GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-19 03:58:56 Windows 6.1.7601 Service Pack 1 \Device\Harddisk1\DR1 -> \Device\00000060 SAMSUNG_ rev.CP10 298,09GB Running: 4he72xow.exe; Driver: C:\Temp\uwdiqaog.sys ---- System - GMER 2.1 ---- SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0x8D8C5464] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAlpcConnectPort [0x8D8C3AC2] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAlpcCreatePort [0x8D8C3594] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwAlpcSendWaitReceivePort [0x936EF756] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0x8D8C495E] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwClose [0x936E150E] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwConnectPort [0x8D8C3682] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreateFile [0x8D8CA3A6] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwCreateKey [0x936E1914] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwCreatePort [0x8D8C34A0] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwCreateSection [0x936E92D5] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwCreateThread [0x936E9D64] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwCreateThreadEx [0x936E9DA2] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwCreateUserProcess [0x936E98DA] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwDebugActiveProcess [0x936E8BA8] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwDeleteKey [0x936E096B] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwDeleteValueKey [0x936E0A8F] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwDeviceIoControlFile [0x936EFC17] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwDuplicateObject [0x8D8C3362] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwEnumerateKey [0x936FA327] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwEnumerateValueKey [0x936F9232] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwFreeVirtualMemory [0x936E8DDB] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwFsControlFile [0x936F0603] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwInitiatePowerAction [0x936EE62F] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwLoadDriver [0x936EEF6B] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenFile [0x8D8CA724] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwOpenKey [0x936F942D] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwOpenKeyEx [0x936F9658] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwOpenProcess [0x936E8E28] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwOpenSection [0x936ED5D7] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwOpenThread [0x8D8C28DE] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwProtectVirtualMemory [0x936E80F4] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwQueryKey [0x936F9886] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwQueryValueKey [0x936E12A6] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwQueueApcThread [0x936E7E93] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwRaiseHardError [0x936EE668] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwRenameKey [0x936E1C8D] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwRequestPort [0x8D8C3CE6] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwRequestWaitReplyPort [0x936EF307] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwRestoreKey [0x936E154D] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwResumeThread [0x8D8C3102] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwSecureConnectPort [0x8D8C38A4] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSetContextThread [0x936E8591] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSetSystemInformation [0x936EDB8E] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSetSystemPowerState [0x936EE5F6] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSetSystemTime [0x936EE5B3] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSetValueKey [0x936E0CAA] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwShutdownSystem [0x936EDA6F] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSuspendProcess [0x936E8516] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSuspendThread [0x936E7ED4] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwSystemDebugControl [0x936EDA9E] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwTerminateJobObject [0x936E832C] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwTerminateProcess [0x936E82ED] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwTerminateThread [0x936E8554] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwTestAlert [0x936E9070] SSDT \??\C:\Windows\system32\drivers\OADriver.sys ZwUnloadDriver [0x8D8C454E] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwUnmapViewOfSection [0x936E8D80] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwWriteFile [0x936EEE05] SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwWriteVirtualMemory [0x936E8098] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82A3FA15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A79212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82A80488 4 Bytes [64, 54, 8C, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82A80494 8 Bytes [C2, 3A, 8C, 8D, 94, 35, 8C, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82A804D8 4 Bytes [56, F7, 6E, 93] {PUSH ESI; IMUL DWORD [ESI-0x6d]} .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82A804E8 4 Bytes [5E, 49, 8C, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 116F 82A80504 4 Bytes [0E, 15, 6E, 93] .text ... ---- User code sections - GMER 2.1 ---- .text C:\Windows\notepad.exe[176] ntdll.dll!NtCreateSymbolicLinkObject 77C05748 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[176] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C0574C 2 Bytes [5C, 71] .text C:\Windows\notepad.exe[176] ntdll.dll!NtProtectVirtualMemory 77C05F58 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[176] ntdll.dll!NtProtectVirtualMemory + 4 77C05F5C 2 Bytes [56, 71] .text C:\Windows\notepad.exe[176] ntdll.dll!NtWriteVirtualMemory 77C06AD8 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[176] ntdll.dll!NtWriteVirtualMemory + 4 77C06ADC 2 Bytes [50, 71] .text C:\Windows\notepad.exe[176] kernel32.dll!CreateProcessW 75FB204D 6 Bytes JMP 71A5000A .text C:\Windows\notepad.exe[176] kernel32.dll!CreateProcessA 75FB2082 6 Bytes JMP 71A8000A .text C:\Windows\notepad.exe[176] kernel32.dll!LoadLibraryA 75FFDD15 6 Bytes JMP 7163000A .text C:\Windows\notepad.exe[176] kernel32.dll!LoadLibraryW 75FFEFF2 6 Bytes JMP 7160000A .text C:\Windows\notepad.exe[176] kernel32.dll!WriteProcessMemory 76019657 6 Bytes JMP 7154000A .text C:\Windows\notepad.exe[176] kernel32.dll!VirtualProtectEx 76040269 6 Bytes JMP 715A000A .text C:\Windows\notepad.exe[176] ADVAPI32.dll!CreateServiceW 77B470C4 6 Bytes JMP 7181000A .text C:\Windows\notepad.exe[176] ADVAPI32.dll!CreateServiceA 77B63264 6 Bytes JMP 7184000A .text C:\Windows\notepad.exe[176] ADVAPI32.dll!InitiateSystemShutdownW 77B7DC55 6 Bytes JMP 719C000A .text C:\Windows\notepad.exe[176] ADVAPI32.dll!InitiateSystemShutdownExW 77B7DD22 6 Bytes JMP 7196000A .text C:\Windows\notepad.exe[176] ADVAPI32.dll!InitiateSystemShutdownA 77B7DDF7 6 Bytes JMP 719F000A .text C:\Windows\notepad.exe[176] ADVAPI32.dll!InitiateSystemShutdownExA 77B7DE9E 6 Bytes JMP 7199000A .text C:\Windows\notepad.exe[176] GDI32.dll!DeleteDC 761E6EAA 6 Bytes JMP 7172000A .text C:\Windows\notepad.exe[176] GDI32.dll!BitBlt 761E72C0 6 Bytes JMP 716F000A .text C:\Windows\notepad.exe[176] GDI32.dll!CreateDCA 761ECCA9 6 Bytes JMP 7178000A .text C:\Windows\notepad.exe[176] GDI32.dll!CreateDCW 761ECF79 6 Bytes JMP 7175000A .text C:\Windows\notepad.exe[176] USER32.dll!RegisterHotKey 7785AA19 3 Bytes [FF, 25, 1E] .text C:\Windows\notepad.exe[176] USER32.dll!RegisterHotKey + 4 7785AA1D 2 Bytes [7A, 71] {JP 0x73} .text C:\Windows\notepad.exe[176] USER32.dll!ExitWindowsEx 778A06C7 6 Bytes JMP 71A2000A .text C:\Windows\notepad.exe[176] USER32.dll!DdeClientTransaction 778B323C 6 Bytes JMP 717E000A .text C:\Windows\notepad.exe[176] ole32.dll!CoGetClassObject 779554AD 6 Bytes JMP 7187000A .text C:\Windows\notepad.exe[176] ole32.dll!CoCreateInstance 77969D0B 6 Bytes JMP 718D000A .text C:\Windows\notepad.exe[176] ole32.dll!CoCreateInstanceEx 77969D4E 6 Bytes JMP 718A000A .text C:\Windows\notepad.exe[176] WS2_32.dll!socket 76833EB8 6 Bytes JMP 71AF000A .text C:\Windows\notepad.exe[176] IPHLPAPI.DLL!IcmpSendEcho2Ex 727B843C 6 Bytes JMP 7190000A .text C:\Windows\notepad.exe[176] IPHLPAPI.DLL!IcmpSendEcho2 727B873B 6 Bytes JMP 7193000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] ntdll.dll!NtAcceptConnectPort 77C051E8 3 Bytes [FF, 25, 1E] .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] ntdll.dll!NtAcceptConnectPort + 4 77C051EC 2 Bytes [6B, 71] .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] ntdll.dll!NtCreateSymbolicLinkObject 77C05748 3 Bytes [FF, 25, 1E] .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C0574C 2 Bytes [6E, 71] .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] kernel32.dll!CreateProcessW 75FB204D 6 Bytes JMP 71A5000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] kernel32.dll!CreateProcessA 75FB2082 6 Bytes JMP 71A8000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] kernel32.dll!LoadLibraryA 75FFDD15 6 Bytes JMP 7175000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] kernel32.dll!LoadLibraryW 75FFEFF2 6 Bytes JMP 7172000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] USER32.dll!RegisterHotKey 7785AA19 3 Bytes [FF, 25, 1E] .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] USER32.dll!RegisterHotKey + 4 7785AA1D 2 Bytes [83, 71] .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] USER32.dll!ExitWindowsEx 778A06C7 6 Bytes JMP 71A2000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] USER32.dll!DdeClientTransaction 778B323C 6 Bytes JMP 7187000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] GDI32.dll!DeleteDC 761E6EAA 6 Bytes JMP 717B000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] GDI32.dll!BitBlt 761E72C0 6 Bytes JMP 7178000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] GDI32.dll!CreateDCA 761ECCA9 6 Bytes JMP 7181000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] GDI32.dll!CreateDCW 761ECF79 6 Bytes JMP 717E000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] ADVAPI32.dll!CreateServiceW 77B470C4 6 Bytes JMP 718A000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] ADVAPI32.dll!CreateServiceA 77B63264 6 Bytes JMP 718D000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] ADVAPI32.dll!InitiateSystemShutdownW 77B7DC55 6 Bytes JMP 719C000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] ADVAPI32.dll!InitiateSystemShutdownExW 77B7DD22 6 Bytes JMP 7196000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] ADVAPI32.dll!InitiateSystemShutdownA 77B7DDF7 6 Bytes JMP 719F000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] ADVAPI32.dll!InitiateSystemShutdownExA 77B7DE9E 6 Bytes JMP 7199000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] WS2_32.dll!socket 76833EB8 6 Bytes JMP 71AF000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] IPHLPAPI.DLL!IcmpSendEcho2Ex 727B843C 6 Bytes JMP 7190000A .text E:\Programy\Programy portable\Internet\OperaPortable\OperaPortable.exe[200] IPHLPAPI.DLL!IcmpSendEcho2 727B873B 6 Bytes JMP 7193000A .text C:\Windows\system32\taskhost.exe[2128] ntdll.dll!NtAcceptConnectPort 77C051E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2128] ntdll.dll!NtAcceptConnectPort + 4 77C051EC 2 Bytes [6B, 71] .text C:\Windows\system32\taskhost.exe[2128] ntdll.dll!NtCreateSymbolicLinkObject 77C05748 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2128] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C0574C 2 Bytes [6E, 71] .text C:\Windows\system32\taskhost.exe[2128] kernel32.dll!CreateProcessW 75FB204D 6 Bytes JMP 71A5000A .text C:\Windows\system32\taskhost.exe[2128] kernel32.dll!CreateProcessA 75FB2082 6 Bytes JMP 71A8000A .text C:\Windows\system32\taskhost.exe[2128] kernel32.dll!LoadLibraryA 75FFDD15 6 Bytes JMP 7175000A .text C:\Windows\system32\taskhost.exe[2128] kernel32.dll!LoadLibraryW 75FFEFF2 6 Bytes JMP 7172000A .text C:\Windows\system32\taskhost.exe[2128] GDI32.dll!DeleteDC 761E6EAA 6 Bytes JMP 717B000A .text C:\Windows\system32\taskhost.exe[2128] GDI32.dll!BitBlt 761E72C0 6 Bytes JMP 7178000A .text C:\Windows\system32\taskhost.exe[2128] GDI32.dll!CreateDCA 761ECCA9 6 Bytes JMP 7181000A .text C:\Windows\system32\taskhost.exe[2128] GDI32.dll!CreateDCW 761ECF79 6 Bytes JMP 717E000A .text C:\Windows\system32\taskhost.exe[2128] USER32.dll!RegisterHotKey 7785AA19 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\taskhost.exe[2128] USER32.dll!RegisterHotKey + 4 7785AA1D 2 Bytes [83, 71] .text C:\Windows\system32\taskhost.exe[2128] USER32.dll!ExitWindowsEx 778A06C7 6 Bytes JMP 71A2000A .text C:\Windows\system32\taskhost.exe[2128] USER32.dll!DdeClientTransaction 778B323C 6 Bytes JMP 7187000A .text C:\Windows\system32\taskhost.exe[2128] advapi32.dll!CreateServiceW 77B470C4 6 Bytes JMP 718A000A .text C:\Windows\system32\taskhost.exe[2128] advapi32.dll!CreateServiceA 77B63264 6 Bytes JMP 718D000A .text C:\Windows\system32\taskhost.exe[2128] advapi32.dll!InitiateSystemShutdownW 77B7DC55 6 Bytes JMP 719C000A .text C:\Windows\system32\taskhost.exe[2128] advapi32.dll!InitiateSystemShutdownExW 77B7DD22 6 Bytes JMP 7196000A .text C:\Windows\system32\taskhost.exe[2128] advapi32.dll!InitiateSystemShutdownA 77B7DDF7 6 Bytes JMP 719F000A .text C:\Windows\system32\taskhost.exe[2128] advapi32.dll!InitiateSystemShutdownExA 77B7DE9E 6 Bytes JMP 7199000A .text C:\Windows\system32\taskhost.exe[2128] WS2_32.dll!socket 76833EB8 6 Bytes JMP 71AF000A .text C:\Windows\system32\taskhost.exe[2128] IPHLPAPI.DLL!IcmpSendEcho2Ex 727B843C 6 Bytes JMP 7190000A .text C:\Windows\system32\taskhost.exe[2128] IPHLPAPI.DLL!IcmpSendEcho2 727B873B 6 Bytes JMP 7193000A .text C:\Windows\system32\Dwm.exe[2340] ntdll.dll!NtAcceptConnectPort 77C051E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2340] ntdll.dll!NtAcceptConnectPort + 4 77C051EC 2 Bytes [6B, 71] .text C:\Windows\system32\Dwm.exe[2340] ntdll.dll!NtCreateSymbolicLinkObject 77C05748 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2340] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C0574C 2 Bytes [6E, 71] .text C:\Windows\system32\Dwm.exe[2340] kernel32.dll!CreateProcessW 75FB204D 6 Bytes JMP 71A5000A .text C:\Windows\system32\Dwm.exe[2340] kernel32.dll!CreateProcessA 75FB2082 6 Bytes JMP 71A8000A .text C:\Windows\system32\Dwm.exe[2340] kernel32.dll!LoadLibraryA 75FFDD15 6 Bytes JMP 7175000A .text C:\Windows\system32\Dwm.exe[2340] kernel32.dll!LoadLibraryW 75FFEFF2 6 Bytes JMP 7172000A .text C:\Windows\system32\Dwm.exe[2340] GDI32.dll!DeleteDC 761E6EAA 6 Bytes JMP 717B000A .text C:\Windows\system32\Dwm.exe[2340] GDI32.dll!BitBlt 761E72C0 6 Bytes JMP 7178000A .text C:\Windows\system32\Dwm.exe[2340] GDI32.dll!CreateDCA 761ECCA9 6 Bytes JMP 7181000A .text C:\Windows\system32\Dwm.exe[2340] GDI32.dll!CreateDCW 761ECF79 6 Bytes JMP 717E000A .text C:\Windows\system32\Dwm.exe[2340] USER32.dll!RegisterHotKey 7785AA19 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\Dwm.exe[2340] USER32.dll!RegisterHotKey + 4 7785AA1D 2 Bytes [83, 71] .text C:\Windows\system32\Dwm.exe[2340] USER32.dll!ExitWindowsEx 778A06C7 6 Bytes JMP 71A2000A .text C:\Windows\system32\Dwm.exe[2340] USER32.dll!DdeClientTransaction 778B323C 6 Bytes JMP 7187000A .text C:\Windows\system32\Dwm.exe[2340] ADVAPI32.dll!CreateServiceW 77B470C4 6 Bytes JMP 718A000A .text C:\Windows\system32\Dwm.exe[2340] ADVAPI32.dll!CreateServiceA 77B63264 6 Bytes JMP 718D000A .text C:\Windows\system32\Dwm.exe[2340] ADVAPI32.dll!InitiateSystemShutdownW 77B7DC55 6 Bytes JMP 719C000A .text C:\Windows\system32\Dwm.exe[2340] ADVAPI32.dll!InitiateSystemShutdownExW 77B7DD22 6 Bytes JMP 7196000A .text C:\Windows\system32\Dwm.exe[2340] ADVAPI32.dll!InitiateSystemShutdownA 77B7DDF7 6 Bytes JMP 719F000A .text C:\Windows\system32\Dwm.exe[2340] ADVAPI32.dll!InitiateSystemShutdownExA 77B7DE9E 6 Bytes JMP 7199000A .text C:\Windows\system32\Dwm.exe[2340] WS2_32.dll!socket 76833EB8 6 Bytes JMP 71AF000A .text C:\Windows\system32\Dwm.exe[2340] IPHLPAPI.DLL!IcmpSendEcho2Ex 727B843C 6 Bytes JMP 7190000A .text C:\Windows\system32\Dwm.exe[2340] IPHLPAPI.DLL!IcmpSendEcho2 727B873B 6 Bytes JMP 7193000A .text C:\Windows\Explorer.EXE[2388] ntdll.dll!NtAcceptConnectPort 77C051E8 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2388] ntdll.dll!NtAcceptConnectPort + 4 77C051EC 2 Bytes [6B, 71] .text C:\Windows\Explorer.EXE[2388] ntdll.dll!NtCreateSymbolicLinkObject 77C05748 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2388] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C0574C 2 Bytes [6E, 71] .text C:\Windows\Explorer.EXE[2388] kernel32.dll!CreateProcessW 75FB204D 6 Bytes JMP 04565840 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2388] kernel32.dll!CreateProcessA 75FB2082 6 Bytes JMP 71A8000A .text C:\Windows\Explorer.EXE[2388] kernel32.dll!LoadLibraryA 75FFDD15 6 Bytes JMP 7175000A .text C:\Windows\Explorer.EXE[2388] kernel32.dll!LoadLibraryW 75FFEFF2 6 Bytes JMP 7172000A .text C:\Windows\Explorer.EXE[2388] kernel32.dll!CreateProcessInternalW 76000852 5 Bytes JMP 045640E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2388] kernel32.dll!CreateProcessInternalA 7600C954 5 Bytes JMP 045644E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2388] ADVAPI32.dll!RegSetValueExA 77B31433 5 Bytes JMP 04566FA0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2388] ADVAPI32.dll!RegQueryValueExW 77B3462D 5 Bytes JMP 045653F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2388] ADVAPI32.dll!RegQueryValueExA 77B3486F 5 Bytes JMP 04565030 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2388] ADVAPI32.dll!CreateServiceW 77B470C4 6 Bytes JMP 718A000A .text C:\Windows\Explorer.EXE[2388] ADVAPI32.dll!CreateServiceA 77B63264 6 Bytes JMP 718D000A .text C:\Windows\Explorer.EXE[2388] ADVAPI32.dll!InitiateSystemShutdownW 77B7DC55 6 Bytes JMP 719C000A .text C:\Windows\Explorer.EXE[2388] ADVAPI32.dll!InitiateSystemShutdownExW 77B7DD22 6 Bytes JMP 7196000A .text C:\Windows\Explorer.EXE[2388] ADVAPI32.dll!InitiateSystemShutdownA 77B7DDF7 6 Bytes JMP 719F000A .text C:\Windows\Explorer.EXE[2388] ADVAPI32.dll!InitiateSystemShutdownExA 77B7DE9E 6 Bytes JMP 7199000A .text C:\Windows\Explorer.EXE[2388] GDI32.dll!DeleteDC 761E6EAA 6 Bytes JMP 717B000A .text C:\Windows\Explorer.EXE[2388] GDI32.dll!BitBlt 761E72C0 6 Bytes JMP 7178000A .text C:\Windows\Explorer.EXE[2388] GDI32.dll!CreateDCA 761ECCA9 6 Bytes JMP 7181000A .text C:\Windows\Explorer.EXE[2388] GDI32.dll!CreateDCW 761ECF79 6 Bytes JMP 717E000A .text C:\Windows\Explorer.EXE[2388] USER32.dll!RegisterHotKey 7785AA19 3 Bytes [FF, 25, 1E] .text C:\Windows\Explorer.EXE[2388] USER32.dll!RegisterHotKey + 4 7785AA1D 2 Bytes [83, 71] .text C:\Windows\Explorer.EXE[2388] USER32.dll!ExitWindowsEx 778A06C7 6 Bytes JMP 71A2000A .text C:\Windows\Explorer.EXE[2388] USER32.dll!DdeClientTransaction 778B323C 6 Bytes JMP 7187000A .text C:\Windows\Explorer.EXE[2388] SHLWAPI.dll!SHRegGetUSValueW 7624252D 5 Bytes JMP 04564E90 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2388] SHELL32.dll!PathResolve + 106C 768953CB 5 Bytes JMP 04560790 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2388] SHELL32.dll!ShellExecuteExW 768A1E06 5 Bytes JMP 04563F80 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2388] SHELL32.dll!SHGetItemFromDataObject + 378 768CEBD4 4 Bytes [04, 00, 41, 03] .text C:\Windows\Explorer.EXE[2388] SHELL32.dll!SHEnumerateUnreadMailAccountsW + FF2 76AA534D 5 Bytes JMP 04592E10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\Explorer.EXE[2388] WS2_32.dll!socket 76833EB8 6 Bytes JMP 71AF000A .text C:\Windows\Explorer.EXE[2388] IPHLPAPI.DLL!IcmpSendEcho2Ex 727B843C 6 Bytes JMP 7190000A .text C:\Windows\Explorer.EXE[2388] IPHLPAPI.DLL!IcmpSendEcho2 727B873B 6 Bytes JMP 7193000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] ntdll.dll!NtAcceptConnectPort 77C051E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[2656] ntdll.dll!NtAcceptConnectPort + 4 77C051EC 2 Bytes [6B, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[2656] ntdll.dll!NtCreateProcess 77C056D8 5 Bytes JMP 02DE2DB0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] ntdll.dll!NtCreateProcessEx 77C056E8 5 Bytes JMP 02DE2D20 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] ntdll.dll!NtCreateSymbolicLinkObject 77C05748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[2656] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C0574C 2 Bytes [6E, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!CreateProcessW 75FB204D 6 Bytes JMP 02DE5780 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!CreateProcessA 75FB2082 6 Bytes JMP 02DE56E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!CopyFileW 75FE6C07 5 Bytes JMP 02DE3630 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!CopyFileExW 75FEB348 7 Bytes JMP 02DE3400 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!LoadLibraryExA 75FF4576 5 Bytes JMP 02DE3900 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!LoadLibraryExW 75FF5189 5 Bytes JMP 02DE3A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!MoveFileWithProgressW 75FF8E9C 5 Bytes JMP 02E12CD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!LoadLibraryA 75FFDD15 6 Bytes JMP 02DE36F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!LoadLibraryW 75FFEFF2 6 Bytes JMP 02DE3880 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!CreateProcessInternalW 76000852 5 Bytes JMP 02DE40E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!CreateProcessInternalA 7600C954 5 Bytes JMP 02DE44E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!CopyFileA 76016E12 5 Bytes JMP 02DE34C0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!CopyFileExA 7603D231 5 Bytes JMP 02DE3280 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] kernel32.dll!WinExec + 5 7603F233 6 Bytes JMP 02DE3EC0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] advapi32.DLL!RegSetValueExA 77B31433 5 Bytes JMP 02DE6FA0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] advapi32.DLL!RegQueryValueExW 77B3462D 5 Bytes JMP 02DE53F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] advapi32.DLL!RegQueryValueExA 77B3486F 5 Bytes JMP 02DE5030 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] advapi32.DLL!CreateServiceW 77B470C4 6 Bytes JMP 718A000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] advapi32.DLL!CreateServiceA 77B63264 6 Bytes JMP 718D000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] advapi32.DLL!InitiateSystemShutdownW 77B7DC55 6 Bytes JMP 719C000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] advapi32.DLL!InitiateSystemShutdownExW 77B7DD22 6 Bytes JMP 7196000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] advapi32.DLL!InitiateSystemShutdownA 77B7DDF7 6 Bytes JMP 719F000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] advapi32.DLL!InitiateSystemShutdownExA 77B7DE9E 6 Bytes JMP 7199000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] user32.DLL!RegisterHotKey 7785AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[2656] user32.DLL!RegisterHotKey + 4 7785AA1D 2 Bytes [83, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[2656] user32.DLL!ExitWindowsEx 778A06C7 6 Bytes JMP 71A2000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] user32.DLL!DdeClientTransaction 778B323C 6 Bytes JMP 7187000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] GDI32.dll!DeleteDC 761E6EAA 6 Bytes JMP 717B000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] GDI32.dll!BitBlt 761E72C0 6 Bytes JMP 7178000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] GDI32.dll!CreateDCA 761ECCA9 6 Bytes JMP 7181000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] GDI32.dll!CreateDCW 761ECF79 6 Bytes JMP 717E000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] shlwapi.DLL!SHRegGetUSValueW 7624252D 5 Bytes JMP 02DE4E90 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] ole32.dll!CoGetClassObject 779554AD 5 Bytes JMP 02E12E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] shell32.dll!SHFileOperationW 768D9700 5 Bytes JMP 02E12DF0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] shell32.dll!ShellExecuteEx 76AC767A 5 Bytes JMP 02DE46D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WS2_32.dll!ioctlsocket 76833084 6 Bytes JMP 715A000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WS2_32.dll!sendto 768334B5 6 Bytes JMP 7160000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WS2_32.dll!closesocket 76833918 6 Bytes JMP 02E12B00 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WS2_32.dll!socket 76833EB8 6 Bytes JMP 71AF000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WS2_32.dll!WSASend 76834406 5 Bytes JMP 02DE1650 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WS2_32.dll!select 76836989 6 Bytes JMP 715D000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WS2_32.dll!recv 76836B0E 6 Bytes JMP 02E12AD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WS2_32.dll!connect 76836BDD 6 Bytes JMP 7166000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WS2_32.dll!send 76836F01 5 Bytes JMP 02DE1470 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WS2_32.dll!WSARecv 76837089 6 Bytes JMP 02E12A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WS2_32.dll!WSAGetOverlappedResult 76837489 6 Bytes JMP 02E12A40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WS2_32.dll!WSAAsyncSelect 7684B014 6 Bytes JMP 7157000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] IPHLPAPI.DLL!IcmpSendEcho2Ex 727B843C 6 Bytes JMP 7190000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] IPHLPAPI.DLL!IcmpSendEcho2 727B873B 6 Bytes JMP 7193000A .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WININET.dll!HttpOpenRequestW 765A9A50 5 Bytes JMP 02DE2F70 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WININET.dll!InternetConnectW 765AC8E0 5 Bytes JMP 02DE3010 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WININET.dll!HttpOpenRequestA 7662A450 5 Bytes JMP 02DE2E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WININET.dll!InternetOpenUrlA 76679610 5 Bytes JMP 02DE30B0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2656] WININET.dll!InternetOpenUrlW 7667A0D0 5 Bytes JMP 02DE31E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] ntdll.dll!NtAcceptConnectPort 77C051E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] ntdll.dll!NtAcceptConnectPort + 4 77C051EC 2 Bytes [62, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] ntdll.dll!NtCreateSymbolicLinkObject 77C05748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C0574C 2 Bytes [65, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] kernel32.dll!CreateProcessW 75FB204D 6 Bytes JMP 71A5000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] kernel32.dll!CreateProcessA 75FB2082 6 Bytes JMP 71A8000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] kernel32.dll!LoadLibraryA 75FFDD15 6 Bytes JMP 716C000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] kernel32.dll!LoadLibraryW 75FFEFF2 6 Bytes JMP 7169000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] ADVAPI32.dll!CreateServiceW 77B470C4 6 Bytes JMP 718A000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] ADVAPI32.dll!CreateServiceA 77B63264 6 Bytes JMP 718D000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] ADVAPI32.dll!InitiateSystemShutdownW 77B7DC55 6 Bytes JMP 719C000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] ADVAPI32.dll!InitiateSystemShutdownExW 77B7DD22 6 Bytes JMP 7196000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] ADVAPI32.dll!InitiateSystemShutdownA 77B7DDF7 6 Bytes JMP 719F000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] ADVAPI32.dll!InitiateSystemShutdownExA 77B7DE9E 6 Bytes JMP 7199000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] GDI32.dll!DeleteDC 761E6EAA 6 Bytes JMP 717B000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] GDI32.dll!BitBlt 761E72C0 6 Bytes JMP 7178000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] GDI32.dll!CreateDCA 761ECCA9 6 Bytes JMP 7181000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] GDI32.dll!CreateDCW 761ECF79 6 Bytes JMP 717E000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] USER32.dll!RegisterHotKey 7785AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] USER32.dll!RegisterHotKey + 4 7785AA1D 2 Bytes [83, 71] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] USER32.dll!ExitWindowsEx 778A06C7 6 Bytes JMP 71A2000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] USER32.dll!DdeClientTransaction 778B323C 6 Bytes JMP 7187000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] WS2_32.dll!socket 76833EB8 6 Bytes JMP 71AF000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] IPHLPAPI.DLL!IcmpSendEcho2Ex 727B843C 6 Bytes JMP 7190000A .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2920] IPHLPAPI.DLL!IcmpSendEcho2 727B873B 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] ntdll.dll!NtAcceptConnectPort 77C051E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] ntdll.dll!NtAcceptConnectPort + 4 77C051EC 2 Bytes [6B, 71] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] ntdll.dll!NtCreateSymbolicLinkObject 77C05748 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C0574C 2 Bytes [6E, 71] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] kernel32.dll!CreateProcessW 75FB204D 6 Bytes JMP 71A5000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] kernel32.dll!CreateProcessA 75FB2082 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] kernel32.dll!LoadLibraryA 75FFDD15 6 Bytes JMP 7175000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] kernel32.dll!LoadLibraryW 75FFEFF2 6 Bytes JMP 7172000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] USER32.dll!RegisterHotKey 7785AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] USER32.dll!RegisterHotKey + 4 7785AA1D 2 Bytes [83, 71] .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] USER32.dll!ExitWindowsEx 778A06C7 6 Bytes JMP 71A2000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] USER32.dll!DdeClientTransaction 778B323C 6 Bytes JMP 7187000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] GDI32.dll!DeleteDC 761E6EAA 6 Bytes JMP 717B000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] GDI32.dll!BitBlt 761E72C0 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] GDI32.dll!CreateDCA 761ECCA9 6 Bytes JMP 7181000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] GDI32.dll!CreateDCW 761ECF79 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] ADVAPI32.dll!CreateServiceW 77B470C4 6 Bytes JMP 718A000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] ADVAPI32.dll!CreateServiceA 77B63264 6 Bytes JMP 718D000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] ADVAPI32.dll!InitiateSystemShutdownW 77B7DC55 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] ADVAPI32.dll!InitiateSystemShutdownExW 77B7DD22 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] ADVAPI32.dll!InitiateSystemShutdownA 77B7DDF7 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] ADVAPI32.dll!InitiateSystemShutdownExA 77B7DE9E 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] WS2_32.dll!socket 76833EB8 6 Bytes JMP 71AF000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] IPHLPAPI.DLL!IcmpSendEcho2Ex 727B843C 6 Bytes JMP 7190000A .text C:\Program Files\NVIDIA Corporation\Raid\nvraidservice.exe[2992] IPHLPAPI.DLL!IcmpSendEcho2 727B873B 6 Bytes JMP 7193000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] ntdll.dll!NtAcceptConnectPort 77C051E8 3 Bytes [FF, 25, 1E] .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] ntdll.dll!NtAcceptConnectPort + 4 77C051EC 2 Bytes [6B, 71] .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] ntdll.dll!NtCreateSymbolicLinkObject 77C05748 3 Bytes [FF, 25, 1E] .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C0574C 2 Bytes [6E, 71] .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] kernel32.dll!CreateProcessW 75FB204D 6 Bytes JMP 71A5000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] kernel32.dll!CreateProcessA 75FB2082 6 Bytes JMP 71A8000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] kernel32.dll!LoadLibraryA 75FFDD15 6 Bytes JMP 7175000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] kernel32.dll!LoadLibraryW 75FFEFF2 6 Bytes JMP 7172000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] ADVAPI32.dll!CreateServiceW 77B470C4 6 Bytes JMP 718A000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] ADVAPI32.dll!CreateServiceA 77B63264 6 Bytes JMP 718D000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] ADVAPI32.dll!InitiateSystemShutdownW 77B7DC55 6 Bytes JMP 719C000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] ADVAPI32.dll!InitiateSystemShutdownExW 77B7DD22 6 Bytes JMP 7196000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] ADVAPI32.dll!InitiateSystemShutdownA 77B7DDF7 6 Bytes JMP 719F000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] ADVAPI32.dll!InitiateSystemShutdownExA 77B7DE9E 6 Bytes JMP 7199000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] GDI32.dll!DeleteDC 761E6EAA 6 Bytes JMP 717B000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] GDI32.dll!BitBlt 761E72C0 6 Bytes JMP 7178000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] GDI32.dll!CreateDCA 761ECCA9 6 Bytes JMP 7181000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] GDI32.dll!CreateDCW 761ECF79 6 Bytes JMP 717E000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] USER32.dll!RegisterHotKey 7785AA19 3 Bytes [FF, 25, 1E] .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] USER32.dll!RegisterHotKey + 4 7785AA1D 2 Bytes [83, 71] .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] USER32.dll!ExitWindowsEx 778A06C7 6 Bytes JMP 71A2000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] USER32.dll!DdeClientTransaction 778B323C 6 Bytes JMP 7187000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] WS2_32.dll!ioctlsocket 76833084 6 Bytes JMP 7157000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] WS2_32.dll!sendto 768334B5 6 Bytes JMP 715D000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] WS2_32.dll!closesocket 76833918 6 Bytes JMP 7169000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] WS2_32.dll!socket 76833EB8 6 Bytes JMP 71AF000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] WS2_32.dll!WSASend 76834406 6 Bytes JMP 7148000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] WS2_32.dll!select 76836989 6 Bytes JMP 715A000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] WS2_32.dll!recv 76836B0E 6 Bytes JMP 714F000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] WS2_32.dll!connect 76836BDD 6 Bytes JMP 7166000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] WS2_32.dll!send 76836F01 6 Bytes JMP 7160000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] WS2_32.dll!WSARecv 76837089 6 Bytes JMP 714B000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] WS2_32.dll!WSAGetOverlappedResult 76837489 6 Bytes JMP 7142000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] WS2_32.dll!WSAAsyncSelect 7684B014 6 Bytes JMP 7154000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] IPHLPAPI.DLL!IcmpSendEcho2Ex 727B843C 6 Bytes JMP 7190000A .text c:\program files\kingsoft\kingsoft antivirus\kupdata.exe[3024] IPHLPAPI.DLL!IcmpSendEcho2 727B873B 6 Bytes JMP 7193000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] ntdll.dll!NtAcceptConnectPort 77C051E8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3648] ntdll.dll!NtAcceptConnectPort + 4 77C051EC 2 Bytes [6B, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3648] ntdll.dll!NtCreateProcess 77C056D8 5 Bytes JMP 02752DB0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] ntdll.dll!NtCreateProcessEx 77C056E8 5 Bytes JMP 02752D20 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] ntdll.dll!NtCreateSymbolicLinkObject 77C05748 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3648] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C0574C 2 Bytes [6E, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!CreateProcessW 75FB204D 6 Bytes JMP 02755780 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!CreateProcessA 75FB2082 6 Bytes JMP 027556E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!CopyFileW 75FE6C07 5 Bytes JMP 02753630 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!CopyFileExW 75FEB348 7 Bytes JMP 02753400 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!LoadLibraryExA 75FF4576 5 Bytes JMP 02753900 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!LoadLibraryExW 75FF5189 5 Bytes JMP 02753A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!MoveFileWithProgressW 75FF8E9C 5 Bytes JMP 02782CD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!LoadLibraryA 75FFDD15 6 Bytes JMP 027536F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!LoadLibraryW 75FFEFF2 6 Bytes JMP 02753880 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!CreateProcessInternalW 76000852 5 Bytes JMP 027540E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!CreateProcessInternalA 7600C954 5 Bytes JMP 027544E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!CopyFileA 76016E12 5 Bytes JMP 027534C0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!CopyFileExA 7603D231 5 Bytes JMP 02753280 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] kernel32.dll!WinExec + 5 7603F233 6 Bytes JMP 02753EC0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] advapi32.DLL!RegSetValueExA 77B31433 5 Bytes JMP 02756FA0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] advapi32.DLL!RegQueryValueExW 77B3462D 5 Bytes JMP 027553F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] advapi32.DLL!RegQueryValueExA 77B3486F 5 Bytes JMP 02755030 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] advapi32.DLL!CreateServiceW 77B470C4 6 Bytes JMP 718A000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] advapi32.DLL!CreateServiceA 77B63264 6 Bytes JMP 718D000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] advapi32.DLL!InitiateSystemShutdownW 77B7DC55 6 Bytes JMP 719C000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] advapi32.DLL!InitiateSystemShutdownExW 77B7DD22 6 Bytes JMP 7196000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] advapi32.DLL!InitiateSystemShutdownA 77B7DDF7 6 Bytes JMP 719F000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] advapi32.DLL!InitiateSystemShutdownExA 77B7DE9E 6 Bytes JMP 7199000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] user32.DLL!RegisterHotKey 7785AA19 3 Bytes [FF, 25, 1E] .text C:\Program Files\Internet Explorer\iexplore.exe[3648] user32.DLL!RegisterHotKey + 4 7785AA1D 2 Bytes [83, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[3648] user32.DLL!ExitWindowsEx 778A06C7 6 Bytes JMP 71A2000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] user32.DLL!DdeClientTransaction 778B323C 6 Bytes JMP 7187000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] GDI32.dll!DeleteDC 761E6EAA 6 Bytes JMP 717B000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] GDI32.dll!BitBlt 761E72C0 6 Bytes JMP 7178000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] GDI32.dll!CreateDCA 761ECCA9 6 Bytes JMP 7181000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] GDI32.dll!CreateDCW 761ECF79 6 Bytes JMP 717E000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] shlwapi.DLL!SHRegGetUSValueW 7624252D 5 Bytes JMP 02754E90 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] ole32.dll!CoGetClassObject 779554AD 5 Bytes JMP 02782E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] shell32.dll!SHFileOperationW 768D9700 5 Bytes JMP 02782DF0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] shell32.dll!ShellExecuteEx 76AC767A 5 Bytes JMP 027546D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WS2_32.dll!ioctlsocket 76833084 6 Bytes JMP 715A000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WS2_32.dll!sendto 768334B5 6 Bytes JMP 7160000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WS2_32.dll!closesocket 76833918 6 Bytes JMP 02782B00 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WS2_32.dll!socket 76833EB8 6 Bytes JMP 71AF000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WS2_32.dll!WSASend 76834406 5 Bytes JMP 02751650 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WS2_32.dll!select 76836989 6 Bytes JMP 715D000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WS2_32.dll!recv 76836B0E 6 Bytes JMP 02782AD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WS2_32.dll!connect 76836BDD 6 Bytes JMP 7166000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WS2_32.dll!send 76836F01 5 Bytes JMP 02751470 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WS2_32.dll!WSARecv 76837089 6 Bytes JMP 02782A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WS2_32.dll!WSAGetOverlappedResult 76837489 6 Bytes JMP 02782A40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WS2_32.dll!WSAAsyncSelect 7684B014 6 Bytes JMP 7157000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] IPHLPAPI.DLL!IcmpSendEcho2Ex 727B843C 6 Bytes JMP 7190000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] IPHLPAPI.DLL!IcmpSendEcho2 727B873B 6 Bytes JMP 7193000A .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WININET.dll!HttpOpenRequestW 765A9A50 5 Bytes JMP 02752F70 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WININET.dll!InternetConnectW 765AC8E0 5 Bytes JMP 02753010 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WININET.dll!HttpOpenRequestA 7662A450 5 Bytes JMP 02752E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WININET.dll!InternetOpenUrlA 76679610 5 Bytes JMP 027530B0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3648] WININET.dll!InternetOpenUrlW 7667A0D0 5 Bytes JMP 027531E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text C:\Windows\system32\notepad.exe[3744] ntdll.dll!NtAcceptConnectPort 77C051E8 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[3744] ntdll.dll!NtAcceptConnectPort + 4 77C051EC 2 Bytes [62, 71] .text C:\Windows\system32\notepad.exe[3744] ntdll.dll!NtCreateSymbolicLinkObject 77C05748 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[3744] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C0574C 2 Bytes [65, 71] .text C:\Windows\system32\notepad.exe[3744] kernel32.dll!CreateProcessW 75FB204D 6 Bytes JMP 71A5000A .text C:\Windows\system32\notepad.exe[3744] kernel32.dll!CreateProcessA 75FB2082 6 Bytes JMP 71A8000A .text C:\Windows\system32\notepad.exe[3744] kernel32.dll!LoadLibraryA 75FFDD15 6 Bytes JMP 716C000A .text C:\Windows\system32\notepad.exe[3744] kernel32.dll!LoadLibraryW 75FFEFF2 6 Bytes JMP 7169000A .text C:\Windows\system32\notepad.exe[3744] ADVAPI32.dll!CreateServiceW 77B470C4 6 Bytes JMP 718A000A .text C:\Windows\system32\notepad.exe[3744] ADVAPI32.dll!CreateServiceA 77B63264 6 Bytes JMP 718D000A .text C:\Windows\system32\notepad.exe[3744] ADVAPI32.dll!InitiateSystemShutdownW 77B7DC55 6 Bytes JMP 719C000A .text C:\Windows\system32\notepad.exe[3744] ADVAPI32.dll!InitiateSystemShutdownExW 77B7DD22 6 Bytes JMP 7196000A .text C:\Windows\system32\notepad.exe[3744] ADVAPI32.dll!InitiateSystemShutdownA 77B7DDF7 6 Bytes JMP 719F000A .text C:\Windows\system32\notepad.exe[3744] ADVAPI32.dll!InitiateSystemShutdownExA 77B7DE9E 6 Bytes JMP 7199000A .text C:\Windows\system32\notepad.exe[3744] GDI32.dll!DeleteDC 761E6EAA 6 Bytes JMP 717B000A .text C:\Windows\system32\notepad.exe[3744] GDI32.dll!BitBlt 761E72C0 6 Bytes JMP 7178000A .text C:\Windows\system32\notepad.exe[3744] GDI32.dll!CreateDCA 761ECCA9 6 Bytes JMP 7181000A .text C:\Windows\system32\notepad.exe[3744] GDI32.dll!CreateDCW 761ECF79 6 Bytes JMP 717E000A .text C:\Windows\system32\notepad.exe[3744] USER32.dll!RegisterHotKey 7785AA19 3 Bytes [FF, 25, 1E] .text C:\Windows\system32\notepad.exe[3744] USER32.dll!RegisterHotKey + 4 7785AA1D 2 Bytes [83, 71] .text C:\Windows\system32\notepad.exe[3744] USER32.dll!ExitWindowsEx 778A06C7 6 Bytes JMP 71A2000A .text C:\Windows\system32\notepad.exe[3744] USER32.dll!DdeClientTransaction 778B323C 6 Bytes JMP 7187000A .text C:\Windows\system32\notepad.exe[3744] WS2_32.dll!socket 76833EB8 6 Bytes JMP 71AF000A .text C:\Windows\system32\notepad.exe[3744] IPHLPAPI.DLL!IcmpSendEcho2Ex 727B843C 6 Bytes JMP 7190000A .text C:\Windows\system32\notepad.exe[3744] IPHLPAPI.DLL!IcmpSendEcho2 727B873B 6 Bytes JMP 7193000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] ntdll.dll!NtAcceptConnectPort 77C051E8 3 Bytes [FF, 25, 1E] .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] ntdll.dll!NtAcceptConnectPort + 4 77C051EC 2 Bytes [6B, 71] .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] ntdll.dll!NtCreateProcess 77C056D8 5 Bytes JMP 01F12DB0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] ntdll.dll!NtCreateProcessEx 77C056E8 5 Bytes JMP 01F12D20 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] ntdll.dll!NtCreateSymbolicLinkObject 77C05748 3 Bytes [FF, 25, 1E] .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] ntdll.dll!NtCreateSymbolicLinkObject + 4 77C0574C 2 Bytes [6E, 71] .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!CreateProcessW 75FB204D 6 Bytes JMP 01F15780 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!CreateProcessA 75FB2082 6 Bytes JMP 01F156E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!CopyFileW 75FE6C07 5 Bytes JMP 01F13630 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!CopyFileExW 75FEB348 7 Bytes JMP 01F13400 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!LoadLibraryExA 75FF4576 5 Bytes JMP 01F13900 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!LoadLibraryExW 75FF5189 5 Bytes JMP 01F13A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!LoadLibraryA 75FFDD15 6 Bytes JMP 01F136F0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!CloseHandle 75FFE918 5 Bytes JMP 01F429B0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!CreateFileW 75FFE955 5 Bytes JMP 01F42B20 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!LoadLibraryW 75FFEFF2 6 Bytes JMP 01F13880 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!CreateProcessInternalW 76000852 5 Bytes JMP 01F140E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!CreateProcessInternalA 7600C954 5 Bytes JMP 01F144E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!CopyFileA 76016E12 5 Bytes JMP 01F134C0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!CopyFileExA 7603D231 5 Bytes JMP 01F13280 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] kernel32.dll!WinExec + 5 7603F233 6 Bytes JMP 01F13EC0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] USER32.dll!RegisterHotKey 7785AA19 3 Bytes [FF, 25, 1E] .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] USER32.dll!RegisterHotKey + 4 7785AA1D 2 Bytes [83, 71] .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] USER32.dll!ExitWindowsEx 778A06C7 6 Bytes JMP 71A2000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] USER32.dll!DdeClientTransaction 778B323C 6 Bytes JMP 7187000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] GDI32.dll!DeleteDC 761E6EAA 6 Bytes JMP 717B000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] GDI32.dll!BitBlt 761E72C0 6 Bytes JMP 7178000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] GDI32.dll!CreateDCA 761ECCA9 6 Bytes JMP 7181000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] GDI32.dll!CreateDCW 761ECF79 6 Bytes JMP 717E000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] ADVAPI32.dll!CreateServiceW 77B470C4 6 Bytes JMP 718A000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] ADVAPI32.dll!CreateServiceA 77B63264 6 Bytes JMP 718D000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] ADVAPI32.dll!InitiateSystemShutdownW 77B7DC55 6 Bytes JMP 719C000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] ADVAPI32.dll!InitiateSystemShutdownExW 77B7DD22 6 Bytes JMP 7196000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] ADVAPI32.dll!InitiateSystemShutdownA 77B7DDF7 6 Bytes JMP 719F000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] ADVAPI32.dll!InitiateSystemShutdownExA 77B7DE9E 6 Bytes JMP 7199000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] SHELL32.dll!ShellExecuteEx 76AC767A 5 Bytes JMP 01F146D0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] ole32.dll!CoGetClassObject 779554AD 5 Bytes JMP 01F3E640 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WS2_32.dll!ioctlsocket 76833084 6 Bytes JMP 715A000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WS2_32.dll!sendto 768334B5 6 Bytes JMP 7160000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WS2_32.dll!closesocket 76833918 5 Bytes JMP 01F42B00 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WS2_32.dll!socket 76833EB8 6 Bytes JMP 71AF000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WS2_32.dll!WSASend 76834406 5 Bytes JMP 01F11650 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WS2_32.dll!select 76836989 6 Bytes JMP 715D000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WS2_32.dll!recv 76836B0E 5 Bytes JMP 01F42AD0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WS2_32.dll!connect 76836BDD 6 Bytes JMP 7169000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WS2_32.dll!send 76836F01 5 Bytes JMP 01F11470 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WS2_32.dll!WSARecv 76837089 5 Bytes JMP 01F42A10 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WS2_32.dll!WSAGetOverlappedResult 76837489 5 Bytes JMP 01F42A40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WS2_32.dll!WSAAsyncSelect 7684B014 6 Bytes JMP 7157000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] IPHLPAPI.DLL!IcmpSendEcho2Ex 727B843C 6 Bytes JMP 7190000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] IPHLPAPI.DLL!IcmpSendEcho2 727B873B 6 Bytes JMP 7193000A .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WININET.dll!HttpOpenRequestW 765A9A50 5 Bytes JMP 01F12F70 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WININET.dll!InternetConnectW 765AC8E0 5 Bytes JMP 01F13010 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WININET.dll!HttpOpenRequestA 7662A450 5 Bytes JMP 01F12E40 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WININET.dll!InternetOpenUrlA 76679610 5 Bytes JMP 01F130B0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll .text E:\Programy\Programy portable\Internet\OperaPortable\App\Opera\opera.exe[3896] WININET.dll!InternetOpenUrlW 7667A0D0 5 Bytes JMP 01F131E0 C:\Program Files\kingsoft\kingsoft antivirus\kswebshield.dll ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Ntfs \Ntfs kisknl.sys Device \Driver\tdx \Device\Tcp OAmon.sys Device \Driver\tdx \Device\RawIp6 OAmon.sys Device \Driver\tdx \Device\Tcp6 OAmon.sys Device \Driver\tdx \Device\Tdx OAmon.sys Device \Driver\tdx \Device\Udp OAmon.sys Device \Driver\tdx \Device\RawIp OAmon.sys Device \Driver\tdx \Device\Udp6 OAmon.sys ---- EOF - GMER 2.1 ----