GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-13 22:12:39 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250410AS rev.3.AAE 232,88GB Running: 2cdwdmjv.exe; Driver: C:\DOCUME~1\ANRZEJ~1\USTAWI~1\Temp\awdcraow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB8FC6AC4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xB92E0E92] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xB92550BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB8FC75A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xB900D5A0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xB92E00D8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xB8FD363C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB8FD3688] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xB92E0AC0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB8FD3822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xB900CF54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xB8FD35AA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreatePort [0xB92DF100] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xB8FD36CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB8FD35F2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xB92E3534] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xB8FC7AD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xB8FD37DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB8FC8390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB8FC6B2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xB900DC66] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xB900DF1C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xB8FCBB86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xB900DAD1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xB900D93C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xB8FC6716] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xB92E03B0] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB9255574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB8FC6B90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB8FCBF7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB8FC8E78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xB8FD3666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB8FD36AA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xB92E0CB8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB8FD3846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xB900D2B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xB8FD35D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xB8FCB47E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xB8FD375A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB8FD361A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xB8FCB86A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xB8FD3800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB9255312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xB900D7B7] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xB92E2C80] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xB8FC8CEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xB900D609] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB8FC8842] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB9263358] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xB9263CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xB900C597] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB8FC6BF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB8FC6C5C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xB8FC820A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetInformationProcess [0xB92E1086] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xB92E17CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB8FC67B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB8FC6982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xB900DD6D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB8FC6910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB8FC855A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xB8FC86BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB8FC6A0A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xB8FC8048] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xB8FC81EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xB8FC6CC2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xB8FC75FE] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D14 805045FC 16 Bytes [3C, 36, FD, B8, 88, 36, FD, ...] {CMP AL, 0x36; STD ; MOV EAX, 0xb8fd3688; ROR BYTE [EDX], 0x2e; MOV ECX, 0xb8fd3822} .text ntkrnlpa.exe!ZwCallbackReturn + 2D50 80504638 20 Bytes [CC, 36, FD, B8, F2, 35, FD, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2E50 80504738 16 Bytes [66, 36, FD, B8, AA, 36, FD, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [F6, 6B, FC, B8, 5C, 6C, FC, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [5A, 85, FC, B8, BC, 86, FC, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL B8FC9549 \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9B, 71] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe[124] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7C, 71] {JL 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003C01F8 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003C03FC .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] KERNEL32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] KERNEL32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7189000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, F6, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, F6, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7183000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7186000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7180000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[196] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, BA, 00] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, BA, 00] .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7187000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Comodo\Dragon\dragon_updater.exe[240] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\RTHDCPL.EXE[248] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[248] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\RTHDCPL.EXE[248] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[248] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7E, 71] {JLE 0x73} .text C:\WINDOWS\RTHDCPL.EXE[248] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[248] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7B, 71] {JNP 0x73} .text C:\WINDOWS\RTHDCPL.EXE[248] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[248] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A5, 71] .text C:\WINDOWS\RTHDCPL.EXE[248] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\WINDOWS\RTHDCPL.EXE[248] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[248] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9C, 71] .text C:\WINDOWS\RTHDCPL.EXE[248] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\RTHDCPL.EXE[248] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\RTHDCPL.EXE[248] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718B000A .text C:\WINDOWS\RTHDCPL.EXE[248] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718E000A .text C:\WINDOWS\RTHDCPL.EXE[248] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7191000A .text C:\WINDOWS\RTHDCPL.EXE[248] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7197000A .text C:\WINDOWS\RTHDCPL.EXE[248] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7194000A .text C:\WINDOWS\RTHDCPL.EXE[248] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7185000A .text C:\WINDOWS\RTHDCPL.EXE[248] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7188000A .text C:\WINDOWS\RTHDCPL.EXE[248] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7182000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [76, 71] {JBE 0x73} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [73, 71] {JAE 0x73} .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A3, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 02, 02] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 02, 02] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7183000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717D000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7180000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717A000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7186000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[360] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9B, 71] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[380] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe[456] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, F7, 00] .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, F7, 00] .text C:\Program Files\D-Link\DWA-140 revB\AirNCFG.exe[460] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\notepad.exe[484] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[484] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\notepad.exe[484] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[484] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\notepad.exe[484] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[484] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\notepad.exe[484] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[484] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\notepad.exe[484] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\notepad.exe[484] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[484] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\notepad.exe[484] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\notepad.exe[484] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\notepad.exe[484] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\notepad.exe[484] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\notepad.exe[484] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\notepad.exe[484] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\notepad.exe[484] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\notepad.exe[484] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\ctfmon.exe[496] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[496] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\ctfmon.exe[496] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[496] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\ctfmon.exe[496] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[496] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\ctfmon.exe[496] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[496] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\ctfmon.exe[496] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\ctfmon.exe[496] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[496] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\ctfmon.exe[496] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\ctfmon.exe[496] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\ctfmon.exe[496] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\ctfmon.exe[496] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\ctfmon.exe[496] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\ctfmon.exe[496] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\ctfmon.exe[496] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\ctfmon.exe[496] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9B, 71] .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7184000A .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7187000A .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Documents and Settings\ANRZEJMAKNAB\Dane aplikacji\uTorrent\uTorrent.exe[520] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\CCleaner\CCleaner.exe[540] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\CCleaner\CCleaner.exe[540] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\CCleaner\CCleaner.exe[540] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\CCleaner\CCleaner.exe[540] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\CCleaner\CCleaner.exe[540] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\CCleaner\CCleaner.exe[540] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\CCleaner\CCleaner.exe[540] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\CCleaner\CCleaner.exe[540] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\CCleaner\CCleaner.exe[540] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\CCleaner\CCleaner.exe[540] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\CCleaner\CCleaner.exe[540] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9B, 71] .text C:\Program Files\CCleaner\CCleaner.exe[540] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7184000A .text C:\Program Files\CCleaner\CCleaner.exe[540] USER32.dll!SetScrollInfo 7E369056 5 Bytes JMP 00505F4C C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[540] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717E000A .text C:\Program Files\CCleaner\CCleaner.exe[540] USER32.dll!GetScrollInfo 7E37DFE2 5 Bytes JMP 00505EA8 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[540] USER32.dll!ShowScrollBar 7E37F2F2 5 Bytes JMP 00505EDB C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[540] USER32.dll!GetScrollPos 7E37F704 5 Bytes JMP 00505E83 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[540] USER32.dll!SetScrollPos 7E37F750 5 Bytes JMP 00505E26 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[540] USER32.dll!GetScrollRange 7E37F787 5 Bytes JMP 00505E4B C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[540] USER32.dll!SetScrollRange 7E37F99B 5 Bytes JMP 00505F15 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[540] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7181000A .text C:\Program Files\CCleaner\CCleaner.exe[540] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717B000A .text C:\Program Files\CCleaner\CCleaner.exe[540] USER32.dll!EnableScrollBar 7E3B8005 5 Bytes JMP 00505F80 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[540] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7187000A .text C:\Program Files\CCleaner\CCleaner.exe[540] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Program Files\CCleaner\CCleaner.exe[540] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\Program Files\CCleaner\CCleaner.exe[540] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe[608] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9B, 71] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe[620] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\csrss.exe[752] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\csrss.exe[752] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 10001D70 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\services.exe[824] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[824] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\services.exe[824] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[824] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\services.exe[824] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[824] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\services.exe[824] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[824] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\services.exe[824] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\services.exe[824] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[824] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\services.exe[824] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\services.exe[824] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\services.exe[824] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\services.exe[824] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\services.exe[824] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\services.exe[824] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\services.exe[824] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\services.exe[824] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\services.exe[824] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[828] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00422CC0 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\WINDOWS\system32\lsass.exe[836] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[836] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\lsass.exe[836] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[836] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7B, 71] {JNP 0x73} .text C:\WINDOWS\system32\lsass.exe[836] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[836] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [78, 71] {JS 0x73} .text C:\WINDOWS\system32\lsass.exe[836] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[836] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A2, 71] .text C:\WINDOWS\system32\lsass.exe[836] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\WINDOWS\system32\lsass.exe[836] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[836] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [99, 71] .text C:\WINDOWS\system32\lsass.exe[836] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\system32\lsass.exe[836] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\lsass.exe[836] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7188000A .text C:\WINDOWS\system32\lsass.exe[836] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\lsass.exe[836] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7185000A .text C:\WINDOWS\system32\lsass.exe[836] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\lsass.exe[836] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718B000A .text C:\WINDOWS\system32\lsass.exe[836] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718E000A .text C:\WINDOWS\system32\lsass.exe[836] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7194000A .text C:\WINDOWS\system32\lsass.exe[836] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7191000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\COMODO\launcher_service.exe[1032] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1044] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1044] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1044] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1044] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1044] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1044] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1112] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1112] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1112] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1112] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1112] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1112] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1112] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1112] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1112] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1112] rpcss.dll!WhichService 76A64234 8 Bytes [F0, 32, 01, 10, B0, 30, 01, ...] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1208] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 004035A0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1208] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 004A2C80 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1256] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1256] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1256] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1256] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1256] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1256] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1256] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1256] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1256] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1444] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1444] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1444] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1444] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1444] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1444] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1444] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1444] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1540] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9B, 71] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe[1572] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1576] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1576] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1576] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1576] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1576] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1576] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7C, 71] {JL 0x73} .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A3, 71] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7183000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7186000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7180000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, F7, 00] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, F7, 00] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1672] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7189000A .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1684] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\Explorer.EXE[1772] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1772] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\Explorer.EXE[1772] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1772] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\Explorer.EXE[1772] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1772] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\Explorer.EXE[1772] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1772] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\Explorer.EXE[1772] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Explorer.EXE[1772] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1772] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\Explorer.EXE[1772] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\Explorer.EXE[1772] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\Explorer.EXE[1772] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\Explorer.EXE[1772] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\Explorer.EXE[1772] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[1772] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[1772] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\Explorer.EXE[1772] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\Explorer.EXE[1772] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\Explorer.EXE[1772] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\ANIWConnService.exe[1852] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ANIWConnService.exe[1852] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\ANIWConnService.exe[1852] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ANIWConnService.exe[1852] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\ANIWConnService.exe[1852] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ANIWConnService.exe[1852] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\ANIWConnService.exe[1852] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ANIWConnService.exe[1852] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\ANIWConnService.exe[1852] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\ANIWConnService.exe[1852] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ANIWConnService.exe[1852] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\ANIWConnService.exe[1852] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\system32\ANIWConnService.exe[1852] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\ANIWConnService.exe[1852] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\ANIWConnService.exe[1852] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\ANIWConnService.exe[1852] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\ANIWConnService.exe[1852] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\ANIWConnService.exe[1852] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\ANIWConnService.exe[1852] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\ANIWConnService.exe[1852] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\ANIWConnService.exe[1852] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1884] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\spoolsv.exe[1884] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\spoolsv.exe[1884] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1884] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\spoolsv.exe[1884] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\system32\spoolsv.exe[1884] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\spoolsv.exe[1884] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\spoolsv.exe[1884] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\spoolsv.exe[1884] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\spoolsv.exe[1884] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\spoolsv.exe[1884] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\spoolsv.exe[1884] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\spoolsv.exe[1884] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\spoolsv.exe[1884] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [71, 71] {JNO 0x73} .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A1, 71] .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [98, 71] .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717B000A .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717E000A .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7178000A .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1988] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7181000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE[2028] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[2140] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2140] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[2140] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2140] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\svchost.exe[2140] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2140] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[2140] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2140] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[2140] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[2140] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[2140] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[2140] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\system32\svchost.exe[2140] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\svchost.exe[2140] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[2140] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[2140] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[2140] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[2140] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[2140] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[2140] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[2140] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9B, 71] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2740] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3376] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00401210 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3376] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00401000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\WINDOWS\System32\alg.exe[3384] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3384] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\alg.exe[3384] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3384] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [78, 71] {JS 0x73} .text C:\WINDOWS\System32\alg.exe[3384] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3384] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [75, 71] {JNZ 0x73} .text C:\WINDOWS\System32\alg.exe[3384] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3384] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A3, 71] .text C:\WINDOWS\System32\alg.exe[3384] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\alg.exe[3384] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\alg.exe[3384] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [96, 71] .text C:\WINDOWS\System32\alg.exe[3384] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717F000A .text C:\WINDOWS\System32\alg.exe[3384] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7182000A .text C:\WINDOWS\System32\alg.exe[3384] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717C000A .text C:\WINDOWS\System32\alg.exe[3384] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7188000A .text C:\WINDOWS\System32\alg.exe[3384] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718B000A .text C:\WINDOWS\System32\alg.exe[3384] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7191000A .text C:\WINDOWS\System32\alg.exe[3384] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718E000A .text C:\WINDOWS\System32\alg.exe[3384] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\System32\alg.exe[3384] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\System32\alg.exe[3384] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7185000A .text C:\WINDOWS\system32\notepad.exe[3496] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[3496] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\notepad.exe[3496] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[3496] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\notepad.exe[3496] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[3496] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\notepad.exe[3496] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[3496] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\notepad.exe[3496] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\notepad.exe[3496] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[3496] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\notepad.exe[3496] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\notepad.exe[3496] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\notepad.exe[3496] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\notepad.exe[3496] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\notepad.exe[3496] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\notepad.exe[3496] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\notepad.exe[3496] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\notepad.exe[3496] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\Documents and Settings\ANRZEJMAKNAB\Moje dokumenty\2cdwdmjv.exe[3504] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\wbem\unsecapp.exe[3528] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A1, 71] .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [98, 71] .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7187000A .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718D000A .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7193000A .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7190000A .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Documents and Settings\ANRZEJMAKNAB\Pulpit\FRST.exe[3548] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\Program Files\Opera\26.0.1656.60\opera_crashreporter.exe[3880] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\System32\svchost.exe[3976] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[3976] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\svchost.exe[3976] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[3976] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\System32\svchost.exe[3976] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[3976] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\System32\svchost.exe[3976] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[3976] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\System32\svchost.exe[3976] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\svchost.exe[3976] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[3976] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\System32\svchost.exe[3976] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\System32\svchost.exe[3976] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\System32\svchost.exe[3976] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\System32\svchost.exe[3976] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\System32\svchost.exe[3976] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\System32\svchost.exe[3976] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\System32\svchost.exe[3976] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\System32\svchost.exe[3976] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\System32\svchost.exe[3976] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\System32\svchost.exe[3976] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, A0, 2B, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, A3, 2B, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, A0, 2B, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, A1, 2B, 00] {TEST AL, 0xa1; SUB EAX, [EAX]} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B9101BA .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, A2, 2B, 00] {TEST AL, 0xa2; SUB EAX, [EAX]} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, A1, 2B, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, A2, 2B, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91022B .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, A0, 2B, 00] {TEST AL, 0xa0; SUB EAX, [EAX]} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B910359 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7C, 71] {JL 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, A1, 2B, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, A2, 2B, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, A3, 2B, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 036201F8 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 036203FC .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] KERNEL32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] KERNEL32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7189000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7183000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7186000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7180000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4136] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, C0, 30, 00] {SUB AL, AL; XOR [EAX], AL} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, C3, 30, 00] {SUB BL, AL; XOR [EAX], AL} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, C0, 30, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, C1, 30, 00] {TEST AL, 0xc1; XOR [EAX], AL} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B9106DA .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, C2, 30, 00] {TEST AL, 0xc2; XOR [EAX], AL} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, C1, 30, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, C2, 30, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91074B .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, C0, 30, 00] {TEST AL, 0xc0; XOR [EAX], AL} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B910879 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, C1, 30, 00] {SUB CL, AL; XOR [EAX], AL} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, C2, 30, 00] {SUB DL, AL; XOR [EAX], AL} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, C3, 30, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003F01F8 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4252] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003F03FC .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, A4, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, A7, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, A4, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, A5, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, A6, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, A5, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, A6, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, A4, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7C, 71] {JL 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, A5, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, A6, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, A7, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 037801F8 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 037803FC .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] KERNEL32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] KERNEL32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7189000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7183000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7186000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7180000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4280] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, F4, 16, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, F7, 16, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, F4, 16, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, F5, 16, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ED0E .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, F6, 16, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, F5, 16, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, F6, 16, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED7F .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, F4, 16, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EEAD .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7C, 71] {JL 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, F5, 16, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, F6, 16, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, F7, 16, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003F01F8 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003F03FC .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] KERNEL32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] KERNEL32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7189000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7183000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7186000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7180000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4300] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, E0, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, E3, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, E0, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, E1, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, E2, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, E1, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, E2, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, E0, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7C, 71] {JL 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, E1, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, E2, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, E3, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 037801F8 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 037803FC .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] KERNEL32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] KERNEL32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7189000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7183000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7186000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7180000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4316] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, E0, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, E3, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, E0, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, E1, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, E2, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, E1, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, E2, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, E0, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7C, 71] {JL 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, E1, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, E2, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, E3, 4A, 03] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 037801F8 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 037803FC .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] KERNEL32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] KERNEL32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7189000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7183000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7186000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7180000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[4340] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, EC, 2B, 00] {SUB AH, CH; SUB EAX, [EAX]} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, EF, 2B, 00] {SUB BH, CH; SUB EAX, [EAX]} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, EC, 2B, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, ED, 2B, 00] {TEST AL, 0xed; SUB EAX, [EAX]} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B910206 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, EE, 2B, 00] {TEST AL, 0xee; SUB EAX, [EAX]} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, ED, 2B, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, EE, 2B, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B910277 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, EC, 2B, 00] {TEST AL, 0xec; SUB EAX, [EAX]} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9103A5 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7C, 71] {JL 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [79, 71] {JNS 0x73} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, ED, 2B, 00] {SUB CH, CH; SUB EAX, [EAX]} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, EE, 2B, 00] {SUB DH, CH; SUB EAX, [EAX]} .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, EF, 2B, 00] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 036201F8 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 036203FC .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] KERNEL32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] KERNEL32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7189000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7183000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7186000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7180000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Program Files\Opera\26.0.1656.60\opera.exe[5020] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\notepad.exe[5956] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[5956] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\notepad.exe[5956] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[5956] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\notepad.exe[5956] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[5956] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\notepad.exe[5956] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[5956] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\notepad.exe[5956] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\notepad.exe[5956] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\notepad.exe[5956] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\notepad.exe[5956] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\notepad.exe[5956] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\notepad.exe[5956] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\notepad.exe[5956] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\notepad.exe[5956] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\notepad.exe[5956] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\notepad.exe[5956] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\notepad.exe[5956] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[824] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[824] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\cmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\cmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\cmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----