GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2015-01-23 15:32:22
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JB-00JJA0 rev.05.01C05 74,53GB
Running: m57g1hli.exe; Driver: C:\DOCUME~1\AdamX\USTAWI~1\Temp\kwrirfoc.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xF4BB6E92]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwClose [0xF4BB8530]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xF4BB60D8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateEvent [0xF4BB51AE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateEventPair [0xF4BB5206]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xF4BB6AC0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateKey [0xF4BB7AC6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateMutant [0xF4BB5158]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreatePort [0xF4BB5100]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0xF4BB67DC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSemaphore [0xF4BB5258]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xF4BB9534]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0xF4BB5A82]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xF4BB724C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xF4BB74C2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDuplicateObject [0xF4BB586C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xF4BB8646]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xF4BB885A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xF4BB8F3A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xF4BB63B0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeKey [0xF4BB9806]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeMultipleKeys [0xF4BB8404]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xF4BB6CB8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xF4BB79A8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenProcess [0xF4BB52B0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xF4BB6664]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenThread [0xF4BB55BC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xF4BB89CC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xF4BB8C80]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryValueKey [0xF4BB8AFE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xF4BB80F2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetInformationProcess [0xF4BB7086]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xF4BB77CC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xF4BB923A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xF4BB7DE2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xF4BB6326]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0xF4BB6550]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess [0xF4BB5EB8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0xF4BB5C86]

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!ZwYieldExecution + 102 804E48AC 12 Bytes [AE, 51, BB, F4, 06, 52, BB, ...] {SCASB ; PUSH ECX; MOV EBX, 0xbb5206f4; HLT ; SHR BYTE [EDX-0x45], 0xf4}
.text ntoskrnl.exe!ZwYieldExecution + 13E 804E48E8 16 Bytes [DC, 67, BB, F4, 58, 52, BB, ...] {FSUB QWORD [EDI-0x45]; HLT ; POP EAX; PUSH EDX; MOV EBX, 0xbb9534f4; HLT ; SBB BYTE [EDX-0x45], 0xf4}

---- User code sections - GMER 2.1 ----

.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73}
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73}
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9B, 71]
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A
.text C:\Program Files\TP-LINK\TP-LINK 54M Wireless Client Utility\TWCU.exe[132] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71]
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\Program Files\Nero\Tools\InCD\NBHGui.exe[204] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73}
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71]
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7187000A
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718A000A
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A
.text C:\Program Files\Nero\Tools\InCD\InCD.exe[212] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A
.text C:\aaaa\m57g1hli.exe[504] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\aaaa\m57g1hli.exe[504] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\aaaa\m57g1hli.exe[504] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\aaaa\m57g1hli.exe[504] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\aaaa\m57g1hli.exe[504] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\aaaa\m57g1hli.exe[504] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\aaaa\m57g1hli.exe[504] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\aaaa\m57g1hli.exe[504] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\aaaa\m57g1hli.exe[504] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\aaaa\m57g1hli.exe[504] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\aaaa\m57g1hli.exe[504] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71]
.text C:\aaaa\m57g1hli.exe[504] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\aaaa\m57g1hli.exe[504] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\aaaa\m57g1hli.exe[504] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\aaaa\m57g1hli.exe[504] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\aaaa\m57g1hli.exe[504] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\aaaa\m57g1hli.exe[504] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\aaaa\m57g1hli.exe[504] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\aaaa\m57g1hli.exe[504] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10]
.text C:\aaaa\m57g1hli.exe[504] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10]
.text C:\aaaa\m57g1hli.exe[504] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\csrss.exe[528] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\cmdcsr.dll
.text C:\WINDOWS\system32\csrss.exe[528] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 10001D70 C:\WINDOWS\system32\cmdcsr.dll
.text C:\WINDOWS\system32\services.exe[600] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[600] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\services.exe[600] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[600] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\services.exe[600] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[600] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\services.exe[600] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[600] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[600] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\services.exe[600] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\services.exe[600] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\services.exe[600] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\services.exe[600] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\services.exe[600] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\services.exe[600] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\services.exe[600] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\services.exe[600] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\services.exe[600] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7B, 71] {JNP 0x73}
.text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [78, 71] {JS 0x73}
.text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[612] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A2, 71]
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[612] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [99, 71]
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10]
.text C:\WINDOWS\system32\lsass.exe[612] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10]
.text C:\WINDOWS\system32\lsass.exe[612] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7188000A
.text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7182000A
.text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7185000A
.text C:\WINDOWS\system32\lsass.exe[612] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717F000A
.text C:\WINDOWS\system32\lsass.exe[612] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718B000A
.text C:\WINDOWS\system32\lsass.exe[612] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718E000A
.text C:\WINDOWS\system32\lsass.exe[612] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7194000A
.text C:\WINDOWS\system32\lsass.exe[612] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7191000A
.text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\svchost.exe[780] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\svchost.exe[780] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[780] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\svchost.exe[780] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\svchost.exe[780] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\svchost.exe[780] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\svchost.exe[780] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\svchost.exe[780] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\svchost.exe[780] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\svchost.exe[848] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\svchost.exe[848] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\svchost.exe[848] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\svchost.exe[848] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\svchost.exe[848] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\svchost.exe[848] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\WINDOWS\system32\svchost.exe[848] rpcss.dll!WhichService 76A64234 8 Bytes [F0, 32, 01, 10, B0, 30, 01, ...]
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[880] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 004035A0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[880] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 004A2C80 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
.text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[920] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\svchost.exe[920] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A
.text C:\WINDOWS\system32\svchost.exe[920] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[920] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\svchost.exe[920] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\svchost.exe[920] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\svchost.exe[920] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\svchost.exe[920] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\svchost.exe[920] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\svchost.exe[920] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10]
.text C:\WINDOWS\system32\svchost.exe[1068] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10]
.text C:\WINDOWS\system32\svchost.exe[1068] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\svchost.exe[1068] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\svchost.exe[1068] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\svchost.exe[1068] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\svchost.exe[1068] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71]
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10]
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10]
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\Program Files\Nero\Tools\InCD\InCDSrv.exe[1200] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73}
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9B, 71]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1260] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1268] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1344] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1344] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10]
.text C:\WINDOWS\system32\svchost.exe[1344] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10]
.text C:\WINDOWS\system32\svchost.exe[1344] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\svchost.exe[1344] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\svchost.exe[1344] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\svchost.exe[1344] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\svchost.exe[1344] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\svchost.exe[1344] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71]
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71]
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10]
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10]
.text C:\WINDOWS\system32\svchost.exe[1388] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A
.text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A
.text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A
.text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A
.text C:\WINDOWS\system32\svchost.exe[1388] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A
.text C:\WINDOWS\system32\svchost.exe[1388] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A
.text C:\WINDOWS\system32\svchost.exe[1388] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A
.text C:\WINDOWS\system32\svchost.exe[1388] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A
.text C:\WINDOWS\Explorer.EXE[1400] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1400] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71]
.text C:\WINDOWS\Explorer.EXE[1400] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1400] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71]
.text C:\WINDOWS\Explorer.EXE[1400] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[1400] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE
0x73} .text C:\WINDOWS\Explorer.EXE[1400] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1400] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\Explorer.EXE[1400] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Explorer.EXE[1400] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1400] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71] .text C:\WINDOWS\Explorer.EXE[1400] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\Explorer.EXE[1400] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\Explorer.EXE[1400] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\Explorer.EXE[1400] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\Explorer.EXE[1400] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[1400] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[1400] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\Explorer.EXE[1400] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\Explorer.EXE[1400] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\Explorer.EXE[1400] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\spoolsv.exe[1492] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1492] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\spoolsv.exe[1492] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1492] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\spoolsv.exe[1492] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1492] ntdll.dll!NtReplyWaitReceivePortEx + 4 
7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1492] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1492] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\spoolsv.exe[1492] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\spoolsv.exe[1492] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1492] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71] .text C:\WINDOWS\system32\spoolsv.exe[1492] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\system32\spoolsv.exe[1492] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\spoolsv.exe[1492] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\spoolsv.exe[1492] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\spoolsv.exe[1492] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\spoolsv.exe[1492] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\spoolsv.exe[1492] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\spoolsv.exe[1492] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\spoolsv.exe[1492] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\spoolsv.exe[1492] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\acs.exe[1588] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\acs.exe[1588] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\acs.exe[1588] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\acs.exe[1588] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\acs.exe[1588] 
ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\acs.exe[1588] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\acs.exe[1588] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\acs.exe[1588] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\acs.exe[1588] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\acs.exe[1588] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\acs.exe[1588] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9B, 71] .text C:\WINDOWS\system32\acs.exe[1588] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 96, 00] .text C:\WINDOWS\system32\acs.exe[1588] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 96, 00] .text C:\WINDOWS\system32\acs.exe[1588] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\acs.exe[1588] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\acs.exe[1588] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\acs.exe[1588] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\acs.exe[1588] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\acs.exe[1588] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\acs.exe[1588] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\acs.exe[1588] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1640] 
ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1640] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1640] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1640] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1640] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1640] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1640] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1640] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1640] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1640] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1640] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes 
[AE, 71] .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9B, 71] .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718A000A .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718D000A .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7190000A .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7196000A .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7193000A .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7184000A .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 
7187000A .text C:\Program Files\Java\jre6\bin\jqs.exe[1700] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\mgabg.exe[1736] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\mgabg.exe[1736] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\mgabg.exe[1736] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\mgabg.exe[1736] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\mgabg.exe[1736] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\mgabg.exe[1736] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\mgabg.exe[1736] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\mgabg.exe[1736] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\mgabg.exe[1736] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\mgabg.exe[1736] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\mgabg.exe[1736] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71] .text C:\WINDOWS\system32\mgabg.exe[1736] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\mgabg.exe[1736] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\mgabg.exe[1736] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\mgabg.exe[1736] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\mgabg.exe[1736] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\mgabg.exe[1736] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\mgabg.exe[1736] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\mgabg.exe[1736] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes 
[A0, 4E, 01, 10] .text C:\WINDOWS\system32\mgabg.exe[1736] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\mgabg.exe[1736] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E] .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71] .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\Program 
Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Nero\Tools\InCD\NBHRegInCDSrv.exe[1776] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\HPZipm12.exe[1796] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPZipm12.exe[1796] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\HPZipm12.exe[1796] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPZipm12.exe[1796] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7C, 71] {JL 0x73} .text C:\WINDOWS\system32\HPZipm12.exe[1796] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPZipm12.exe[1796] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [79, 71] {JNS 0x73} .text C:\WINDOWS\system32\HPZipm12.exe[1796] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPZipm12.exe[1796] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A3, 71] .text C:\WINDOWS\system32\HPZipm12.exe[1796] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\HPZipm12.exe[1796] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPZipm12.exe[1796] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9A, 71] .text 
C:\WINDOWS\system32\HPZipm12.exe[1796] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\system32\HPZipm12.exe[1796] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\HPZipm12.exe[1796] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 7189000A .text C:\WINDOWS\system32\HPZipm12.exe[1796] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7183000A .text C:\WINDOWS\system32\HPZipm12.exe[1796] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7186000A .text C:\WINDOWS\system32\HPZipm12.exe[1796] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7180000A .text C:\WINDOWS\system32\HPZipm12.exe[1796] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\WINDOWS\system32\HPZipm12.exe[1796] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\WINDOWS\system32\HPZipm12.exe[1796] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\WINDOWS\system32\HPZipm12.exe[1796] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\WINDOWS\system32\svchost.exe[1828] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1828] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1828] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1828] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\svchost.exe[1828] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1828] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\svchost.exe[1828] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1828] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1828] 
kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1828] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1828] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1828] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1828] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1828] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1828] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1828] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1828] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1828] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1828] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] ntdll.dll!LdrUnloadDll + 4 
7C9171D1 2 Bytes [A7, 71] .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71] .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\PDesk\PDesk.exe[2016] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\RunDll32.exe[2040] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDll32.exe[2040] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\RunDll32.exe[2040] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDll32.exe[2040] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [80, 71] .text C:\WINDOWS\system32\RunDll32.exe[2040] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDll32.exe[2040] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [7D, 71] {JGE 0x73} .text C:\WINDOWS\system32\RunDll32.exe[2040] ntdll.dll!LdrUnloadDll 7C9171CD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDll32.exe[2040] ntdll.dll!LdrUnloadDll + 4 7C9171D1 2 Bytes 
[A7, 71] .text C:\WINDOWS\system32\RunDll32.exe[2040] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\RunDll32.exe[2040] kernel32.dll!CreateProcessInternalW 7C819EA8 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDll32.exe[2040] kernel32.dll!CreateProcessInternalW + 4 7C819EAC 2 Bytes [9E, 71] .text C:\WINDOWS\system32\RunDll32.exe[2040] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\RunDll32.exe[2040] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\RunDll32.exe[2040] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\RunDll32.exe[2040] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\RunDll32.exe[2040] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\RunDll32.exe[2040] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\RunDll32.exe[2040] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\RunDll32.exe[2040] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [A0, 4E, 01, 10] .text C:\WINDOWS\system32\RunDll32.exe[2040] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [30, 4F, 01, 10] .text C:\WINDOWS\system32\RunDll32.exe[2040] Secur32.dll!EncryptMessage 77FEA68D 6 Bytes JMP 718D000A .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2208] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00401210 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2208] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00401000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys AttachedDevice \FileSystem\Fastfat \Fat 
fltmgr.sys AttachedDevice \FileSystem\Fastfat \Fat InCDRec.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Configurations@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Data@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\Mode\Options@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... Reg HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue 0x5C 0x00 0x52 0x00 ... ---- EOF - GMER 2.1 ----