 77718CFD 1 Byte [C3]
.text C:\Windows\system32\wbem\unsecapp.exe[4420] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 00A62910; RET
.text C:\Windows\system32\wbem\unsecapp.exe[4420] WS2_32.dll!send 7648659B 6 Bytes PUSH 00A63A90; RET
.text C:\Windows\WindowsMobile\wmdSync.exe[4608] ntdll.dll!NtQueryDirectoryFile 77718658 4 Bytes [68, 80, 21, 9A]
.text C:\Windows\WindowsMobile\wmdSync.exe[4608] ntdll.dll!NtQueryDirectoryFile + 5 7771865D 1 Byte [C3]
.text C:\Windows\WindowsMobile\wmdSync.exe[4608] ntdll.dll!NtResumeThread 77718A58 4 Bytes [68, B0, 26, 9A]
.text C:\Windows\WindowsMobile\wmdSync.exe[4608] ntdll.dll!NtResumeThread + 5 77718A5D 1 Byte [C3]
.text C:\Windows\WindowsMobile\wmdSync.exe[4608] ntdll.dll!NtSetValueKey 77718CF8 4 Bytes [68, 70, 29, 9A]
.text C:\Windows\WindowsMobile\wmdSync.exe[4608] ntdll.dll!NtSetValueKey + 5 77718CFD 1 Byte [C3]
.text C:\Windows\WindowsMobile\wmdSync.exe[4608] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 009A2910; RET
.text C:\Windows\WindowsMobile\wmdSync.exe[4608] WS2_32.dll!send 7648659B 6 Bytes PUSH 009A3A90; RET
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4624] ntdll.dll!NtQueryDirectoryFile 77718658 4 Bytes [68, 80, 21, 3B]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4624] ntdll.dll!NtQueryDirectoryFile + 5 7771865D 1 Byte [C3]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4624] ntdll.dll!NtResumeThread 77718A58 4 Bytes [68, B0, 26, 3B]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4624] ntdll.dll!NtResumeThread + 5 77718A5D 1 Byte [C3]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4624] ntdll.dll!NtSetValueKey 77718CF8 4 Bytes [68, 70, 29, 3B]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4624] ntdll.dll!NtSetValueKey + 5 77718CFD 1 Byte [C3]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4624] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 003B2910; RET
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!GetStartupInfoW 75F31929 5 Bytes JMP 0001007F
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!GetStartupInfoA 75F319C9 5 Bytes JMP 00010F39
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!CreateProcessW 75F31C01 5 Bytes JMP 000100BC
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!CreateProcessA 75F31C36 5 Bytes JMP 000100A1
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!VirtualProtect 75F31DD1 5 Bytes JMP 00010F79
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!CreateNamedPipeW 75F35C44 5 Bytes JMP 0001001B
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!LoadLibraryExW 75F530C3 5 Bytes JMP 00010F8A
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!LoadLibraryW 75F5361F 5 Bytes JMP 00010036
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!VirtualProtectEx 75F58D7E 5 Bytes JMP 00010F54
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!LoadLibraryExA 75F59469 5 Bytes JMP 00010047
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!LoadLibraryA 75F59491 5 Bytes JMP 00010FAF
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!CreatePipe 75F60284 5 Bytes JMP 00010064
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!GetProcAddress 75F7B8B6 5 Bytes JMP 00010F14
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!CreateFileW 75F7CC4E 5 Bytes JMP 00010FDB
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!CreateFileA 75F7CF71 5 Bytes JMP 00010000
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!CreateNamedPipeA 75FC430E 5 Bytes JMP 00010FC0
.text C:\Windows\system32\svchost.exe[4648] kernel32.dll!WinExec 75FC54FF 5 Bytes JMP 00010090
.text C:\Windows\system32\svchost.exe[4648] msvcrt.dll!_wsystem 77878A47 5 Bytes JMP 0005002C
.text C:\Windows\system32\svchost.exe[4648] msvcrt.dll!system 77878B63 5 Bytes JMP 00050FA1
.text C:\Windows\system32\svchost.exe[4648] msvcrt.dll!_creat 7787C6F1 5 Bytes JMP 00050011
.text C:\Windows\system32\svchost.exe[4648] msvcrt.dll!_open 7787DA7E 5 Bytes JMP 00050000
.text C:\Windows\system32\svchost.exe[4648] msvcrt.dll!_wcreat 7787DC9E 5 Bytes JMP 00050FC6
.text C:\Windows\system32\svchost.exe[4648] msvcrt.dll!_wopen 7787DE79 5 Bytes JMP 00050FE3
.text C:\Windows\system32\svchost.exe[4648] ADVAPI32.dll!RegCreateKeyExA 763CB5E7 5 Bytes JMP 00060062
.text C:\Windows\system32\svchost.exe[4648] ADVAPI32.dll!RegCreateKeyA 763CB8AE 5 Bytes JMP 00060036
.text C:\Windows\system32\svchost.exe[4648] ADVAPI32.dll!RegOpenKeyA 763D0BF5 5 Bytes JMP 00060FE5
.text C:\Windows\system32\svchost.exe[4648] ADVAPI32.dll!RegCreateKeyW 763DB83D 5 Bytes JMP 00060047
.text C:\Windows\system32\svchost.exe[4648] ADVAPI32.dll!RegCreateKeyExW 763DBCE1 5 Bytes JMP 0006007D
.text C:\Windows\system32\svchost.exe[4648] ADVAPI32.dll!RegOpenKeyExA 763DD4E8 5 Bytes JMP 0006000A
.text C:\Windows\system32\svchost.exe[4648] ADVAPI32.dll!RegOpenKeyW 763E3CB0 5 Bytes JMP 00060FD4
.text C:\Windows\system32\svchost.exe[4648] ADVAPI32.dll!RegOpenKeyExW 763EF09D 5 Bytes JMP 00060025
.text C:\Windows\system32\svchost.exe[4648] WS2_32.dll!socket 764836D1 5 Bytes JMP 0007000A
.text C:\Program Files\Windows Sidebar\sidebar.exe[4680] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 02DE2180; RET
.text C:\Program Files\Windows Sidebar\sidebar.exe[4680] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 02DE26B0; RET
.text C:\Program Files\Windows Sidebar\sidebar.exe[4680] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 02DE2970; RET
.text C:\Program Files\Windows Sidebar\sidebar.exe[4680] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 02DE2910; RET
.text C:\Program Files\Windows Sidebar\sidebar.exe[4680] WS2_32.dll!send 7648659B 6 Bytes PUSH 02DE3A90; RET
.text C:\Program Files\uTorrent\uTorrent.exe[4744] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 031F2180; RET
.text C:\Program Files\uTorrent\uTorrent.exe[4744] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 031F26B0; RET
.text C:\Program Files\uTorrent\uTorrent.exe[4744] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 031F2970; RET
.text C:\Program Files\uTorrent\uTorrent.exe[4744] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 031F2910; RET
.text C:\Program Files\uTorrent\uTorrent.exe[4744] WS2_32.dll!send 7648659B 6 Bytes PUSH 031F3A90; RET
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4768] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 03012180; RET
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4768] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 030126B0; RET
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4768] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 03012970; RET
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4768] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 03012910; RET
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4768] USER32.dll!IsZoomed + 80 76020731 7 Bytes JMP 00185CF0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4768] USER32.dll!GetClassLongW + 529 76021EB5 7 Bytes JMP 00185C60 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4768] USER32.dll!DdeUninitialize + 360 760402A5 7 Bytes JMP 00185CD0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4768] WS2_32.dll!send 7648659B 6 Bytes PUSH 03013A90; RET
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[5048] ntdll.dll!NtQueryDirectoryFile 77718658 4 Bytes [68, 80, 21, 89]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[5048] ntdll.dll!NtQueryDirectoryFile + 5 7771865D 1 Byte [C3]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[5048] ntdll.dll!NtResumeThread 77718A58 4 Bytes [68, B0, 26, 89]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[5048] ntdll.dll!NtResumeThread + 5 77718A5D 1 Byte [C3]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[5048] ntdll.dll!NtSetValueKey 77718CF8 4 Bytes [68, 70, 29, 89]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[5048] ntdll.dll!NtSetValueKey + 5 77718CFD 1 Byte [C3]
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[5048] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 00892910; RET
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[5048] WS2_32.dll!send 7648659B 6 Bytes PUSH 00893A90; RET
.text C:\Windows\System32\rundll32.exe[5060] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 023C2180; RET
.text C:\Windows\System32\rundll32.exe[5060] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 023C26B0; RET
.text C:\Windows\System32\rundll32.exe[5060] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 023C2970; RET
.text C:\Windows\System32\rundll32.exe[5060] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 023C2910; RET
.text C:\Windows\System32\rundll32.exe[5060] WS2_32.dll!send 7648659B 6 Bytes PUSH 023C3A90; RET
.text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[5076] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 05562180; RET
.text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[5076] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 055626B0; RET
.text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[5076] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 05562970; RET
.text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[5076] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 05562910; RET
.text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[5076] WS2_32.dll!send 7648659B 6 Bytes PUSH 05563A90; RET
.text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5104] ntdll.dll!NtQueryDirectoryFile 77718658 4 Bytes [68, 80, 21, 0C]
.text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5104] ntdll.dll!NtQueryDirectoryFile + 5 7771865D 1 Byte [C3]
.text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5104] ntdll.dll!NtResumeThread 77718A58 4 Bytes [68, B0, 26, 0C]
.text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5104] ntdll.dll!NtResumeThread + 5 77718A5D 1 Byte [C3]
.text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5104] ntdll.dll!NtSetValueKey 77718CF8 4 Bytes [68, 70, 29, 0C]
.text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5104] ntdll.dll!NtSetValueKey + 5 77718CFD 1 Byte [C3]
.text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5104] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 000C2910; RET
.text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5104] WS2_32.dll!send 7648659B 6 Bytes PUSH 000C3A90; RET
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[5116] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 015A2180; RET
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[5116] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 015A26B0; RET
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[5116] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 015A2970; RET
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[5116] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 015A2910; RET
.text C:\Program Files\Java\jre7\bin\javaw.exe[5200] ntdll.dll!NtQueryDirectoryFile 77718658 4 Bytes [68, 80, 21, 09]
.text C:\Program Files\Java\jre7\bin\javaw.exe[5200] ntdll.dll!NtQueryDirectoryFile + 5 7771865D 1 Byte [C3]
.text C:\Program Files\Java\jre7\bin\javaw.exe[5200] ntdll.dll!NtResumeThread 77718A58 4 Bytes [68, B0, 26, 09]
.text C:\Program Files\Java\jre7\bin\javaw.exe[5200] ntdll.dll!NtResumeThread + 5 77718A5D 1 Byte [C3]
.text C:\Program Files\Java\jre7\bin\javaw.exe[5200] ntdll.dll!NtSetValueKey 77718CF8 4 Bytes [68, 70, 29, 09]
.text C:\Program Files\Java\jre7\bin\javaw.exe[5200] ntdll.dll!NtSetValueKey + 5 77718CFD 1 Byte [C3]
.text C:\Program Files\Java\jre7\bin\javaw.exe[5200] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 00092910; RET
.text c:\PROGRA~1\mcafee\msc\mcuimgr.exe[5240] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 025A2180; RET
.text c:\PROGRA~1\mcafee\msc\mcuimgr.exe[5240] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 025A26B0; RET
.text c:\PROGRA~1\mcafee\msc\mcuimgr.exe[5240] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 025A2970; RET
.text c:\PROGRA~1\mcafee\msc\mcuimgr.exe[5240] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 025A2910; RET
.text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[5408] ntdll.dll!NtQueryDirectoryFile 77718658 6 Bytes PUSH 02282180; RET
.text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[5408] ntdll.dll!NtResumeThread 77718A58 6 Bytes PUSH 022826B0; RET
.text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[5408] ntdll.dll!NtSetValueKey 77718CF8 6 Bytes PUSH 02282970; RET
.text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[5408] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 02282910; RET
.text C:\Windows\System32\rundll32.exe[5684] ntdll.dll!NtQueryDirectoryFile 77718658 4 Bytes [68, 80, 21, 1A]
.text C:\Windows\System32\rundll32.exe[5684] ntdll.dll!NtQueryDirectoryFile + 5 7771865D 1 Byte [C3]
.text C:\Windows\System32\rundll32.exe[5684] ntdll.dll!NtResumeThread 77718A58 4 Bytes [68, B0, 26, 1A]
.text C:\Windows\System32\rundll32.exe[5684] ntdll.dll!NtResumeThread + 5 77718A5D 1 Byte [C3]
.text C:\Windows\System32\rundll32.exe[5684] ntdll.dll!NtSetValueKey 77718CF8 4 Bytes [68, 70, 29, 1A]
.text C:\Windows\System32\rundll32.exe[5684] ntdll.dll!NtSetValueKey + 5 77718CFD 1 Byte [C3]
.text C:\Windows\System32\rundll32.exe[5684] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 001A2910; RET
.text C:\Users\Mateusz\Desktop\tspx2j2j.exe[6084] ntdll.dll!NtQueryDirectoryFile 77718658 4 Bytes [68, 80, 21, 15]
.text C:\Users\Mateusz\Desktop\tspx2j2j.exe[6084] ntdll.dll!NtQueryDirectoryFile + 5 7771865D 1 Byte [C3]
.text C:\Users\Mateusz\Desktop\tspx2j2j.exe[6084] ntdll.dll!NtResumeThread 77718A58 4 Bytes [68, B0, 26, 15]
.text C:\Users\Mateusz\Desktop\tspx2j2j.exe[6084] ntdll.dll!NtResumeThread + 5 77718A5D 1 Byte [C3]
.text C:\Users\Mateusz\Desktop\tspx2j2j.exe[6084] ntdll.dll!NtSetValueKey 77718CF8 4 Bytes [68, 70, 29, 15]
.text C:\Users\Mateusz\Desktop\tspx2j2j.exe[6084] ntdll.dll!NtSetValueKey + 5 77718CFD 1 Byte [C3]
.text C:\Users\Mateusz\Desktop\tspx2j2j.exe[6084] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 00152910; RET
.text C:\Users\Mateusz\Desktop\tspx2j2j.exe[6084] WS2_32.dll!send 7648659B 6 Bytes PUSH 00153A90; RET
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6108] ntdll.dll!NtQueryDirectoryFile 77718658 4 Bytes [68, 80, 21, 15]
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6108] ntdll.dll!NtQueryDirectoryFile + 5 7771865D 1 Byte [C3]
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6108] ntdll.dll!NtResumeThread 77718A58 4 Bytes [68, B0, 26, 15]
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6108] ntdll.dll!NtResumeThread + 5 77718A5D 1 Byte [C3]
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6108] ntdll.dll!NtSetValueKey 77718CF8 4 Bytes [68, 70, 29, 15]
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6108] ntdll.dll!NtSetValueKey + 5 77718CFD 1 Byte [C3]
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6108] ntdll.dll!DbgUiRemoteBreakin 7774D50C 7 Bytes PUSH 00152910; RET

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74448864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74489855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7444B984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7443FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74447A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7443EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7447B12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7444BC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74440756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [744406BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744371B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [744CD9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74467329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7443E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7443697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744369A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74442475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001B60] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B60] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\Explorer.EXE[1912] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Processes - GMER 2.1 ----

Process (*** hidden *** ) [4] 8455B860

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----