GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-15 08:08:20
Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB
Running: tspx2j2j.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pxrdafoc.sys

---- System - GMER 2.1 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8F07098E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8F070928]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8F07093C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8F0709CC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8F070900]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8F070914]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8F0709A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8F07097A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8F070966]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8F0709FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8F0709E2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8F0709B8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8F070952]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwYieldExecution 820681A0 5 Bytes JMP 8F0709BC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 82209E26 5 Bytes JMP 8F070956 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 822242F0 5 Bytes JMP 8F0709FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 8224357A 5 Bytes JMP 8F070918 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 82252EF2 5 Bytes JMP 8F070904 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 82265AFE 7 Bytes JMP 8F0709D0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82266155 5 Bytes JMP 8F0709E6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 82268366 5 Bytes JMP 8F070992 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82275A24 5 Bytes JMP 8F07096A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82277C7E 7 Bytes JMP 8F0709A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 822D572B 5 Bytes JMP 8F07092C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 822D5776 7 Bytes JMP 8F070940 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 822D6233 5 Bytes JMP 8F07097E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8DA0B340, 0x3D7A87, 0xE8000020]
C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl entry point in "" section [0xA4D3141C]
.clc C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl unknown last code section [0xA4D32000, 0x1000, 0xE0000020]

---- User code sections - GMER 2.1 ----

.text C:\Windows\PLFSetI.exe[280] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 01AB2180; RET
.text C:\Windows\PLFSetI.exe[280] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 01AB26B0; RET
.text C:\Windows\PLFSetI.exe[280] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 01AB2970; RET
.text C:\Windows\PLFSetI.exe[280] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 01AB2910; RET
.text C:\Program Files\Launch Manager\LManager.exe[376] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 02B72180; RET
.text C:\Program Files\Launch Manager\LManager.exe[376] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 02B726B0; RET
.text C:\Program Files\Launch Manager\LManager.exe[376] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 02B72970; RET
.text C:\Program Files\Launch Manager\LManager.exe[376] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7
Bytes PUSH 02B72910; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[452] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 02D72180; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[452] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 02D726B0; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[452] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 02D72970; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[452] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 02D72910; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[452] WS2_32.dll!send 75F7659B 6 Bytes PUSH 02D73A90; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[660] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 015E2180; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[660] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 015E26B0; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[660] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 015E2970; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[660] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 015E2910; RET .text C:\Windows\system32\services.exe[692] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 001C00B2 .text C:\Windows\system32\services.exe[692] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 001C00A1 .text C:\Windows\system32\services.exe[692] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 001C0F2F .text C:\Windows\system32\services.exe[692] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 001C0F4A .text C:\Windows\system32\services.exe[692] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 001C0F91 .text C:\Windows\system32\services.exe[692] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 001C002C .text C:\Windows\system32\services.exe[692] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 001C0FA2 .text 
C:\Windows\system32\services.exe[692] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 001C004E .text C:\Windows\system32\services.exe[692] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 001C0086 .text C:\Windows\system32\services.exe[692] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 001C005F .text C:\Windows\system32\services.exe[692] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 001C003D .text C:\Windows\system32\services.exe[692] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 001C0F76 .text C:\Windows\system32\services.exe[692] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 001C0F1E .text C:\Windows\system32\services.exe[692] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 001C0FDB .text C:\Windows\system32\services.exe[692] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 001C0000 .text C:\Windows\system32\services.exe[692] kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 001C0011 .text C:\Windows\system32\services.exe[692] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 001C0F5B .text C:\Windows\system32\services.exe[692] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 00770033 .text C:\Windows\system32\services.exe[692] ADVAPI32.dll!RegCreateKeyA 7680B8AE 5 Bytes JMP 00770011 .text C:\Windows\system32\services.exe[692] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 00770FE5 .text C:\Windows\system32\services.exe[692] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 00770022 .text C:\Windows\system32\services.exe[692] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 00770F80 .text C:\Windows\system32\services.exe[692] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 00770FCA .text C:\Windows\system32\services.exe[692] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 00770000 .text C:\Windows\system32\services.exe[692] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 00770FAF .text C:\Windows\system32\services.exe[692] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 00780FAD .text C:\Windows\system32\services.exe[692] msvcrt.dll!system 76918B63 5 Bytes JMP 00780FC8 .text 
C:\Windows\system32\services.exe[692] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 00780FD9 .text C:\Windows\system32\services.exe[692] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 00780000 .text C:\Windows\system32\services.exe[692] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 0078002E .text C:\Windows\system32\services.exe[692] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 00780011 .text C:\Windows\system32\services.exe[692] WS2_32.dll!socket 75F736D1 5 Bytes JMP 001B0FE5 .text C:\Windows\system32\lsass.exe[704] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 000F007A .text C:\Windows\system32\lsass.exe[704] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 000F0069 .text C:\Windows\system32\lsass.exe[704] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 000F009F .text C:\Windows\system32\lsass.exe[704] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 000F0F08 .text C:\Windows\system32\lsass.exe[704] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 000F004E .text C:\Windows\system32\lsass.exe[704] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 000F0FA5 .text C:\Windows\system32\lsass.exe[704] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 000F003D .text C:\Windows\system32\lsass.exe[704] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 000F0F8A .text C:\Windows\system32\lsass.exe[704] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 000F0F4F .text C:\Windows\system32\lsass.exe[704] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 000F0022 .text C:\Windows\system32\lsass.exe[704] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 000F0011 .text C:\Windows\system32\lsass.exe[704] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 000F0F34 .text C:\Windows\system32\lsass.exe[704] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 000F0EED .text C:\Windows\system32\lsass.exe[704] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 000F0000 .text C:\Windows\system32\lsass.exe[704] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 000F0FE5 .text C:\Windows\system32\lsass.exe[704] 
kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 000F0FCA .text C:\Windows\system32\lsass.exe[704] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 000F0F23 .text C:\Windows\system32\lsass.exe[704] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 00100039 .text C:\Windows\system32\lsass.exe[704] ADVAPI32.dll!RegCreateKeyA 7680B8AE 1 Byte [E9] .text C:\Windows\system32\lsass.exe[704] ADVAPI32.dll!RegCreateKeyA 7680B8AE 5 Bytes JMP 00100FB2 .text C:\Windows\system32\lsass.exe[704] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 00100FEF .text C:\Windows\system32\lsass.exe[704] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 00100F97 .text C:\Windows\system32\lsass.exe[704] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 00100F7C .text C:\Windows\system32\lsass.exe[704] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 0010000A .text C:\Windows\system32\lsass.exe[704] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 00100FDE .text C:\Windows\system32\lsass.exe[704] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 00100FC3 .text C:\Windows\system32\lsass.exe[704] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 002D0050 .text C:\Windows\system32\lsass.exe[704] msvcrt.dll!system 76918B63 5 Bytes JMP 002D003F .text C:\Windows\system32\lsass.exe[704] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 002D002E .text C:\Windows\system32\lsass.exe[704] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 002D0000 .text C:\Windows\system32\lsass.exe[704] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 002D0FCF .text C:\Windows\system32\lsass.exe[704] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 002D001D .text C:\Windows\system32\lsass.exe[704] WS2_32.dll!socket 75F736D1 5 Bytes JMP 000E0000 .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[748] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 02B92180; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[748] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 02B926B0; RET .text C:\Program Files\Acer\Empowering 
Technology\eDataSecurity\x86\eDSLoader.exe[748] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 02B92970; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[748] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 02B92910; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[748] WS2_32.dll!send 75F7659B 6 Bytes PUSH 02B93A90; RET .text C:\Windows\system32\svchost.exe[752] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 00010095 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 00010F59 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 000100B0 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 00010F19 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 00010058 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 00010FB9 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 00010047 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 00010036 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 00010069 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 00010F94 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 00010025 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 0001007A .text C:\Windows\system32\svchost.exe[752] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 000100CB .text C:\Windows\system32\svchost.exe[752] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 00010FEF .text C:\Windows\system32\svchost.exe[752] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 00010000 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 
00010FD4 .text C:\Windows\system32\svchost.exe[752] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 00010F2A .text C:\Windows\system32\svchost.exe[752] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 00060047 .text C:\Windows\system32\svchost.exe[752] msvcrt.dll!system 76918B63 5 Bytes JMP 00060FB2 .text C:\Windows\system32\svchost.exe[752] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 00060022 .text C:\Windows\system32\svchost.exe[752] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 00060000 .text C:\Windows\system32\svchost.exe[752] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 00060FCD .text C:\Windows\system32\svchost.exe[752] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 00060011 .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 00070FA8 .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyA 7680B8AE 5 Bytes JMP 00070FCA .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 00070000 .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 00070FB9 .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 00070F8D .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 00070025 .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 00070FEF .text C:\Windows\system32\svchost.exe[752] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 00070036 .text C:\Windows\system32\svchost.exe[752] WS2_32.dll!socket 75F736D1 5 Bytes JMP 0008000A .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[868] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 01B02180; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[868] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 01B026B0; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[868] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 01B02970; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[868] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 
Bytes PUSH 01B02910; RET .text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 008F0094 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 008F0F44 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 008F00CA .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 008F00AF .text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 008F0065 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 008F0FCA .text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 008F0F81 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 008F0FA8 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 008F0F66 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 008F004A .text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 008F0FB9 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 008F0F55 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 008F0F0E .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 008F001B .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 008F0000 .text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 008F0FDB .text C:\Windows\system32\svchost.exe[880] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 008F0F33 .text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 0091005A .text C:\Windows\system32\svchost.exe[880] msvcrt.dll!system 76918B63 5 Bytes JMP 00910049 .text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 
0091001D .text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 00910000 .text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 00910038 .text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 00910FE3 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 00900F94 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyA 7680B8AE 5 Bytes JMP 00900036 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 00900000 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 00900FA5 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 00900F83 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 00900FCA .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 00900FE5 .text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 00900025 .text C:\Windows\system32\svchost.exe[880] WS2_32.dll!socket 75F736D1 5 Bytes JMP 007D0FEF .text C:\Program Files\McAfee.com\Agent\mcagent.exe[888] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 02252180; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[888] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 022526B0; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[888] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 02252970; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[888] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 02252910; RET .text C:\Program Files\McAfee.com\Agent\mcagent.exe[888] WS2_32.dll!send 75F7659B 6 Bytes PUSH 02253A90; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[936] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 02F12180; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[936] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 
02F126B0; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[936] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 02F12970; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[936] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 02F12910; RET .text C:\Program Files\SiteAdvisor\6172\SiteAdv.exe[936] WS2_32.dll!send 75F7659B 6 Bytes PUSH 02F13A90; RET .text C:\Windows\system32\svchost.exe[952] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 00350096 .text C:\Windows\system32\svchost.exe[952] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 00350F50 .text C:\Windows\system32\svchost.exe[952] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 00350F1A .text C:\Windows\system32\svchost.exe[952] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 003500A7 .text C:\Windows\system32\svchost.exe[952] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 00350F72 .text C:\Windows\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 00350FC3 .text C:\Windows\system32\svchost.exe[952] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 0035004A .text C:\Windows\system32\svchost.exe[952] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 00350FA8 .text C:\Windows\system32\svchost.exe[952] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 00350F61 .text C:\Windows\system32\svchost.exe[952] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 00350F8D .text C:\Windows\system32\svchost.exe[952] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 0035002F .text C:\Windows\system32\svchost.exe[952] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 0035007B .text C:\Windows\system32\svchost.exe[952] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 00350F09 .text C:\Windows\system32\svchost.exe[952] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 0035000A .text C:\Windows\system32\svchost.exe[952] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 00350FEF .text C:\Windows\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 00350FD4 .text 
C:\Windows\system32\svchost.exe[952] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 00350F35 .text C:\Windows\system32\svchost.exe[952] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 00900FC3 .text C:\Windows\system32\svchost.exe[952] msvcrt.dll!system 76918B63 5 Bytes JMP 00900044 .text C:\Windows\system32\svchost.exe[952] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 00900033 .text C:\Windows\system32\svchost.exe[952] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 0090000C .text C:\Windows\system32\svchost.exe[952] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 00900FD4 .text C:\Windows\system32\svchost.exe[952] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 00900FEF .text C:\Windows\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 00360F9E .text C:\Windows\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 7680B8AE 5 Bytes JMP 00360025 .text C:\Windows\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 00360FE5 .text C:\Windows\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 00360040 .text C:\Windows\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 0036005B .text C:\Windows\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 0036000A .text C:\Windows\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 00360FD4 .text C:\Windows\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 00360FB9 .text C:\Windows\system32\svchost.exe[952] WS2_32.dll!socket 75F736D1 5 Bytes JMP 00340000 .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 00790F83 .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 007900D3 .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 0079011A .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 007900FF .text C:\Windows\System32\svchost.exe[1008] 
kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 007900A7 .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 00790FD4 .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 0079008C .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 0079005B .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 00790FA8 .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 00790FC3 .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 00790040 .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 007900C2 .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 00790F5E .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 0079001B .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 0079000A .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 00790FE5 .text C:\Windows\System32\svchost.exe[1008] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 007900EE .text C:\Windows\System32\svchost.exe[1008] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 00A20FA8 .text C:\Windows\System32\svchost.exe[1008] msvcrt.dll!system 76918B63 5 Bytes JMP 00A20FC3 .text C:\Windows\System32\svchost.exe[1008] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 00A20029 .text C:\Windows\System32\svchost.exe[1008] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 00A20FEF .text C:\Windows\System32\svchost.exe[1008] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 00A20FDE .text C:\Windows\System32\svchost.exe[1008] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 00A2000C .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 007B0051 .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyA 
7680B8AE 5 Bytes JMP 007B0FAF .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 007B0000 .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 007B0036 .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 007B0F94 .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 007B0FCA .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 007B0FE5 .text C:\Windows\System32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 007B001B .text C:\Windows\System32\svchost.exe[1008] WS2_32.dll!socket 75F736D1 5 Bytes JMP 0078000A .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 015E0F47 .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 015E008D .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 015E00C3 .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 015E00B2 .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 015E006B .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 015E0022 .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 015E0F91 .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 015E0FB6 .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 015E007C .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 015E004E .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 015E003D .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 015E0F62 .text C:\Windows\System32\svchost.exe[1040] 
kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 015E00DE .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 015E0011 .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 015E0000 .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 015E0FD1 .text C:\Windows\System32\svchost.exe[1040] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 015E0F2C .text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 01640FDE .text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!system 76918B63 5 Bytes JMP 01640FEF .text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 01640044 .text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 01640000 .text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 01640055 .text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 01640029 .text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 0163006C .text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyA 7680B8AE 5 Bytes JMP 01630040 .text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 0163000A .text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 0163005B .text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 0163007D .text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 01630FD4 .text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 01630FE5 .text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 0163002F .text C:\Windows\System32\svchost.exe[1040] WS2_32.dll!socket 75F736D1 5 Bytes JMP 015D0FEF .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!GetStartupInfoW 76631929 5 Bytes 
JMP 010B0F48 .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 010B0F59 .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 010B0F37 .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 010B00C4 .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 010B0058 .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 010B001B .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 010B0047 .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 010B0F94 .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 010B0069 .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 010B0036 .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 010B0FB9 .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 010B008E .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 010B00DF .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 010B000A .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 010B0FEF .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 010B0FCA .text C:\Windows\system32\svchost.exe[1052] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 010B00B3 .text C:\Windows\system32\svchost.exe[1052] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 010D0F90 .text C:\Windows\system32\svchost.exe[1052] msvcrt.dll!system 76918B63 5 Bytes JMP 010D001B .text C:\Windows\system32\svchost.exe[1052] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 010D0000 .text C:\Windows\system32\svchost.exe[1052] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 010D0FEF 
.text C:\Windows\system32\svchost.exe[1052] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 010D0FAB .text C:\Windows\system32\svchost.exe[1052] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 010D0FC6 .text C:\Windows\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 3 Bytes JMP 010C0F8A .text C:\Windows\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyExA + 4 7680B5EB 1 Byte [8A] .text C:\Windows\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyA 7680B8AE 3 Bytes JMP 010C0FB6 .text C:\Windows\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyA + 4 7680B8B2 1 Byte [8A] .text C:\Windows\system32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 010C0000 .text C:\Windows\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 010C0F9B .text C:\Windows\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 010C0F6F .text C:\Windows\system32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 010C0022 .text C:\Windows\system32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 010C0011 .text C:\Windows\system32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 010C0FC7 .text C:\Windows\system32\svchost.exe[1052] WS2_32.dll!socket 75F736D1 5 Bytes JMP 01060FE5 .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 00DF00B8 .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 00DF00A7 .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 00DF0113 .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 00DF00EE .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 00DF0071 .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 00DF0FD4 .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 00DF0F8D 
.text C:\Windows\system32\svchost.exe[1292] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 00DF0040 .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 00DF0F7C .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 00DF0F9E .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 00DF0FB9 .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 00DF008C .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 00DF0124 .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 00DF001B .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 00DF0000 .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 00DF0FE5 .text C:\Windows\system32\svchost.exe[1292] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 00DF00DD .text C:\Windows\system32\svchost.exe[1292] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 0142004C .text C:\Windows\system32\svchost.exe[1292] msvcrt.dll!system 76918B63 5 Bytes JMP 01420FC1 .text C:\Windows\system32\svchost.exe[1292] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 0142000C .text C:\Windows\system32\svchost.exe[1292] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 01420FEF .text C:\Windows\system32\svchost.exe[1292] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 01420031 .text C:\Windows\system32\svchost.exe[1292] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 01420FD2 .text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 01410F8D .text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyA 7680B8AE 5 Bytes JMP 01410FAF .text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 01410000 .text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 01410F9E .text 
C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 01410040 .text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 0141001B .text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 01410FE5 .text C:\Windows\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 01410FCA .text C:\Windows\system32\svchost.exe[1292] WS2_32.dll!socket 75F736D1 5 Bytes JMP 00210000 .text C:\Windows\system32\svchost.exe[1292] WinInet.dll!InternetOpenA 76720A4D 5 Bytes JMP 01400FE5 .text C:\Windows\system32\svchost.exe[1292] WinInet.dll!InternetOpenUrlA 76722713 5 Bytes JMP 01400FB9 .text C:\Windows\system32\svchost.exe[1292] WinInet.dll!InternetOpenW 767230C8 5 Bytes JMP 01400FCA .text C:\Windows\system32\svchost.exe[1292] WinInet.dll!InternetOpenUrlW 76778515 5 Bytes JMP 0140000A .text C:\Windows\RtHDVCpl.exe[1476] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 027F2180; RET .text C:\Windows\RtHDVCpl.exe[1476] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 027F26B0; RET .text C:\Windows\RtHDVCpl.exe[1476] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 027F2970; RET .text C:\Windows\RtHDVCpl.exe[1476] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 027F2910; RET .text C:\Windows\RtHDVCpl.exe[1476] WS2_32.dll!send 75F7659B 6 Bytes PUSH 027F3A90; RET .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 00C80F4D .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 00C80F68 .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 00C800DA .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 00C800BF .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 00C80F9E .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 00C80036 
.text C:\Windows\system32\svchost.exe[1540] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 00C80078 .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 00C80FB9 .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 00C80089 .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 00C8005B .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 00C80FCA .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 00C80F83 .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 00C800FF .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 00C80000 .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 00C80FEF .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 00C8001B .text C:\Windows\system32\svchost.exe[1540] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 00C800AE .text C:\Windows\system32\svchost.exe[1540] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 00CA003B .text C:\Windows\system32\svchost.exe[1540] msvcrt.dll!system 76918B63 5 Bytes JMP 00CA0FA6 .text C:\Windows\system32\svchost.exe[1540] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 00CA0FD2 .text C:\Windows\system32\svchost.exe[1540] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 00CA0FE3 .text C:\Windows\system32\svchost.exe[1540] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 00CA0FB7 .text C:\Windows\system32\svchost.exe[1540] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 00CA000C .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 00C90FB9 .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyA 7680B8AE 5 Bytes JMP 00C9004A .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 00C9000A .text 
C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 00C9005B .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 00C90F9E .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 00C90FEF .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 00C90025 .text C:\Windows\system32\svchost.exe[1540] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 00C90FDE .text C:\Windows\system32\svchost.exe[1540] WS2_32.dll!socket 75F736D1 5 Bytes JMP 00C30FE5 .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[1716] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 059A2180; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[1716] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 059A26B0; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[1716] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 059A2970; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[1716] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 059A2910; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[1716] WS2_32.dll!send 75F7659B 6 Bytes PUSH 059A3A90; RET .text C:\Windows\system32\Dwm.exe[1804] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 06F82180; RET .text C:\Windows\system32\Dwm.exe[1804] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 06F826B0; RET .text C:\Windows\system32\Dwm.exe[1804] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 06F82970; RET .text C:\Windows\system32\Dwm.exe[1804] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 06F82910; RET .text C:\Windows\system32\Dwm.exe[1804] WS2_32.dll!send 75F7659B 6 Bytes PUSH 06F83A90; RET .text C:\Windows\Explorer.EXE[1884] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 03FE2180; RET .text C:\Windows\Explorer.EXE[1884] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 03FE26B0; RET .text 
C:\Windows\Explorer.EXE[1884] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 03FE2970; RET .text C:\Windows\Explorer.EXE[1884] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 03FE2910; RET .text C:\Windows\Explorer.EXE[1884] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 02BB0F6B .text C:\Windows\Explorer.EXE[1884] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 02BB00A7 .text C:\Windows\Explorer.EXE[1884] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 02BB0F35 .text C:\Windows\Explorer.EXE[1884] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 02BB00CC .text C:\Windows\Explorer.EXE[1884] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 02BB007B .text C:\Windows\Explorer.EXE[1884] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 02BB0039 .text C:\Windows\Explorer.EXE[1884] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 02BB0F97 .text C:\Windows\Explorer.EXE[1884] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 02BB0054 .text C:\Windows\Explorer.EXE[1884] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 02BB008C .text C:\Windows\Explorer.EXE[1884] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 02BB0FA8 .text C:\Windows\Explorer.EXE[1884] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 02BB0FCD .text C:\Windows\Explorer.EXE[1884] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 02BB0F7C .text C:\Windows\Explorer.EXE[1884] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 02BB0F1A .text C:\Windows\Explorer.EXE[1884] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 02BB0FEF .text C:\Windows\Explorer.EXE[1884] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 02BB0000 .text C:\Windows\Explorer.EXE[1884] kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 02BB0FDE .text C:\Windows\Explorer.EXE[1884] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 02BB0F50 .text C:\Windows\Explorer.EXE[1884] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 031E0058 .text C:\Windows\Explorer.EXE[1884] ADVAPI32.dll!RegCreateKeyA 7680B8AE 5 Bytes JMP 031E0FB6 .text C:\Windows\Explorer.EXE[1884] 
ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 031E0000 .text C:\Windows\Explorer.EXE[1884] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 031E0047 .text C:\Windows\Explorer.EXE[1884] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 031E0FA5 .text C:\Windows\Explorer.EXE[1884] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 031E0011 .text C:\Windows\Explorer.EXE[1884] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 031E0FE5 .text C:\Windows\Explorer.EXE[1884] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 031E0022 .text C:\Windows\Explorer.EXE[1884] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 040E0044 .text C:\Windows\Explorer.EXE[1884] msvcrt.dll!system 76918B63 5 Bytes JMP 040E0FB9 .text C:\Windows\Explorer.EXE[1884] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 040E0FD4 .text C:\Windows\Explorer.EXE[1884] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 040E000C .text C:\Windows\Explorer.EXE[1884] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 040E0029 .text C:\Windows\Explorer.EXE[1884] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 040E0FEF .text C:\Windows\Explorer.EXE[1884] SHELL32.dll!InitNetworkAddressControl + 2939 76A3006C 4 Bytes [50, 26, 00, 10] {PUSH EAX; ADD [ES:EAX], DL} .text C:\Windows\Explorer.EXE[1884] WININET.dll!InternetOpenA 76720A4D 5 Bytes JMP 031D000A .text C:\Windows\Explorer.EXE[1884] WININET.dll!InternetOpenUrlA 76722713 5 Bytes JMP 031D0040 .text C:\Windows\Explorer.EXE[1884] WININET.dll!InternetOpenW 767230C8 5 Bytes JMP 031D0025 .text C:\Windows\Explorer.EXE[1884] WININET.dll!InternetOpenUrlW 76778515 5 Bytes JMP 031D0051 .text C:\Windows\Explorer.EXE[1884] WS2_32.dll!socket 75F736D1 5 Bytes JMP 02820000 .text C:\Windows\Explorer.EXE[1884] WS2_32.dll!send 75F7659B 6 Bytes PUSH 03FE3A90; RET .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 001F009D .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 001F0F57 .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!CreateProcessW 
76631C01 5 Bytes JMP 001F0F32 .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 001F00C9 .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 001F0071 .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 001F0FCD .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 001F0F97 .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 001F0FA8 .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 001F008C .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 001F004A .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 001F0039 .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 001F0F72 .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 001F0F17 .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 001F0014 .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 001F0FEF .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 001F0FDE .text C:\Windows\system32\svchost.exe[1944] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 001F00B8 .text C:\Windows\system32\svchost.exe[1944] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 00260F9A .text C:\Windows\system32\svchost.exe[1944] msvcrt.dll!system 76918B63 5 Bytes JMP 00260025 .text C:\Windows\system32\svchost.exe[1944] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 0026000A .text C:\Windows\system32\svchost.exe[1944] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 00260FEF .text C:\Windows\system32\svchost.exe[1944] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 00260FB5 .text C:\Windows\system32\svchost.exe[1944] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 00260FC6 
.text C:\Windows\system32\svchost.exe[1944] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 0025004E .text C:\Windows\system32\svchost.exe[1944] ADVAPI32.dll!RegCreateKeyA 7680B8AE 5 Bytes JMP 00250FB6 .text C:\Windows\system32\svchost.exe[1944] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 00250000 .text C:\Windows\system32\svchost.exe[1944] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 0025003D .text C:\Windows\system32\svchost.exe[1944] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 0025005F .text C:\Windows\system32\svchost.exe[1944] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 00250FDB .text C:\Windows\system32\svchost.exe[1944] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 00250011 .text C:\Windows\system32\svchost.exe[1944] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 0025002C .text C:\Windows\system32\taskeng.exe[2044] ntdll.dll!NtQueryDirectoryFile 77668658 4 Bytes [68, 80, 21, BA] .text C:\Windows\system32\taskeng.exe[2044] ntdll.dll!NtQueryDirectoryFile + 5 7766865D 1 Byte [C3] .text C:\Windows\system32\taskeng.exe[2044] ntdll.dll!NtResumeThread 77668A58 4 Bytes [68, B0, 26, BA] .text C:\Windows\system32\taskeng.exe[2044] ntdll.dll!NtResumeThread + 5 77668A5D 1 Byte [C3] .text C:\Windows\system32\taskeng.exe[2044] ntdll.dll!NtSetValueKey 77668CF8 4 Bytes [68, 70, 29, BA] .text C:\Windows\system32\taskeng.exe[2044] ntdll.dll!NtSetValueKey + 5 77668CFD 1 Byte [C3] .text C:\Windows\system32\taskeng.exe[2044] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 00BA2910; RET .text C:\Windows\system32\taskeng.exe[2044] WS2_32.dll!send 75F7659B 6 Bytes PUSH 00BA3A90; RET .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[2108] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 01DB2180; RET .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[2108] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 01DB26B0; RET .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[2108] ntdll.dll!NtSetValueKey 77668CF8 6 
Bytes PUSH 01DB2970; RET .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[2108] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 01DB2910; RET .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2136] ntdll.dll!NtQueryDirectoryFile 77668658 4 Bytes [68, 80, 21, 29] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2136] ntdll.dll!NtQueryDirectoryFile + 5 7766865D 1 Byte [C3] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2136] ntdll.dll!NtResumeThread 77668A58 4 Bytes [68, B0, 26, 29] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2136] ntdll.dll!NtResumeThread + 5 77668A5D 1 Byte [C3] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2136] ntdll.dll!NtSetValueKey 77668CF8 4 Bytes [68, 70, 29, 29] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2136] ntdll.dll!NtSetValueKey + 5 77668CFD 1 Byte [C3] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2136] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 00292910; RET .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2336] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2336] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.) 
.text C:\Windows\System32\mobsync.exe[2464] ntdll.dll!NtQueryDirectoryFile 77668658 3 Bytes [68, 80, 21] .text C:\Windows\System32\mobsync.exe[2464] ntdll.dll!NtQueryDirectoryFile + 4 7766865C 2 Bytes [02, C3] {ADD AL, BL} .text C:\Windows\System32\mobsync.exe[2464] ntdll.dll!NtResumeThread 77668A58 3 Bytes [68, B0, 26] .text C:\Windows\System32\mobsync.exe[2464] ntdll.dll!NtResumeThread + 4 77668A5C 2 Bytes [02, C3] {ADD AL, BL} .text C:\Windows\System32\mobsync.exe[2464] ntdll.dll!NtSetValueKey 77668CF8 3 Bytes [68, 70, 29] .text C:\Windows\System32\mobsync.exe[2464] ntdll.dll!NtSetValueKey + 4 77668CFC 2 Bytes [02, C3] {ADD AL, BL} .text C:\Windows\System32\mobsync.exe[2464] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 02002910; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2508] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 01AF2180; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2508] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 01AF26B0; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2508] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 01AF2970; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2508] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 01AF2910; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[2524] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 02B52180; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[2524] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 02B526B0; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[2524] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 02B52970; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[2524] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 02B52910; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[2524] ws2_32.dll!send 75F7659B 6 Bytes PUSH 02B53A90; RET .text C:\Program 
Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[2536] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 01DC2180; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[2536] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 01DC26B0; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[2536] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 01DC2970; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[2536] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 01DC2910; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[2536] WS2_32.dll!send 75F7659B 6 Bytes PUSH 01DC3A90; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[2552] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 023F2180; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[2552] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 023F26B0; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[2552] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 023F2970; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[2552] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 023F2910; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[2552] ws2_32.dll!send 75F7659B 6 Bytes PUSH 023F3A90; RET .text D:\programy\winamp\winampa.exe[2568] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 014D2180; RET .text D:\programy\winamp\winampa.exe[2568] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 014D26B0; RET .text D:\programy\winamp\winampa.exe[2568] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 014D2970; RET .text D:\programy\winamp\winampa.exe[2568] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 014D2910; RET .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2576] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 01BE2180; RET .text C:\Program 
Files\Microsoft Office\Office12\GrooveMonitor.exe[2576] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 01BE26B0; RET .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2576] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 01BE2970; RET .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2576] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 01BE2910; RET .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 00740087 .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 0074006C .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 00740F0B .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 007400A2 .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 00740F6D .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 00740FCA .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 00740047 .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 00740F94 .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 00740F52 .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 0074002C .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 00740FA5 .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 00740F41 .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 00740EF0 .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 00740FE5 .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 00740000 .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!CreateNamedPipeA 766C430E 5 
Bytes JMP 0074001B .text C:\Windows\system32\svchost.exe[3004] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 00740F26 .text C:\Windows\system32\svchost.exe[3004] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 008B0FBE .text C:\Windows\system32\svchost.exe[3004] msvcrt.dll!system 76918B63 5 Bytes JMP 008B0049 .text C:\Windows\system32\svchost.exe[3004] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 008B001D .text C:\Windows\system32\svchost.exe[3004] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 008B0FE3 .text C:\Windows\system32\svchost.exe[3004] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 008B0038 .text C:\Windows\system32\svchost.exe[3004] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 008B0000 .text C:\Windows\system32\svchost.exe[3004] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 008A0047 .text C:\Windows\system32\svchost.exe[3004] ADVAPI32.dll!RegCreateKeyA 7680B8AE 5 Bytes JMP 008A002C .text C:\Windows\system32\svchost.exe[3004] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 008A0000 .text C:\Windows\system32\svchost.exe[3004] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 008A0FA5 .text C:\Windows\system32\svchost.exe[3004] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 008A006C .text C:\Windows\system32\svchost.exe[3004] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 008A0FCA .text C:\Windows\system32\svchost.exe[3004] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 008A0FDB .text C:\Windows\system32\svchost.exe[3004] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 008A001B .text C:\Windows\system32\svchost.exe[3004] WS2_32.dll!socket 75F736D1 5 Bytes JMP 00730FEF .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 0099006F .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 00990F1F .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 009900AC .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 0099009B .text 
C:\Windows\system32\svchost.exe[3180] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 00990F66 .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 00990F9E .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 00990040 .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 00990025 .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 00990F4B .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 00990F83 .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 0099000A .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!CreatePipe 76660284 5 Bytes JMP 00990F3A .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 00990EFA .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 00990FDE .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 00990FEF .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 00990FC3 .text C:\Windows\system32\svchost.exe[3180] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 00990080 .text C:\Windows\system32\svchost.exe[3180] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 009B0FD2 .text C:\Windows\system32\svchost.exe[3180] msvcrt.dll!system 76918B63 5 Bytes JMP 009B0053 .text C:\Windows\system32\svchost.exe[3180] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 009B0FE3 .text C:\Windows\system32\svchost.exe[3180] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 009B0000 .text C:\Windows\system32\svchost.exe[3180] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 009B0038 .text C:\Windows\system32\svchost.exe[3180] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 009B0011 .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 009A0022 .text 
C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!RegCreateKeyA 7680B8AE 5 Bytes JMP 009A0011 .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 009A0FEF .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 009A0F80 .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 009A003D .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 009A0FAF .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 009A0FD4 .text C:\Windows\system32\svchost.exe[3180] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 009A0000 .text C:\Windows\system32\svchost.exe[3180] WS2_32.dll!socket 75F736D1 5 Bytes JMP 008E0000 .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!GetStartupInfoW 76631929 5 Bytes JMP 00060F4B .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!GetStartupInfoA 766319C9 5 Bytes JMP 00060091 .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!CreateProcessW 76631C01 5 Bytes JMP 00060F0B .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!CreateProcessA 76631C36 5 Bytes JMP 000600AC .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!VirtualProtect 76631DD1 5 Bytes JMP 0006006C .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!CreateNamedPipeW 76635C44 5 Bytes JMP 00060036 .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!LoadLibraryExW 766530C3 5 Bytes JMP 0006005B .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!LoadLibraryW 7665361F 5 Bytes JMP 00060FAF .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!VirtualProtectEx 76658D7E 5 Bytes JMP 00060F77 .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!LoadLibraryExA 76659469 5 Bytes JMP 00060F9E .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!LoadLibraryA 76659491 5 Bytes JMP 00060FCA .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!CreatePipe 76660284 5 Bytes 
JMP 00060F66 .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!GetProcAddress 7667B8B6 5 Bytes JMP 00060EFA .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!CreateFileW 7667CC4E 5 Bytes JMP 00060FE5 .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!CreateFileA 7667CF71 5 Bytes JMP 00060000 .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!CreateNamedPipeA 766C430E 5 Bytes JMP 0006001B .text C:\Windows\System32\svchost.exe[3240] kernel32.dll!WinExec 766C54FF 5 Bytes JMP 00060F3A .text C:\Windows\System32\svchost.exe[3240] msvcrt.dll!_wsystem 76918A47 5 Bytes JMP 00080F9A .text C:\Windows\System32\svchost.exe[3240] msvcrt.dll!system 76918B63 5 Bytes JMP 00080FAB .text C:\Windows\System32\svchost.exe[3240] msvcrt.dll!_creat 7691C6F1 5 Bytes JMP 00080FCD .text C:\Windows\System32\svchost.exe[3240] msvcrt.dll!_open 7691DA7E 5 Bytes JMP 00080FEF .text C:\Windows\System32\svchost.exe[3240] msvcrt.dll!_wcreat 7691DC9E 5 Bytes JMP 00080FBC .text C:\Windows\System32\svchost.exe[3240] msvcrt.dll!_wopen 7691DE79 5 Bytes JMP 00080FDE .text C:\Windows\System32\svchost.exe[3240] ADVAPI32.dll!RegCreateKeyExA 7680B5E7 5 Bytes JMP 00070FAF .text C:\Windows\System32\svchost.exe[3240] ADVAPI32.dll!RegCreateKeyA 7680B8AE 5 Bytes JMP 00070FCA .text C:\Windows\System32\svchost.exe[3240] ADVAPI32.dll!RegOpenKeyA 76810BF5 5 Bytes JMP 0007000A .text C:\Windows\System32\svchost.exe[3240] ADVAPI32.dll!RegCreateKeyW 7681B83D 5 Bytes JMP 00070051 .text C:\Windows\System32\svchost.exe[3240] ADVAPI32.dll!RegCreateKeyExW 7681BCE1 5 Bytes JMP 0007006C .text C:\Windows\System32\svchost.exe[3240] ADVAPI32.dll!RegOpenKeyExA 7681D4E8 5 Bytes JMP 00070025 .text C:\Windows\System32\svchost.exe[3240] ADVAPI32.dll!RegOpenKeyW 76823CB0 5 Bytes JMP 00070FE5 .text C:\Windows\System32\svchost.exe[3240] ADVAPI32.dll!RegOpenKeyExW 7682F09D 5 Bytes JMP 00070036 .text C:\Windows\System32\svchost.exe[3240] WS2_32.dll!socket 75F736D1 5 Bytes JMP 00710FEF .text 
C:\Windows\system32\wbem\unsecapp.exe[3252] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 01AC2180; RET .text C:\Windows\system32\wbem\unsecapp.exe[3252] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 01AC26B0; RET .text C:\Windows\system32\wbem\unsecapp.exe[3252] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 01AC2970; RET .text C:\Windows\system32\wbem\unsecapp.exe[3252] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 01AC2910; RET .text C:\Windows\system32\wbem\unsecapp.exe[3252] WS2_32.dll!send 75F7659B 6 Bytes PUSH 01AC3A90; RET .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3488] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 01532180; RET .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3488] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 015326B0; RET .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3488] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 01532970; RET .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3488] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 01532910; RET .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3520] ntdll.dll!NtQueryDirectoryFile 77668658 4 Bytes [68, 80, 21, 15] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3520] ntdll.dll!NtQueryDirectoryFile + 5 7766865D 1 Byte [C3] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3520] ntdll.dll!NtResumeThread 77668A58 4 Bytes [68, B0, 26, 15] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3520] ntdll.dll!NtResumeThread + 5 77668A5D 1 Byte [C3] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3520] ntdll.dll!NtSetValueKey 77668CF8 4 Bytes [68, 70, 29, 15] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3520] ntdll.dll!NtSetValueKey + 5 77668CFD 1 Byte [C3] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3520] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 00152910; RET .text C:\Windows\WindowsMobile\wmdSync.exe[3548] ntdll.dll!NtQueryDirectoryFile 
77668658 6 Bytes PUSH 019D2180; RET .text C:\Windows\WindowsMobile\wmdSync.exe[3548] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 019D26B0; RET .text C:\Windows\WindowsMobile\wmdSync.exe[3548] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 019D2970; RET .text C:\Windows\WindowsMobile\wmdSync.exe[3548] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 019D2910; RET .text C:\Windows\WindowsMobile\wmdSync.exe[3548] WS2_32.dll!send 75F7659B 6 Bytes PUSH 019D3A90; RET .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[4184] ntdll.dll!NtQueryDirectoryFile 77668658 4 Bytes [68, 80, 21, 15] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[4184] ntdll.dll!NtQueryDirectoryFile + 5 7766865D 1 Byte [C3] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[4184] ntdll.dll!NtResumeThread 77668A58 4 Bytes [68, B0, 26, 15] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[4184] ntdll.dll!NtResumeThread + 5 77668A5D 1 Byte [C3] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[4184] ntdll.dll!NtSetValueKey 77668CF8 4 Bytes [68, 70, 29, 15] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[4184] ntdll.dll!NtSetValueKey + 5 77668CFD 1 Byte [C3] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[4184] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 00152910; RET .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[4184] WS2_32.dll!send 75F7659B 6 Bytes PUSH 00153A90; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[4192] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 02912180; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[4192] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 029126B0; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[4192] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 02912970; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[4192] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 02912910; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[4192] WS2_32.dll!send 75F7659B 6 Bytes PUSH 02913A90; RET .text C:\Program Files\uTorrent\uTorrent.exe[4464] ntdll.dll!NtQueryDirectoryFile 
77668658 6 Bytes PUSH 02C32180; RET .text C:\Program Files\uTorrent\uTorrent.exe[4464] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 02C326B0; RET .text C:\Program Files\uTorrent\uTorrent.exe[4464] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 02C32970; RET .text C:\Program Files\uTorrent\uTorrent.exe[4464] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 02C32910; RET .text C:\Program Files\uTorrent\uTorrent.exe[4464] WS2_32.dll!send 75F7659B 6 Bytes PUSH 02C33A90; RET .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[4488] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 02102180; RET .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[4488] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 021026B0; RET .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[4488] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 02102970; RET .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[4488] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 02102910; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4560] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 03402180; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4560] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 034026B0; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4560] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 03402970; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4560] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 03402910; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4560] USER32.dll!IsZoomed + 80 75EE0731 7 Bytes JMP 00085CF0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software) .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4560] USER32.dll!GetClassLongW + 529 75EE1EB5 7 Bytes JMP 00085C60 C:\Program Files\Sony Ericsson\Sony 
Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software) .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4560] USER32.dll!DdeUninitialize + 360 75F002A5 7 Bytes JMP 00085CD0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll (New UI/Avanquest Software) .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[4560] WS2_32.dll!send 75F7659B 6 Bytes PUSH 03403A90; RET .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4812] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 01562180; RET .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4812] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 015626B0; RET .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4812] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 01562970; RET .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4812] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 01562910; RET .text C:\Program Files\Windows Media Player\wmpnscfg.exe[4812] WS2_32.dll!send 75F7659B 6 Bytes PUSH 01563A90; RET .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[4828] ntdll.dll!NtQueryDirectoryFile 77668658 4 Bytes [68, 80, 21, 14] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[4828] ntdll.dll!NtQueryDirectoryFile + 5 7766865D 1 Byte [C3] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[4828] ntdll.dll!NtResumeThread 77668A58 4 Bytes [68, B0, 26, 14] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[4828] ntdll.dll!NtResumeThread + 5 77668A5D 1 Byte [C3] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[4828] ntdll.dll!NtSetValueKey 77668CF8 4 Bytes [68, 70, 29, 14] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[4828] ntdll.dll!NtSetValueKey + 5 77668CFD 1 Byte [C3] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[4828] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 00142910; RET .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[4828] WS2_32.dll!send 75F7659B 6 Bytes PUSH 00143A90; RET .text C:\Program Files\Acer\Acer 
VCM\AcerVCM.exe[4848] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 05182180; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[4848] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 051826B0; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[4848] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 05182970; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[4848] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 05182910; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[4848] WS2_32.dll!send 75F7659B 6 Bytes PUSH 05183A90; RET .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4904] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 01A32180; RET .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4904] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 01A326B0; RET .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4904] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 01A32970; RET .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[4904] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 01A32910; RET .text C:\Windows\system32\conime.exe[5608] ntdll.dll!NtQueryDirectoryFile 77668658 4 Bytes [68, 80, 21, 04] .text C:\Windows\system32\conime.exe[5608] ntdll.dll!NtQueryDirectoryFile + 5 7766865D 1 Byte [C3] .text C:\Windows\system32\conime.exe[5608] ntdll.dll!NtResumeThread 77668A58 4 Bytes [68, B0, 26, 04] .text C:\Windows\system32\conime.exe[5608] ntdll.dll!NtResumeThread + 5 77668A5D 1 Byte [C3] .text C:\Windows\system32\conime.exe[5608] ntdll.dll!NtSetValueKey 77668CF8 4 Bytes [68, 70, 29, 04] .text C:\Windows\system32\conime.exe[5608] ntdll.dll!NtSetValueKey + 5 77668CFD 1 Byte [C3] .text C:\Windows\system32\conime.exe[5608] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 00042910; RET .text c:\PROGRA~1\mcafee\msc\mcuimgr.exe[5784] ntdll.dll!NtQueryDirectoryFile 77668658 6 Bytes PUSH 026B2180; RET .text c:\PROGRA~1\mcafee\msc\mcuimgr.exe[5784] ntdll.dll!NtResumeThread 77668A58 6 Bytes PUSH 026B26B0; RET 
.text c:\PROGRA~1\mcafee\msc\mcuimgr.exe[5784] ntdll.dll!NtSetValueKey 77668CF8 6 Bytes PUSH 026B2970; RET
.text c:\PROGRA~1\mcafee\msc\mcuimgr.exe[5784] ntdll.dll!DbgUiRemoteBreakin 7769D50C 7 Bytes PUSH 026B2910; RET

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [744B8864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [744F9855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [744BB984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [744AFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [744B7A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [744AEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [744EB12D]
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [744BBC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [744B0756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [744B06BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744A71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7453D9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [744D7329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [744AE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1884] 
@ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [744A697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744A69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [744B2475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated) IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001B60] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated) IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B60] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated) IAT C:\Windows\Explorer.EXE[1884] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated) IAT C:\Windows\system32\SearchProtocolHost.exe[5924] @ C:\Windows\system32\ole32.dll [USER32.dll!DialogBoxParamW] [728FDB6B] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation) IAT 
C:\Windows\system32\SearchProtocolHost.exe[5924] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamW] [728FDB6B] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\SearchProtocolHost.exe[5924] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DialogBoxParamW] [728FDB6B] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\SearchProtocolHost.exe[5924] @ C:\Windows\system32\WININET.dll [USER32.dll!DialogBoxParamW] [728FDB6B] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Processes - GMER 2.1 ----

Process (*** hidden *** ) [4] 84541D90

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----