GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-08-27 02:34:45 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3160815AS rev.3.AAD 149,05GB Running: 4uyjruiw.exe; Driver: C:\DOCUME~1\JA\USTAWI~1\Temp\pwtdypod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xA92CA72A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwClose [0xA92CBAC0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xA92C99DA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xA92CA358] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateKey [0xA92CB102] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0xA92CA0EA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xA92CCAC4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0xA92C9384] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xA92CA91E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xA92CAB6E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDuplicateObject [0xA92C916E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xA92CBBD6] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xA92CBDEA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xA92CC4CA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xA92C9CBE] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0xA926D690] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0xA926D7B0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xA92CA550] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xA92CAFF0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0xA926D010] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xA92C9F72] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0xA926D490] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xA92CBF5C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xA92CC210] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryValueKey [0xA92CC08E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xA92CB6E8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xA92CAE14] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xA92CC7CA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xA92CB410] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xA92C9C28] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0xA926D2D0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0xA926D3B0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0xA92C9E5E] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0xA926D110] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0xA926D1F0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0xA926D590] INT 0x62 ? 8A56ABF8 INT 0x73 ? 8A56ABF8 INT 0x82 ? 8A56ABF8 INT 0xA4 ? 8A165BF8 INT 0xA4 ? 8A165BF8 INT 0xA4 ? 8A165BF8 INT 0xA4 ? 8A165BF8 INT 0xA4 ? 8A165BF8 INT 0xA4 ? 8A165BF8 ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!_abnormal_termination + 114 804E26E8 4 Bytes JMP A5A92CA0 .text ntoskrnl.exe!_abnormal_termination + 170 804E2744 4 Bytes [EA, BD, 2C, A9] .text ntoskrnl.exe!_abnormal_termination + 440 804E2A14 12 Bytes [D0, D2, 26, A9, B0, D3, 26, ...] {RCL DL, 0x1; TEST EAX, 0xa926d3b0; POP ESI; SAHF ; SUB AL, 0xa9} ? spfh.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB97DB000, 0x1B601E, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\svchost.exe[168] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[168] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[168] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[168] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[168] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[168] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[168] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[168] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 6B, 00] .text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 6B, 00] .text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[168] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[168] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[168] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[168] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[168] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[168] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[168] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[168] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\Explorer.EXE[744] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Explorer.EXE[744] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\Explorer.EXE[744] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\Explorer.EXE[744] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 8F, 00] .text C:\WINDOWS\Explorer.EXE[744] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 8F, 00] {MOV AL, 0x6b; POP DWORD [EAX]} .text C:\WINDOWS\Explorer.EXE[744] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[744] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[744] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[744] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\Explorer.EXE[744] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\Explorer.EXE[744] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\Explorer.EXE[744] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\Explorer.EXE[744] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\Explorer.EXE[744] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\Explorer.EXE[744] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\Explorer.EXE[744] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\Explorer.EXE[744] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\Explorer.EXE[744] SHELL32.dll!SHFileOperationW 7CA70984 5 Bytes JMP 01CE1102 C:\Program Files\Unlocker\UnlockerHook.dll .text C:\WINDOWS\system32\csrss.exe[752] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 10001970 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\csrss.exe[752] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 10001DF0 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[832] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\services.exe[832] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[832] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\services.exe[832] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\services.exe[832] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\services.exe[832] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\services.exe[832] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\services.exe[832] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\services.exe[832] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\services.exe[832] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\services.exe[832] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\services.exe[832] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [6F, 71] .text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6C, 71] .text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[844] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A2, 71] .text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719A000A .text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7197000A .text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 6B, 00] .text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 6B, 00] .text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718E000A .text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7194000A .text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [90, 71] .text C:\WINDOWS\system32\lsass.exe[844] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\lsass.exe[844] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7176000A .text C:\WINDOWS\system32\lsass.exe[844] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7179000A .text C:\WINDOWS\system32\lsass.exe[844] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7173000A .text C:\WINDOWS\system32\lsass.exe[844] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\lsass.exe[844] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\lsass.exe[844] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7188000A .text C:\WINDOWS\system32\lsass.exe[844] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7185000A .text C:\WINDOWS\system32\Ati2evxx.exe[992] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[992] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[992] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[992] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\Ati2evxx.exe[992] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[992] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\Ati2evxx.exe[992] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[992] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[992] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\Ati2evxx.exe[992] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\Ati2evxx.exe[992] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\Ati2evxx.exe[992] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\Ati2evxx.exe[992] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\Ati2evxx.exe[992] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\Ati2evxx.exe[992] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\Ati2evxx.exe[992] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\Ati2evxx.exe[992] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\Ati2evxx.exe[992] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\Ati2evxx.exe[992] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\Ati2evxx.exe[992] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\Ati2evxx.exe[992] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\Ati2evxx.exe[992] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\Ati2evxx.exe[992] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[992] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[992] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1012] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1012] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1012] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1012] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1012] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1012] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1012] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1012] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1012] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1108] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1108] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1108] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1108] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1108] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1108] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1108] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1108] rpcss.dll!WhichService 76A64234 8 Bytes [80, 4F, 6B, 00, 40, 4D, 6B, ...] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1140] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00403760 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1140] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0044D090 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1180] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1180] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1180] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1180] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1180] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1180] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1180] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1180] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[1236] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\Ati2evxx.exe[1236] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\Ati2evxx.exe[1236] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\Ati2evxx.exe[1236] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\Ati2evxx.exe[1236] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\Ati2evxx.exe[1236] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\Ati2evxx.exe[1236] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\Ati2evxx.exe[1236] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\Ati2evxx.exe[1236] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\Ati2evxx.exe[1236] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[1236] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1324] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1324] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 6B, 00] .text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 6B, 00] .text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1324] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1324] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1324] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1324] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1324] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1324] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1324] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1324] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1324] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 6B, 00] .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 6B, 00] .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1352] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1352] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1352] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1352] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1352] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1352] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1352] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1352] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\spoolsv.exe[1432] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1432] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\spoolsv.exe[1432] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1432] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1432] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1432] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1432] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1432] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\spoolsv.exe[1432] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\spoolsv.exe[1432] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\spoolsv.exe[1432] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\spoolsv.exe[1432] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 93, 00] .text C:\WINDOWS\system32\spoolsv.exe[1432] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 93, 00] .text C:\WINDOWS\system32\spoolsv.exe[1432] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\spoolsv.exe[1432] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\spoolsv.exe[1432] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1432] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\spoolsv.exe[1432] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\spoolsv.exe[1432] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\spoolsv.exe[1432] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\spoolsv.exe[1432] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\spoolsv.exe[1432] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\spoolsv.exe[1432] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\spoolsv.exe[1432] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\spoolsv.exe[1432] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 6B, 00] .text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 6B, 00] .text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1524] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1524] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\svchost.exe[1524] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1524] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1524] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1524] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719E001E .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719B001E .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717A001E .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717D001E .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7177001E .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7183001E .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7186001E .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718C001E .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7189001E .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7192001E .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7198001E .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\AVG\AVG2014\avgnsx.exe[1632] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7180001E .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6E, 71] .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719B001E .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7198001E .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 85, 00] .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 85, 00] {MOV AL, 0x6b; TEST [EAX], EAX} .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718F001E .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7195001E .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717D001E .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7177001E .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717A001E .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7174001E .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7180001E .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7183001E .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7189001E .text C:\Program Files\AVG\AVG2014\avgidsagent.exe[1636] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7186001E .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [6E, 71] .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719B001E .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7198001E .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718F001E .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7195001E .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [92, 71] .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 717D001E .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7177001E .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717A001E .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7174001E .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7180001E .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7183001E .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7189001E .text C:\Program Files\AVG\AVG2014\avgemcx.exe[1652] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7186001E .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719E001E .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719B001E .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 74, 00] .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 74, 00] {MOV AL, 0x6b; JZ 0x4} .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7192001E .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7198001E .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7180001E .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717A001E .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717D001E .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7177001E .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7183001E .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7186001E .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718C001E .text C:\Program Files\AVG\AVG2014\avgwdsvc.exe[1680] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7189001E .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\WINDOWS\system32\CTsvcCDA.exe[1800] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [69, 71] .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [66, 71] .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A2, 71] .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 7199001E .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7196001E .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 03, 01] .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 03, 01] {MOV AL, 0x6b; ADD EAX, [ECX]} .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718D001E .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7193001E .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [90, 71] .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7175001E .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7178001E .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7181001E .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7187001E .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7184001E .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 716F001E .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7172001E .text C:\Program Files\AVG\AVG2014\avgui.exe[2300] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 716C001E .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\Unlocker\UnlockerAssistant.exe[2328] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[2428] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\WINDOWS\System32\alg.exe[2520] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2520] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\alg.exe[2520] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2520] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [6C, 71] .text C:\WINDOWS\System32\alg.exe[2520] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2520] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [69, 71] .text C:\WINDOWS\System32\alg.exe[2520] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2520] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A3, 71] .text C:\WINDOWS\System32\alg.exe[2520] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\alg.exe[2520] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 7197000A .text C:\WINDOWS\System32\alg.exe[2520] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7194000A .text C:\WINDOWS\System32\alg.exe[2520] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7173000A .text C:\WINDOWS\System32\alg.exe[2520] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7176000A .text C:\WINDOWS\System32\alg.exe[2520] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7170000A .text C:\WINDOWS\System32\alg.exe[2520] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717C000A .text C:\WINDOWS\System32\alg.exe[2520] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 717F000A .text C:\WINDOWS\System32\alg.exe[2520] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7185000A .text C:\WINDOWS\System32\alg.exe[2520] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7182000A .text C:\WINDOWS\System32\alg.exe[2520] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 6B, 00] .text C:\WINDOWS\System32\alg.exe[2520] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 6B, 00] .text C:\WINDOWS\System32\alg.exe[2520] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 718B000A .text C:\WINDOWS\System32\alg.exe[2520] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7191000A .text C:\WINDOWS\System32\alg.exe[2520] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[2520] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [8D, 71] .text C:\WINDOWS\System32\alg.exe[2520] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7179000A .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01CD3D20 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 01CBC661 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 01CD3820 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 01CBC750 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 0255E1FF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 01CD43D0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 0255E1AE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10001F4C C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 024FF582 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 024FF55F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] kernel32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 01CD06F3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 0240E5A9 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 024FF4E0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 46, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 46, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[2892] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [20, 6B, 01, 10] .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [B0, 6B, 01, 10] {MOV AL, 0x6b; ADD [EAX], EDX} .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Documents and Settings\JA\Pulpit\4uyjruiw.exe[3008] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3112] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 004011F0 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3112] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00401000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] ADVAPI32.dll!CreateProcessAsUserA 77E00CE8 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [95, 71] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3668] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718A000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3836] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00414FE0 C:\Program Files\COMODO\COMODO Internet Security\cis.exe ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8A5691F8 Device \FileSystem\Fastfat \FatCdrom 88A6A1F8 AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys Device \Driver\usbuhci \Device\USBPDO-0 8A2C91F8 Device \Driver\usbuhci \Device\USBPDO-1 8A2C91F8 Device \Driver\usbuhci \Device\USBPDO-2 8A2C91F8 Device \Driver\usbuhci \Device\USBPDO-3 8A2C91F8 Device \Driver\usbehci \Device\USBPDO-4 8A2B21F8 AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5D61F8 Device \Driver\Cdrom \Device\CdRom0 8A3611F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5D61F8 Device \Driver\Ftdisk \Device\HarddiskVolume3 8A5D61F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 [F7859B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBT_Tcpip_{CB472DC3-5816-4122-A68E-F782409D72A2} 88D74500 Device \Driver\NetBT \Device\NetBt_Wins_Export 88D74500 AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys Device \Driver\usbuhci \Device\USBFDO-0 8A2C91F8 Device \Driver\usbuhci \Device\USBFDO-1 8A2C91F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A339500 Device \Driver\usbuhci \Device\USBFDO-2 8A2C91F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A339500 Device \Driver\usbuhci \Device\USBFDO-3 8A2C91F8 Device \Driver\usbehci \Device\USBFDO-4 8A2B21F8 Device \Driver\Ftdisk \Device\FtControl 8A5D61F8 Device \FileSystem\Fastfat \Fat 88A6A1F8 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys Device \FileSystem\Cdfs \Cdfs 8A2321F8 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys spfh.sys hal.dll >>UNKNOWN [0x8a58a938]<< 8a58a938 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a527ab8] 8a527ab8 Trace 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a54db00] 8a54db00 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x24 0xBD 0xF7 0x50 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x24 0xBD 0xF7 0x50 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----