GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-15 01:15:44 Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB Running: tspx2j2j.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pxrdafoc.sys ---- System - GMER 2.1 ---- Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F06C98E] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F06C928] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F06C93C] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F06C9CC] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8F06CA0F] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F06C900] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8F06C914] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8F06C9A2] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8F06CA37] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8F06CA23] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8F06C97A] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F06C966] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8F06C9FB] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F06C9E2] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F06C9B8] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F06C952] Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwYieldExecution 820721A0 5 Bytes JMP 8F06C9BC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8220C1CD 5 Bytes JMP 8F06CA13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateUserProcess 82213E26 5 Bytes JMP 8F06C956 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwTerminateProcess 8222E2F0 5 Bytes JMP 8F06C9FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenThread 8224D57A 5 Bytes JMP 8F06C918 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtOpenProcess 8225CEF2 5 Bytes JMP 8F06C904 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtMapViewOfSection 8226FAFE 7 Bytes JMP 8F06C9D0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82270155 5 Bytes JMP 8F06C9E6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtCreateFile 82272366 5 Bytes JMP 8F06C992 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!NtSetInformationProcess 8227FA24 5 Bytes JMP 8F06C96A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82281C7E 7 Bytes JMP 8F06C9A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwRestoreKey 822A0982 5 Bytes JMP 8F06CA27 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwReplaceKey 822A19CE 5 Bytes JMP 8F06CA3B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcess 822DF72B 5 Bytes JMP 8F06C92C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwCreateProcessEx 822DF776 7 Bytes JMP 8F06C940 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) PAGE ntkrnlpa.exe!ZwSetContextThread 822E0233 5 Bytes JMP 8F06C97E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8DC06340, 0x3D7A87, 0xE8000020] C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl entry point in "" section [0xA23D441C] .clc C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl unknown last code section [0xA23D5000, 0x1000, 0xE0000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[448] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 01BC2180; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[448] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 01BC26B0; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[448] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 01BC2970; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[448] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 01BC2910; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[536] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 02352180; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[536] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 023526B0; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[536] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 02352970; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[536] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 02352910; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[536] WS2_32.dll!send 75EF659B 6 Bytes PUSH 02353A90; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[620] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 018E2180; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[620] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 018E26B0; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[620] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 018E2970; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[620] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 018E2910; RET .text C:\Windows\system32\services.exe[668] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 002B0F6F .text C:\Windows\system32\services.exe[668] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 002B0F8A .text C:\Windows\system32\services.exe[668] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 002B0F28 .text C:\Windows\system32\services.exe[668] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 002B0F39 .text C:\Windows\system32\services.exe[668] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 002B0F9B .text C:\Windows\system32\services.exe[668] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 002B0036 .text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 002B0073 .text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 002B0FC0 .text C:\Windows\system32\services.exe[668] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 002B0090 .text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 002B0062 .text C:\Windows\system32\services.exe[668] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 002B0047 .text C:\Windows\system32\services.exe[668] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 002B00AB .text C:\Windows\system32\services.exe[668] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 002B00E4 .text C:\Windows\system32\services.exe[668] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 002B0000 .text C:\Windows\system32\services.exe[668] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 002B0FEF .text C:\Windows\system32\services.exe[668] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 002B001B .text C:\Windows\system32\services.exe[668] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 002B0F5E .text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 00180069 .text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 0018003D .text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 00180000 .text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 0018004E .text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 00180FA2 .text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 0018001B .text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 00180FE5 .text C:\Windows\system32\services.exe[668] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 0018002C .text C:\Windows\system32\services.exe[668] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 002C0FB9 .text C:\Windows\system32\services.exe[668] msvcrt.dll!system 77298B63 5 Bytes JMP 002C0FCA .text C:\Windows\system32\services.exe[668] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 002C0029 .text C:\Windows\system32\services.exe[668] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 002C0FEF .text C:\Windows\system32\services.exe[668] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 002C003A .text C:\Windows\system32\services.exe[668] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 002C0018 .text C:\Windows\system32\services.exe[668] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 00170000 .text C:\Windows\system32\lsass.exe[680] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 002100CE .text C:\Windows\system32\lsass.exe[680] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 002100B3 .text C:\Windows\system32\lsass.exe[680] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 00210F41 .text C:\Windows\system32\lsass.exe[680] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 00210F52 .text C:\Windows\system32\lsass.exe[680] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 00210084 .text C:\Windows\system32\lsass.exe[680] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 00210036 .text C:\Windows\system32\lsass.exe[680] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 00210073 .text C:\Windows\system32\lsass.exe[680] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 00210FCA .text C:\Windows\system32\lsass.exe[680] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 00210F99 .text C:\Windows\system32\lsass.exe[680] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 00210062 .text C:\Windows\system32\lsass.exe[680] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 00210051 .text C:\Windows\system32\lsass.exe[680] kernel32.dll!CreatePipe 76070284 1 Byte [E9] .text C:\Windows\system32\lsass.exe[680] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 00210F88 .text C:\Windows\system32\lsass.exe[680] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 002100FD .text C:\Windows\system32\lsass.exe[680] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 0021001B .text C:\Windows\system32\lsass.exe[680] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 00210000 .text C:\Windows\system32\lsass.exe[680] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 00210FEF .text C:\Windows\system32\lsass.exe[680] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 00210F63 .text C:\Windows\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 00200FCA .text C:\Windows\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 0020005B .text C:\Windows\system32\lsass.exe[680] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 00200FEF .text C:\Windows\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 00200076 .text C:\Windows\system32\lsass.exe[680] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 00200087 .text C:\Windows\system32\lsass.exe[680] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 0020002F .text C:\Windows\system32\lsass.exe[680] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 00200014 .text C:\Windows\system32\lsass.exe[680] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 0020004A .text C:\Windows\system32\lsass.exe[680] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 01480049 .text C:\Windows\system32\lsass.exe[680] msvcrt.dll!system 77298B63 5 Bytes JMP 01480FBE .text C:\Windows\system32\lsass.exe[680] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 01480FE3 .text C:\Windows\system32\lsass.exe[680] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 01480000 .text C:\Windows\system32\lsass.exe[680] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 0148002E .text C:\Windows\system32\lsass.exe[680] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 0148001D .text C:\Windows\system32\lsass.exe[680] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 001F000A .text C:\Windows\system32\taskeng.exe[740] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 02652180; RET .text C:\Windows\system32\taskeng.exe[740] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 026526B0; RET .text C:\Windows\system32\taskeng.exe[740] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 02652970; RET .text C:\Windows\system32\taskeng.exe[740] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 02652910; RET .text C:\Windows\system32\taskeng.exe[740] WS2_32.dll!send 75EF659B 6 Bytes PUSH 02653A90; RET .text C:\Windows\system32\svchost.exe[864] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 003100B5 .text C:\Windows\system32\svchost.exe[864] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 003100A4 .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 003100EB .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 003100DA .text C:\Windows\system32\svchost.exe[864] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 0031006E .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 0031000A .text C:\Windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 00310051 .text C:\Windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 00310036 .text C:\Windows\system32\svchost.exe[864] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 00310F79 .text C:\Windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 00310F94 .text C:\Windows\system32\svchost.exe[864] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 0031001B .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 00310093 .text C:\Windows\system32\svchost.exe[864] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 00310106 .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 00310FD4 .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 00310FEF .text C:\Windows\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 00310FB9 .text C:\Windows\system32\svchost.exe[864] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 00310F5E .text C:\Windows\system32\svchost.exe[864] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 00540FDB .text C:\Windows\system32\svchost.exe[864] msvcrt.dll!system 77298B63 5 Bytes JMP 00540066 .text C:\Windows\system32\svchost.exe[864] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 0054003A .text C:\Windows\system32\svchost.exe[864] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 0054000C .text C:\Windows\system32\svchost.exe[864] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 0054004B .text C:\Windows\system32\svchost.exe[864] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 00540029 .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 00300FA5 .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 00300FC0 .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 00300FEF .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 00300047 .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 00300062 .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 0030001B .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 0030000A .text C:\Windows\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 00300036 .text C:\Windows\system32\svchost.exe[864] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 002F0FEF .text C:\Windows\system32\svchost.exe[940] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 006A00A7 .text C:\Windows\system32\svchost.exe[940] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 006A0F61 .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 006A0F24 .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 006A0F35 .text C:\Windows\system32\svchost.exe[940] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 006A0F8D .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 006A0025 .text C:\Windows\system32\svchost.exe[940] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 006A0F9E .text C:\Windows\system32\svchost.exe[940] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 006A0FB9 .text C:\Windows\system32\svchost.exe[940] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 006A0F7C .text C:\Windows\system32\svchost.exe[940] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 006A005B .text C:\Windows\system32\svchost.exe[940] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 006A0040 .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 006A008C .text C:\Windows\system32\svchost.exe[940] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 006A0F13 .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 006A0FDE .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 006A0FEF .text C:\Windows\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 006A0014 .text C:\Windows\system32\svchost.exe[940] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 006A0F46 .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 006B0F9C .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!system 77298B63 5 Bytes JMP 006B0FAD .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 006B001D .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 006B0FEF .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 006B0FC8 .text C:\Windows\system32\svchost.exe[940] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 006B000C .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 00680F8A .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 00680FC0 .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 00680000 .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 00680F9B .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 00680F79 .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 00680FDB .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 00680011 .text C:\Windows\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 0068002C .text C:\Windows\system32\svchost.exe[940] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 00670FEF .text C:\Windows\System32\svchost.exe[996] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 00760F55 .text C:\Windows\System32\svchost.exe[996] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 0076009B .text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 00760F1F .text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 007600AC .text C:\Windows\System32\svchost.exe[996] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 00760F8B .text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 00760025 .text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 00760FA8 .text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 00760040 .text C:\Windows\System32\svchost.exe[996] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 00760F7A .text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 0076005B .text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 00760FB9 .text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 00760080 .text C:\Windows\System32\svchost.exe[996] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 00760F04 .text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 00760FD4 .text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 00760FEF .text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 00760014 .text C:\Windows\System32\svchost.exe[996] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 00760F3A .text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 00770FAB .text C:\Windows\System32\svchost.exe[996] msvcrt.dll!system 77298B63 5 Bytes JMP 00770036 .text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 00770011 .text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 00770000 .text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 00770FBC .text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 00770FD7 .text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 00710076 .text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 0071004A .text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 00710000 .text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 0071005B .text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 00710FC3 .text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 00710025 .text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 00710FE5 .text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 00710FD4 .text C:\Windows\System32\svchost.exe[996] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 00610FEF .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 01620F6C .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 016200B2 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 016200E8 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 016200D7 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 01620086 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 01620FC0 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 01620075 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 01620047 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 01620F91 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 01620058 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 0162002C .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 01620097 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 016200F9 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 01620011 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 01620000 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 01620FD1 .text C:\Windows\System32\svchost.exe[1020] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 01620F5B .text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 017B0F9C .text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!system 77298B63 5 Bytes JMP 017B0FAD .text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 017B0FD2 .text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 017B0000 .text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 017B0027 .text C:\Windows\System32\svchost.exe[1020] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 017B0FE3 .text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 01610FCA .text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 0161005B .text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 0161000A .text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 0161006C .text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 01610FB9 .text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 01610040 .text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 01610025 .text C:\Windows\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 01610FE5 .text C:\Windows\System32\svchost.exe[1020] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 011A0000 .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[1028] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 02902180; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[1028] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 029026B0; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[1028] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 02902970; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[1028] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 02902910; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[1028] WS2_32.dll!send 75EF659B 6 Bytes PUSH 02903A90; RET .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 010A0F21 .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 010A0F32 .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 010A0EF2 .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 010A0089 .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 010A005D .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 010A0FC3 .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 010A004C .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 010A0F8D .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 010A0F68 .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 010A002F .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 010A0FB2 .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 010A0F43 .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 010A009A .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 010A0FEF .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 010A0000 .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 010A0FD4 .text C:\Windows\system32\svchost.exe[1032] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 010A0078 .text C:\Windows\system32\svchost.exe[1032] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 010B0F7C .text C:\Windows\system32\svchost.exe[1032] msvcrt.dll!system 77298B63 5 Bytes JMP 010B0011 .text C:\Windows\system32\svchost.exe[1032] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 010B0FBC .text C:\Windows\system32\svchost.exe[1032] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 010B0000 .text C:\Windows\system32\svchost.exe[1032] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 010B0FA1 .text C:\Windows\system32\svchost.exe[1032] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 010B0FE3 .text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 0105006C .text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 01050FD4 .text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 0105000A .text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 0105005B .text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 01050091 .text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 01050025 .text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 01050FEF .text C:\Windows\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 01050036 .text C:\Windows\system32\svchost.exe[1032] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 00DE0FEF .text C:\Windows\PLFSetI.exe[1144] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 01B82180; RET .text C:\Windows\PLFSetI.exe[1144] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 01B826B0; RET .text C:\Windows\PLFSetI.exe[1144] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 01B82970; RET .text C:\Windows\PLFSetI.exe[1144] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 01B82910; RET .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 00AA00B6 .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 00AA0F70 .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 00AA00D1 .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateProcessA 76041C36 1 Byte [E9] .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 00AA0F3A .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 00AA0065 .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 00AA001E .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 00AA004A .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 00AA0FA8 .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 00AA0076 .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 00AA0F8D .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 00AA002F .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 00AA009B .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 00AA00E2 .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 00AA0FDE .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 00AA0FEF .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 00AA0FC3 .text C:\Windows\system32\svchost.exe[1328] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 00AA0F5F .text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 00AC0047 .text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!system 77298B63 5 Bytes JMP 00AC0FBC .text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 00AC0011 .text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 00AC0FE3 .text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 00AC002C .text C:\Windows\system32\svchost.exe[1328] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 00AC0000 .text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 00620054 .text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 1 Byte [E9] .text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 00620FB2 .text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 00620000 .text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 00620043 .text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 00620FA1 .text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 00620FDE .text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 00620FEF .text C:\Windows\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 00620FC3 .text C:\Windows\system32\svchost.exe[1328] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 00340FEF .text C:\Windows\system32\svchost.exe[1328] WinInet.dll!InternetOpenA 76440A4D 5 Bytes JMP 00AB000A .text C:\Windows\system32\svchost.exe[1328] WinInet.dll!InternetOpenUrlA 76442713 5 Bytes JMP 00AB0FE5 .text C:\Windows\system32\svchost.exe[1328] WinInet.dll!InternetOpenW 764430C8 5 Bytes JMP 00AB001B .text C:\Windows\system32\svchost.exe[1328] WinInet.dll!InternetOpenUrlW 76498515 5 Bytes JMP 00AB0FCA .text C:\Windows\RtHDVCpl.exe[1424] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 01FE2180; RET .text C:\Windows\RtHDVCpl.exe[1424] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 01FE26B0; RET .text C:\Windows\RtHDVCpl.exe[1424] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 01FE2970; RET .text C:\Windows\RtHDVCpl.exe[1424] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 01FE2910; RET .text C:\Windows\RtHDVCpl.exe[1424] WS2_32.dll!send 75EF659B 6 Bytes PUSH 01FE3A90; RET .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[1432] ntdll.dll!NtQueryDirectoryFile 77528658 4 Bytes [68, 80, 21, 15] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[1432] ntdll.dll!NtQueryDirectoryFile + 5 7752865D 1 Byte [C3] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[1432] ntdll.dll!NtResumeThread 77528A58 4 Bytes [68, B0, 26, 15] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[1432] ntdll.dll!NtResumeThread + 5 77528A5D 1 Byte [C3] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[1432] ntdll.dll!NtSetValueKey 77528CF8 4 Bytes [68, 70, 29, 15] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[1432] ntdll.dll!NtSetValueKey + 5 77528CFD 1 Byte [C3] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[1432] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 00152910; RET .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[1432] WS2_32.dll!send 75EF659B 6 Bytes PUSH 00153A90; RET .text C:\Windows\System32\rundll32.exe[1456] ntdll.dll!NtQueryDirectoryFile 77528658 4 Bytes [68, 80, 21, 90] .text C:\Windows\System32\rundll32.exe[1456] ntdll.dll!NtQueryDirectoryFile + 5 7752865D 1 Byte [C3] .text C:\Windows\System32\rundll32.exe[1456] ntdll.dll!NtResumeThread 77528A58 4 Bytes [68, B0, 26, 90] .text C:\Windows\System32\rundll32.exe[1456] ntdll.dll!NtResumeThread + 5 77528A5D 1 Byte [C3] .text C:\Windows\System32\rundll32.exe[1456] ntdll.dll!NtSetValueKey 77528CF8 4 Bytes [68, 70, 29, 90] .text C:\Windows\System32\rundll32.exe[1456] ntdll.dll!NtSetValueKey + 5 77528CFD 1 Byte [C3] .text C:\Windows\System32\rundll32.exe[1456] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 00902910; RET .text C:\Windows\System32\rundll32.exe[1456] WS2_32.dll!send 75EF659B 6 Bytes PUSH 00903A90; RET .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 00590F46 .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 00590F57 .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 005900B8 .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 00590F2B .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 00590F9E .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 00590040 .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 00590FAF .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 0059006C .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 00590F83 .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 00590FCA .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 00590051 .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 00590F72 .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 00590F06 .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 00590FE5 .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 00590000 .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 0059001B .text C:\Windows\system32\svchost.exe[1552] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 005900A7 .text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 005E006E .text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!system 77298B63 5 Bytes JMP 005E0FE3 .text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 005E0038 .text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 005E0000 .text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 005E0049 .text C:\Windows\system32\svchost.exe[1552] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 005E0011 .text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 00580F68 .text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 00580F94 .text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 00580FE5 .text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 00580F83 .text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 00580025 .text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 00580000 .text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 00580FCA .text C:\Windows\system32\svchost.exe[1552] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 00580FAF .text C:\Windows\system32\svchost.exe[1552] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 00560FEF .text C:\Windows\system32\Dwm.exe[1744] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 02762180; RET .text C:\Windows\system32\Dwm.exe[1744] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 027626B0; RET .text C:\Windows\system32\Dwm.exe[1744] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 02762970; RET .text C:\Windows\system32\Dwm.exe[1744] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 02762910; RET .text C:\Windows\system32\Dwm.exe[1744] WS2_32.dll!send 75EF659B 6 Bytes PUSH 02763A90; RET .text C:\Windows\Explorer.EXE[1780] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 03F82180; RET .text C:\Windows\Explorer.EXE[1780] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 03F826B0; RET .text C:\Windows\Explorer.EXE[1780] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 03F82970; RET .text C:\Windows\Explorer.EXE[1780] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 03F82910; RET .text C:\Windows\Explorer.EXE[1780] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 04020F94 .text C:\Windows\Explorer.EXE[1780] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 0402009A .text C:\Windows\Explorer.EXE[1780] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 04020FC0 .text C:\Windows\Explorer.EXE[1780] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 04020058 .text C:\Windows\Explorer.EXE[1780] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 040200BF .text C:\Windows\Explorer.EXE[1780] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 0402007D .text C:\Windows\Explorer.EXE[1780] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 04020047 .text C:\Windows\Explorer.EXE[1780] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 04020FA5 .text C:\Windows\Explorer.EXE[1780] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 04020F39 .text C:\Windows\Explorer.EXE[1780] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 04020025 .text C:\Windows\Explorer.EXE[1780] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 03FF0F9E .text C:\Windows\Explorer.EXE[1780] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 03FF0000 .text C:\Windows\Explorer.EXE[1780] SHELL32.dll!InitNetworkAddressControl + 2939 766A006C 4 Bytes [50, 26, 00, 10] {PUSH EAX; ADD [ES:EAX], DL} .text C:\Windows\Explorer.EXE[1780] WININET.dll!InternetOpenUrlW 76498515 5 Bytes JMP 04040FC0 .text C:\Windows\Explorer.EXE[1780] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 03FE0000 .text C:\Windows\Explorer.EXE[1780] WS2_32.dll!send 75EF659B 6 Bytes PUSH 03F83A90; RET .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 016B0093 .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 016B0F57 .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 016B00BF .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 016B00AE .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 016B0F7C .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 016B0FA8 .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 016B0054 .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 016B001E .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 016B0071 .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 016B0039 .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 016B0F97 .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 016B0082 .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 016B00E4 .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 016B0FD4 .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 016B0FE5 .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 016B0FC3 .text C:\Windows\system32\svchost.exe[1908] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 016B0F32 .text C:\Windows\system32\svchost.exe[1908] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 016C0036 .text C:\Windows\system32\svchost.exe[1908] msvcrt.dll!system 77298B63 5 Bytes JMP 016C0FA1 .text C:\Windows\system32\svchost.exe[1908] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 016C0FCD .text C:\Windows\system32\svchost.exe[1908] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 016C0FEF .text C:\Windows\system32\svchost.exe[1908] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 016C0FBC .text C:\Windows\system32\svchost.exe[1908] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 016C0FDE .text C:\Windows\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 01660FC0 .text C:\Windows\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 01660051 .text C:\Windows\system32\svchost.exe[1908] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 01660FE5 .text C:\Windows\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 0166006C .text C:\Windows\system32\svchost.exe[1908] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 01660FAF .text C:\Windows\system32\svchost.exe[1908] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 0166001B .text C:\Windows\system32\svchost.exe[1908] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 0166000A .text C:\Windows\system32\svchost.exe[1908] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 01660036 .text C:\Program Files\Launch Manager\LManager.exe[2260] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 02AB2180; RET .text C:\Program Files\Launch Manager\LManager.exe[2260] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 02AB26B0; RET .text C:\Program Files\Launch Manager\LManager.exe[2260] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 02AB2970; RET .text C:\Program Files\Launch Manager\LManager.exe[2260] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 02AB2910; RET .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2396] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2396] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text C:\ProgramData\DatacardService\DCSHelper.exe[2500] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 01B02180; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2500] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 01B026B0; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2500] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 01B02970; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2500] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 01B02910; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[2616] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 02472180; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[2616] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 024726B0; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[2616] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 02472970; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[2616] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 02472910; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[2616] ws2_32.dll!send 75EF659B 6 Bytes PUSH 02473A90; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2620] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 03B12180; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2620] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 03B126B0; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2620] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 03B12970; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2620] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 03B12910; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[2620] WS2_32.dll!send 75EF659B 6 Bytes PUSH 03B13A90; RET .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[2628] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 015B2180; RET .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[2628] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 015B26B0; RET .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[2628] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 015B2970; RET .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[2628] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 015B2910; RET .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[2628] WS2_32.dll!send 75EF659B 6 Bytes PUSH 015B3A90; RET .text C:\Program Files\Mobogenie\DaemonProcess.exe[2728] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 01D72180; RET .text C:\Program Files\Mobogenie\DaemonProcess.exe[2728] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 01D726B0; RET .text C:\Program Files\Mobogenie\DaemonProcess.exe[2728] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 01D72970; RET .text C:\Program Files\Mobogenie\DaemonProcess.exe[2728] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 01D72910; RET .text C:\Program Files\Mobogenie\DaemonProcess.exe[2728] WS2_32.dll!send 75EF659B 6 Bytes PUSH 01D73A90; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2872] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 02BA2180; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2872] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 02BA26B0; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2872] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 02BA2970; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2872] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 02BA2910; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[2872] WS2_32.dll!send 75EF659B 6 Bytes PUSH 02BA3A90; RET .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 00680F3F .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 00680085 .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 00680F1D .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 00680F2E .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 00680F75 .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 00680FB9 .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 00680F86 .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 0068002F .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 0068006A .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 00680F97 .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 00680FA8 .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 00680F5A .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 006800CF .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 0068000A .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 00680FEF .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 00680FCA .text C:\Windows\system32\svchost.exe[2992] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 006800A0 .text C:\Windows\system32\svchost.exe[2992] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 0069005A .text C:\Windows\system32\svchost.exe[2992] msvcrt.dll!system 77298B63 5 Bytes JMP 00690049 .text C:\Windows\system32\svchost.exe[2992] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 0069001D .text C:\Windows\system32\svchost.exe[2992] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 00690FEF .text C:\Windows\system32\svchost.exe[2992] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 00690038 .text C:\Windows\system32\svchost.exe[2992] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 0069000C .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 0067006C .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 00670FE5 .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 0067000A .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 00670FD4 .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 0067007D .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 00670036 .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 00670025 .text C:\Windows\system32\svchost.exe[2992] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 00670051 .text C:\Windows\system32\svchost.exe[2992] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 00660FEF .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 003D0FB4 .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 003D00FA .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 003D0129 .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 003D0F92 .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 003D00A9 .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 003D0040 .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 003D0098 .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 003D006C .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 003D00C4 .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 003D0087 .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 003D005B .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 003D00DF .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 003D0144 .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 003D001B .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 003D000A .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 003D0FEF .text C:\Windows\system32\svchost.exe[3268] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 003D0FA3 .text C:\Windows\system32\svchost.exe[3268] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 003E0F90 .text C:\Windows\system32\svchost.exe[3268] msvcrt.dll!system 77298B63 5 Bytes JMP 003E001B .text C:\Windows\system32\svchost.exe[3268] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 003E0FAB .text C:\Windows\system32\svchost.exe[3268] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 003E0FEF .text C:\Windows\system32\svchost.exe[3268] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 003E0000 .text C:\Windows\system32\svchost.exe[3268] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 003E0FC6 .text C:\Windows\system32\svchost.exe[3268] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 00350047 .text C:\Windows\system32\svchost.exe[3268] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 00350025 .text C:\Windows\system32\svchost.exe[3268] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 00350FEF .text C:\Windows\system32\svchost.exe[3268] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 00350036 .text C:\Windows\system32\svchost.exe[3268] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 00350F8A .text C:\Windows\system32\svchost.exe[3268] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 00350FC3 .text C:\Windows\system32\svchost.exe[3268] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 00350FDE .text C:\Windows\system32\svchost.exe[3268] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 00350014 .text C:\Windows\system32\svchost.exe[3268] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 002E0000 .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3620] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 05902180; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3620] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 059026B0; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3620] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 05902970; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3620] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 05902910; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3620] WS2_32.dll!send 75EF659B 6 Bytes PUSH 05903A90; RET .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 000100BA .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 00010F74 .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 000100D5 .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 00010F48 .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 00010095 .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 00010036 .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 00010084 .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 00010058 .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 00010FA0 .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 00010073 .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 00010047 .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 00010F8F .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 00010F23 .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 0001001B .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 00010000 .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 00010FE5 .text C:\Windows\System32\svchost.exe[3800] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 00010F59 .text C:\Windows\System32\svchost.exe[3800] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 00050FCD .text C:\Windows\System32\svchost.exe[3800] msvcrt.dll!system 77298B63 5 Bytes JMP 0005004E .text C:\Windows\System32\svchost.exe[3800] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 00050022 .text C:\Windows\System32\svchost.exe[3800] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 00050000 .text C:\Windows\System32\svchost.exe[3800] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 00050033 .text C:\Windows\System32\svchost.exe[3800] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 00050011 .text C:\Windows\System32\svchost.exe[3800] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 0006001E .text C:\Windows\System32\svchost.exe[3800] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 00060FA1 .text C:\Windows\System32\svchost.exe[3800] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 00060FEF .text C:\Windows\System32\svchost.exe[3800] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 00060F86 .text C:\Windows\System32\svchost.exe[3800] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 0006002F .text C:\Windows\System32\svchost.exe[3800] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 00060FC3 .text C:\Windows\System32\svchost.exe[3800] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 00060FD4 .text C:\Windows\System32\svchost.exe[3800] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 00060FB2 .text C:\Windows\System32\svchost.exe[3800] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 003E0FE5 .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3808] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 01CB2180; RET .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3808] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 01CB26B0; RET .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3808] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 01CB2970; RET .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3808] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 01CB2910; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3844] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 02502180; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3844] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 025026B0; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3844] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 02502970; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3844] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 02502910; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3844] ws2_32.dll!send 75EF659B 6 Bytes PUSH 02503A90; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[4064] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 02222180; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[4064] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 022226B0; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[4064] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 02222970; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[4064] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 02222910; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[4064] ws2_32.dll!send 75EF659B 6 Bytes PUSH 02223A90; RET .text D:\programy\winamp\winampa.exe[4156] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 01972180; RET .text D:\programy\winamp\winampa.exe[4156] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 019726B0; RET .text D:\programy\winamp\winampa.exe[4156] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 01972970; RET .text D:\programy\winamp\winampa.exe[4156] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 01972910; RET .text C:\Windows\system32\wbem\unsecapp.exe[4188] ntdll.dll!NtQueryDirectoryFile 77528658 4 Bytes [68, 80, 21, 99] .text C:\Windows\system32\wbem\unsecapp.exe[4188] ntdll.dll!NtQueryDirectoryFile + 5 7752865D 1 Byte [C3] .text C:\Windows\system32\wbem\unsecapp.exe[4188] ntdll.dll!NtResumeThread 77528A58 4 Bytes [68, B0, 26, 99] .text C:\Windows\system32\wbem\unsecapp.exe[4188] ntdll.dll!NtResumeThread + 5 77528A5D 1 Byte [C3] .text C:\Windows\system32\wbem\unsecapp.exe[4188] ntdll.dll!NtSetValueKey 77528CF8 4 Bytes [68, 70, 29, 99] .text C:\Windows\system32\wbem\unsecapp.exe[4188] ntdll.dll!NtSetValueKey + 5 77528CFD 1 Byte [C3] .text C:\Windows\system32\wbem\unsecapp.exe[4188] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 00992910; RET .text C:\Windows\system32\wbem\unsecapp.exe[4188] WS2_32.dll!send 75EF659B 6 Bytes PUSH 00993A90; RET .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4236] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 02992180; RET .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4236] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 029926B0; RET .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4236] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 02992970; RET .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[4236] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 02992910; RET .text C:\Windows\WindowsMobile\wmdSync.exe[4348] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 01B62180; RET .text C:\Windows\WindowsMobile\wmdSync.exe[4348] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 01B626B0; RET .text C:\Windows\WindowsMobile\wmdSync.exe[4348] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 01B62970; RET .text C:\Windows\WindowsMobile\wmdSync.exe[4348] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 01B62910; RET .text C:\Windows\WindowsMobile\wmdSync.exe[4348] WS2_32.dll!send 75EF659B 6 Bytes PUSH 01B63A90; RET .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!GetStartupInfoW 76041929 5 Bytes JMP 0001007B .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!GetStartupInfoA 760419C9 5 Bytes JMP 0001006A .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!CreateProcessW 76041C01 5 Bytes JMP 000100A0 .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!CreateProcessA 76041C36 5 Bytes JMP 00010EFF .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!VirtualProtect 76041DD1 5 Bytes JMP 00010F64 .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!CreateNamedPipeW 76045C44 5 Bytes JMP 00010FC3 .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!LoadLibraryExW 760630C3 5 Bytes JMP 00010F75 .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!LoadLibraryW 7606361F 5 Bytes JMP 00010F97 .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!VirtualProtectEx 76068D7E 5 Bytes JMP 00010F49 .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!LoadLibraryExA 76069469 5 Bytes JMP 00010F86 .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!LoadLibraryA 76069491 5 Bytes JMP 00010FA8 .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!CreatePipe 76070284 5 Bytes JMP 00010059 .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!GetProcAddress 7608B8B6 5 Bytes JMP 000100BB .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!CreateFileW 7608CC4E 5 Bytes JMP 00010000 .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!CreateFileA 7608CF71 5 Bytes JMP 00010FE5 .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!CreateNamedPipeA 760D430E 5 Bytes JMP 00010FD4 .text C:\Windows\system32\svchost.exe[4560] kernel32.dll!WinExec 760D54FF 5 Bytes JMP 00010F1A .text C:\Windows\system32\svchost.exe[4560] msvcrt.dll!_wsystem 77298A47 5 Bytes JMP 00050053 .text C:\Windows\system32\svchost.exe[4560] msvcrt.dll!system 77298B63 5 Bytes JMP 00050042 .text C:\Windows\system32\svchost.exe[4560] msvcrt.dll!_creat 7729C6F1 5 Bytes JMP 0005000C .text C:\Windows\system32\svchost.exe[4560] msvcrt.dll!_open 7729DA7E 5 Bytes JMP 00050FE3 .text C:\Windows\system32\svchost.exe[4560] msvcrt.dll!_wcreat 7729DC9E 5 Bytes JMP 00050027 .text C:\Windows\system32\svchost.exe[4560] msvcrt.dll!_wopen 7729DE79 5 Bytes JMP 00050FD2 .text C:\Windows\system32\svchost.exe[4560] ADVAPI32.dll!RegCreateKeyExA 75F8B5E7 5 Bytes JMP 000A0065 .text C:\Windows\system32\svchost.exe[4560] ADVAPI32.dll!RegCreateKeyA 75F8B8AE 5 Bytes JMP 000A004A .text C:\Windows\system32\svchost.exe[4560] ADVAPI32.dll!RegOpenKeyA 75F90BF5 5 Bytes JMP 000A000A .text C:\Windows\system32\svchost.exe[4560] ADVAPI32.dll!RegCreateKeyW 75F9B83D 5 Bytes JMP 000A0FC3 .text C:\Windows\system32\svchost.exe[4560] ADVAPI32.dll!RegCreateKeyExW 75F9BCE1 5 Bytes JMP 000A0080 .text C:\Windows\system32\svchost.exe[4560] ADVAPI32.dll!RegOpenKeyExA 75F9D4E8 5 Bytes JMP 000A0FEF .text C:\Windows\system32\svchost.exe[4560] ADVAPI32.dll!RegOpenKeyW 75FA3CB0 5 Bytes JMP 000A001B .text C:\Windows\system32\svchost.exe[4560] ADVAPI32.dll!RegOpenKeyExW 75FAF09D 5 Bytes JMP 000A0FDE .text C:\Windows\system32\svchost.exe[4560] WS2_32.dll!socket 75EF36D1 5 Bytes JMP 000B0000 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4572] ntdll.dll!NtQueryDirectoryFile 77528658 4 Bytes [68, 80, 21, 93] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4572] ntdll.dll!NtQueryDirectoryFile + 5 7752865D 1 Byte [C3] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4572] ntdll.dll!NtResumeThread 77528A58 4 Bytes [68, B0, 26, 93] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4572] ntdll.dll!NtResumeThread + 5 77528A5D 1 Byte [C3] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4572] ntdll.dll!NtSetValueKey 77528CF8 4 Bytes [68, 70, 29, 93] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4572] ntdll.dll!NtSetValueKey + 5 77528CFD 1 Byte [C3] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[4572] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 00932910; RET .text C:\Windows\system32\wermgr.exe[4704] ntdll.dll!NtQueryDirectoryFile 77528658 4 Bytes [68, 80, 21, 0E] .text C:\Windows\system32\wermgr.exe[4704] ntdll.dll!NtQueryDirectoryFile + 5 7752865D 1 Byte [C3] .text C:\Windows\system32\wermgr.exe[4704] ntdll.dll!NtResumeThread 77528A58 4 Bytes [68, B0, 26, 0E] .text C:\Windows\system32\wermgr.exe[4704] ntdll.dll!NtResumeThread + 5 77528A5D 1 Byte [C3] .text C:\Windows\system32\wermgr.exe[4704] ntdll.dll!NtSetValueKey 77528CF8 4 Bytes [68, 70, 29, 0E] .text C:\Windows\system32\wermgr.exe[4704] ntdll.dll!NtSetValueKey + 5 77528CFD 1 Byte [C3] .text C:\Windows\system32\wermgr.exe[4704] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 000E2910; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[4748] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 02802180; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[4748] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 028026B0; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[4748] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 02802970; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[4748] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 02802910; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[4748] WS2_32.dll!send 75EF659B 6 Bytes PUSH 02803A90; RET .text C:\Program Files\uTorrent\uTorrent.exe[4920] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 02C72180; RET .text C:\Program Files\uTorrent\uTorrent.exe[4920] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 02C726B0; RET .text C:\Program Files\uTorrent\uTorrent.exe[4920] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 02C72970; RET .text C:\Program Files\uTorrent\uTorrent.exe[4920] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 02C72910; RET .text C:\Program Files\uTorrent\uTorrent.exe[4920] WS2_32.dll!send 75EF659B 6 Bytes PUSH 02C73A90; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4936] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 02802180; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4936] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 028026B0; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4936] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 02802970; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4936] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 02802910; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4936] USER32.dll!IsZoomed + 80 76180731 7 Bytes JMP 00085CF0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software) .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4936] USER32.dll!GetClassLongW + 529 76181EB5 7 Bytes JMP 00085C60 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software) .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4936] USER32.dll!DdeUninitialize + 360 761A02A5 7 Bytes JMP 00085CD0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software) .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4936] WS2_32.dll!send 75EF659B 6 Bytes PUSH 02803A90; RET .text C:\Program Files\Windows Media Player\wmpnscfg.exe[5120] ntdll.dll!NtQueryDirectoryFile 77528658 4 Bytes [68, 80, 21, CB] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[5120] ntdll.dll!NtQueryDirectoryFile + 5 7752865D 1 Byte [C3] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[5120] ntdll.dll!NtResumeThread 77528A58 4 Bytes [68, B0, 26, CB] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[5120] ntdll.dll!NtResumeThread + 5 77528A5D 1 Byte [C3] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[5120] ntdll.dll!NtSetValueKey 77528CF8 4 Bytes [68, 70, 29, CB] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[5120] ntdll.dll!NtSetValueKey + 5 77528CFD 1 Byte [C3] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[5120] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 00CB2910; RET .text C:\Program Files\Windows Media Player\wmpnscfg.exe[5120] WS2_32.dll!send 75EF659B 6 Bytes PUSH 00CB3A90; RET .text C:\Windows\System32\rundll32.exe[5204] ntdll.dll!NtQueryDirectoryFile 77528658 4 Bytes [68, 80, 21, C7] .text C:\Windows\System32\rundll32.exe[5204] ntdll.dll!NtQueryDirectoryFile + 5 7752865D 1 Byte [C3] .text C:\Windows\System32\rundll32.exe[5204] ntdll.dll!NtResumeThread 77528A58 4 Bytes [68, B0, 26, C7] .text C:\Windows\System32\rundll32.exe[5204] ntdll.dll!NtResumeThread + 5 77528A5D 1 Byte [C3] .text C:\Windows\System32\rundll32.exe[5204] ntdll.dll!NtSetValueKey 77528CF8 4 Bytes [68, 70, 29, C7] .text C:\Windows\System32\rundll32.exe[5204] ntdll.dll!NtSetValueKey + 5 77528CFD 1 Byte [C3] .text C:\Windows\System32\rundll32.exe[5204] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 00C72910; RET .text C:\Windows\System32\rundll32.exe[5204] WS2_32.dll!send 75EF659B 6 Bytes PUSH 00C73A90; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[5252] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 05632180; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[5252] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 056326B0; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[5252] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 05632970; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[5252] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 05632910; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[5252] WS2_32.dll!send 75EF659B 6 Bytes PUSH 05633A90; RET .text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5296] ntdll.dll!NtQueryDirectoryFile 77528658 4 Bytes [68, 80, 21, 83] .text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5296] ntdll.dll!NtQueryDirectoryFile + 5 7752865D 1 Byte [C3] .text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5296] ntdll.dll!NtResumeThread 77528A58 4 Bytes [68, B0, 26, 83] .text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5296] ntdll.dll!NtResumeThread + 5 77528A5D 1 Byte [C3] .text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5296] ntdll.dll!NtSetValueKey 77528CF8 4 Bytes [68, 70, 29, 83] .text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5296] ntdll.dll!NtSetValueKey + 5 77528CFD 1 Byte [C3] .text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5296] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 00832910; RET .text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[5296] WS2_32.dll!send 75EF659B 6 Bytes PUSH 00833A90; RET .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[5312] ntdll.dll!NtQueryDirectoryFile 77528658 4 Bytes [68, 80, 21, 5C] .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[5312] ntdll.dll!NtQueryDirectoryFile + 5 7752865D 1 Byte [C3] .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[5312] ntdll.dll!NtResumeThread 77528A58 4 Bytes [68, B0, 26, 5C] .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[5312] ntdll.dll!NtResumeThread + 5 77528A5D 1 Byte [C3] .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[5312] ntdll.dll!NtSetValueKey 77528CF8 4 Bytes [68, 70, 29, 5C] .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[5312] ntdll.dll!NtSetValueKey + 5 77528CFD 1 Byte [C3] .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[5312] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 005C2910; RET .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[5320] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 014D2180; RET .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[5320] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 014D26B0; RET .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[5320] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 014D2970; RET .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[5320] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 014D2910; RET .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5576] ntdll.dll!NtQueryDirectoryFile 77528658 4 Bytes [68, 80, 21, 15] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5576] ntdll.dll!NtQueryDirectoryFile + 5 7752865D 1 Byte [C3] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5576] ntdll.dll!NtResumeThread 77528A58 4 Bytes [68, B0, 26, 15] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5576] ntdll.dll!NtResumeThread + 5 77528A5D 1 Byte [C3] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5576] ntdll.dll!NtSetValueKey 77528CF8 4 Bytes [68, 70, 29, 15] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5576] ntdll.dll!NtSetValueKey + 5 77528CFD 1 Byte [C3] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[5576] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 00152910; RET .text c:\PROGRA~1\mcafee\msc\mcuimgr.exe[6068] ntdll.dll!NtQueryDirectoryFile 77528658 6 Bytes PUSH 01DA2180; RET .text c:\PROGRA~1\mcafee\msc\mcuimgr.exe[6068] ntdll.dll!NtResumeThread 77528A58 6 Bytes PUSH 01DA26B0; RET .text c:\PROGRA~1\mcafee\msc\mcuimgr.exe[6068] ntdll.dll!NtSetValueKey 77528CF8 6 Bytes PUSH 01DA2970; RET .text c:\PROGRA~1\mcafee\msc\mcuimgr.exe[6068] ntdll.dll!DbgUiRemoteBreakin 7755D50C 7 Bytes PUSH 01DA2910; RET ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [743D8864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74419855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [743DB984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [743CFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [743D7A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [743CEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7440B12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [743DBC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [743D0756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [743D06BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [743C71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7445D9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [743F7329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [743CE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [743C697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [743C69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [743D2475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001B60] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B60] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated) IAT C:\Windows\Explorer.EXE[1780] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated) ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ---- Threads - GMER 2.1 ---- Thread System [4:4016] A23EC8C8 Thread System [4:4020] A23EC8C8 ---- Processes - GMER 2.1 ---- Process (*** hidden *** ) [4] 84541D90 ---- Threads - GMER 2.1 ---- Thread [4:4016] A23EC8C8 Thread [4:4020] A23EC8C8 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----