GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-05-13 13:23:27 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-e WDC_WD5003AZEX-00MK2A0 rev.01.01A01 465,76GB Running: 8yqxkpci.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pgtdqpow.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xB46F7F04] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwClose [0xB46F95D6] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xB46F714A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateEvent [0xB46F6220] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateEventPair [0xB46F6278] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xB46F7B32] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateKey [0xB46F8B3A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateMutant [0xB46F61CA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreatePort [0xB46F6172] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0xB46F784E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSemaphore [0xB46F62CA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xB46FA8AC] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0xB46F6AF4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xB46F82BE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xB46F8534] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDuplicateObject [0xB46F68DE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xB46F96EC] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xB46F9900] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xB46FA2B2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xB46F7422] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeKey [0xB46FAB7E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeMultipleKeys [0xB46F94AA] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xB46F7D2A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xB46F8A1C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenProcess [0xB46F6322] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xB46F76D6] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenThread [0xB46F662E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xB46F9A72] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xB46F9D26] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryValueKey [0xB46F9BA4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xB46F9198] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetInformationProcess [0xB46F80F8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xB46F8840] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xB46FA5B2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xB46F8E56] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xB46F7398] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0xB46F75C2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess [0xB46F6F2A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0xB46F6CF8] ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D14 805045FC 12 Bytes [20, 62, 6F, B4, 78, 62, 6F, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2D50 80504638 16 Bytes [4E, 78, 6F, B4, CA, 62, 6F, ...] .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB712C3C0, 0x83E20A, 0xE8000020] ? System32\Drivers\hiber_WMILIB.SYS System nie może odnaleźć określonej ścieżki. ! ? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\System32\svhost.exe[184] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svhost.exe[184] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\svhost.exe[184] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svhost.exe[184] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\System32\svhost.exe[184] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svhost.exe[184] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\System32\svhost.exe[184] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svhost.exe[184] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\System32\svhost.exe[184] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\svhost.exe[184] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svhost.exe[184] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\System32\svhost.exe[184] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svhost.exe[184] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\System32\svhost.exe[184] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\System32\svhost.exe[184] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\System32\svhost.exe[184] user32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\System32\svhost.exe[184] user32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\System32\svhost.exe[184] user32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\System32\svhost.exe[184] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\System32\svhost.exe[184] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\System32\svhost.exe[184] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\System32\svhost.exe[184] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\HPSIsvc.exe[200] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[200] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\HPSIsvc.exe[200] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[200] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\HPSIsvc.exe[200] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[200] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\HPSIsvc.exe[200] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[200] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\HPSIsvc.exe[200] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\HPSIsvc.exe[200] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[200] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\HPSIsvc.exe[200] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\HPSIsvc.exe[200] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\HPSIsvc.exe[200] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\HPSIsvc.exe[200] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\HPSIsvc.exe[200] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\WINDOWS\system32\HPSIsvc.exe[200] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\WINDOWS\system32\HPSIsvc.exe[200] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\HPSIsvc.exe[200] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\HPSIsvc.exe[200] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\HPSIsvc.exe[200] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\HPSIsvc.exe[200] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\HPSIsvc.exe[200] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\HPSIsvc.exe[200] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\srvany.exe[232] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\srvany.exe[232] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\srvany.exe[232] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\srvany.exe[232] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\srvany.exe[232] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\srvany.exe[232] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\srvany.exe[232] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\srvany.exe[232] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\srvany.exe[232] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\srvany.exe[232] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\srvany.exe[232] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\srvany.exe[232] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\srvany.exe[232] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\srvany.exe[232] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\srvany.exe[232] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\srvany.exe[232] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\srvany.exe[232] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\srvany.exe[232] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\srvany.exe[232] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\srvany.exe[232] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\srvany.exe[232] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\srvany.exe[232] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\srvany.exe[232] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\WINDOWS\system32\srvany.exe[232] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\WINDOWS\KMService.exe[272] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\KMService.exe[272] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\KMService.exe[272] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\KMService.exe[272] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\KMService.exe[272] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\KMService.exe[272] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\KMService.exe[272] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\KMService.exe[272] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\KMService.exe[272] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\KMService.exe[272] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\KMService.exe[272] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\KMService.exe[272] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\KMService.exe[272] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\KMService.exe[272] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\KMService.exe[272] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\KMService.exe[272] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\KMService.exe[272] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\KMService.exe[272] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\KMService.exe[272] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\KMService.exe[272] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\KMService.exe[272] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\KMService.exe[272] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [73, 71] {JAE 0x73} .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [70, 71] {JO 0x73} .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [97, 71] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [82, 71] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7180000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7186000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717A000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717D000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7177000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7189000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718C000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7192000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 718F000A .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[280] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\WINDOWS\system32\nvsvc32.exe[544] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[544] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\nvsvc32.exe[544] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[544] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\nvsvc32.exe[544] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[544] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\nvsvc32.exe[544] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[544] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\nvsvc32.exe[544] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\nvsvc32.exe[544] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[544] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\nvsvc32.exe[544] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\nvsvc32.exe[544] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\nvsvc32.exe[544] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\nvsvc32.exe[544] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\nvsvc32.exe[544] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\WINDOWS\system32\nvsvc32.exe[544] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\WINDOWS\system32\nvsvc32.exe[544] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\nvsvc32.exe[544] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\nvsvc32.exe[544] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\nvsvc32.exe[544] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\nvsvc32.exe[544] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\nvsvc32.exe[544] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\nvsvc32.exe[544] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[880] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[880] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[880] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[880] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[880] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[880] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\csrss.exe[884] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 100018F0 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\csrss.exe[884] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 10001D70 C:\WINDOWS\system32\cmdcsr.dll .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [76, 71] {JBE 0x73} .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [73, 71] {JAE 0x73} .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [85, 71] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7183000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7189000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717D000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7180000A .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\FluxSoftware\Flux\flux.exe[976] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717A000A .text C:\WINDOWS\Explorer.EXE[1000] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1000] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\Explorer.EXE[1000] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1000] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\Explorer.EXE[1000] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1000] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\Explorer.EXE[1000] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1000] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\Explorer.EXE[1000] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Explorer.EXE[1000] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1000] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\Explorer.EXE[1000] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1000] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\Explorer.EXE[1000] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\Explorer.EXE[1000] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\Explorer.EXE[1000] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\WINDOWS\Explorer.EXE[1000] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\WINDOWS\Explorer.EXE[1000] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\Explorer.EXE[1000] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[1000] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[1000] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\Explorer.EXE[1000] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\Explorer.EXE[1000] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\Explorer.EXE[1000] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\ctfmon.exe[1076] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[1076] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\ctfmon.exe[1076] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[1076] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\ctfmon.exe[1076] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[1076] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\ctfmon.exe[1076] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[1076] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\ctfmon.exe[1076] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\ctfmon.exe[1076] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[1076] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\ctfmon.exe[1076] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[1076] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\ctfmon.exe[1076] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\ctfmon.exe[1076] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\ctfmon.exe[1076] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\ctfmon.exe[1076] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\ctfmon.exe[1076] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\ctfmon.exe[1076] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\ctfmon.exe[1076] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\ctfmon.exe[1076] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\ctfmon.exe[1076] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1124] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\services.exe[1124] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\services.exe[1124] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\services.exe[1124] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\services.exe[1124] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\services.exe[1124] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\services.exe[1124] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\services.exe[1124] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\services.exe[1124] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\services.exe[1124] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [75, 71] {JNZ 0x73} .text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [72, 71] {JB 0x73} .text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1160] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A2, 71] .text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [99, 71] .text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [84, 71] .text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\lsass.exe[1160] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7188000A .text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\WINDOWS\system32\lsass.exe[1160] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\WINDOWS\system32\lsass.exe[1160] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\lsass.exe[1160] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\lsass.exe[1160] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7179000A .text C:\WINDOWS\system32\lsass.exe[1160] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718B000A .text C:\WINDOWS\system32\lsass.exe[1160] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718E000A .text C:\WINDOWS\system32\lsass.exe[1160] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7194000A .text C:\WINDOWS\system32\lsass.exe[1160] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7191000A .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1364] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1364] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1364] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1364] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1364] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1364] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1364] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1364] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1364] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1444] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1444] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1444] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1444] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1444] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1444] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1444] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1444] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1472] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1472] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1472] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1472] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1472] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1472] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1472] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1472] rpcss.dll!WhichService 76A64234 8 Bytes [50, 94, 01, 10, 10, 92, 01, ...] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1568] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 0040E810 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1568] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 004B8C30 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1568] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 004B8B40 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1628] RPCRT4.dll!RpcServerRegisterIfEx 77E8CE4B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1628] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1628] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1628] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1628] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1628] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1628] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1628] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1776] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1776] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1776] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1776] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1776] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1776] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1776] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1776] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1776] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1776] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1776] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[1948] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\spoolsv.exe[2008] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[2008] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\system32\spoolsv.exe[2008] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[2008] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\system32\spoolsv.exe[2008] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[2008] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\spoolsv.exe[2008] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[2008] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\system32\spoolsv.exe[2008] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\spoolsv.exe[2008] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[2008] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\system32\spoolsv.exe[2008] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[2008] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\system32\spoolsv.exe[2008] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\spoolsv.exe[2008] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\spoolsv.exe[2008] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\WINDOWS\system32\spoolsv.exe[2008] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\WINDOWS\system32\spoolsv.exe[2008] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\spoolsv.exe[2008] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\spoolsv.exe[2008] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\spoolsv.exe[2008] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\spoolsv.exe[2008] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\spoolsv.exe[2008] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\spoolsv.exe[2008] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\System32\svchost.exe[2408] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[2408] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\WINDOWS\System32\svchost.exe[2408] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[2408] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\WINDOWS\System32\svchost.exe[2408] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[2408] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\System32\svchost.exe[2408] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[2408] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\WINDOWS\System32\svchost.exe[2408] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\WINDOWS\System32\svchost.exe[2408] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\WINDOWS\System32\svchost.exe[2408] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\WINDOWS\System32\svchost.exe[2408] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\WINDOWS\System32\svchost.exe[2408] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\WINDOWS\System32\svchost.exe[2408] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\WINDOWS\System32\svchost.exe[2408] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\WINDOWS\System32\svchost.exe[2408] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\WINDOWS\System32\svchost.exe[2408] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[2672] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00431210 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text E:\FF Download\8yqxkpci.exe[2760] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text E:\FF Download\8yqxkpci.exe[2760] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text E:\FF Download\8yqxkpci.exe[2760] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text E:\FF Download\8yqxkpci.exe[2760] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text E:\FF Download\8yqxkpci.exe[2760] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text E:\FF Download\8yqxkpci.exe[2760] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text E:\FF Download\8yqxkpci.exe[2760] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text E:\FF Download\8yqxkpci.exe[2760] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text E:\FF Download\8yqxkpci.exe[2760] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text E:\FF Download\8yqxkpci.exe[2760] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text E:\FF Download\8yqxkpci.exe[2760] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text E:\FF Download\8yqxkpci.exe[2760] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text E:\FF Download\8yqxkpci.exe[2760] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text E:\FF Download\8yqxkpci.exe[2760] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text E:\FF Download\8yqxkpci.exe[2760] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text E:\FF Download\8yqxkpci.exe[2760] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text E:\FF Download\8yqxkpci.exe[2760] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text E:\FF Download\8yqxkpci.exe[2760] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text E:\FF Download\8yqxkpci.exe[2760] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text E:\FF Download\8yqxkpci.exe[2760] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text E:\FF Download\8yqxkpci.exe[2760] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text E:\FF Download\8yqxkpci.exe[2760] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text E:\FF Download\8yqxkpci.exe[2760] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text E:\FF Download\8yqxkpci.exe[2760] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [76, 71] {JBE 0x73} .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [73, 71] {JAE 0x73} .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A3, 71] .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9A, 71] .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [85, 71] .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7183000A .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7189000A .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718C000A .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718F000A .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7195000A .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7192000A .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717D000A .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7180000A .text C:\Documents and Settings\Administrator\Pulpit\Ping\2014\Katalog 2-50k 2014\PingMaster.exe[2772] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717A000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 5 Bytes JMP 390085A4 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE[3076] ole32.dll!OleLoadFromStream 7751988B 5 Bytes JMP 395E940D C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll .text C:\Programy_\AIMP3\AIMP3.exe[3292] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Programy_\AIMP3\AIMP3.exe[3292] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Programy_\AIMP3\AIMP3.exe[3292] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Programy_\AIMP3\AIMP3.exe[3292] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [78, 71] {JS 0x73} .text C:\Programy_\AIMP3\AIMP3.exe[3292] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Programy_\AIMP3\AIMP3.exe[3292] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [75, 71] {JNZ 0x73} .text C:\Programy_\AIMP3\AIMP3.exe[3292] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Programy_\AIMP3\AIMP3.exe[3292] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A5, 71] .text C:\Programy_\AIMP3\AIMP3.exe[3292] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\Programy_\AIMP3\AIMP3.exe[3292] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Programy_\AIMP3\AIMP3.exe[3292] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9C, 71] .text C:\Programy_\AIMP3\AIMP3.exe[3292] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Programy_\AIMP3\AIMP3.exe[3292] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [87, 71] .text C:\Programy_\AIMP3\AIMP3.exe[3292] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7185000A .text C:\Programy_\AIMP3\AIMP3.exe[3292] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718B000A .text C:\Programy_\AIMP3\AIMP3.exe[3292] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, A4, 01] .text C:\Programy_\AIMP3\AIMP3.exe[3292] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, A4, 01] .text C:\Programy_\AIMP3\AIMP3.exe[3292] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718E000A .text C:\Programy_\AIMP3\AIMP3.exe[3292] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7191000A .text C:\Programy_\AIMP3\AIMP3.exe[3292] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7197000A .text C:\Programy_\AIMP3\AIMP3.exe[3292] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7194000A .text C:\Programy_\AIMP3\AIMP3.exe[3292] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717F000A .text C:\Programy_\AIMP3\AIMP3.exe[3292] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7182000A .text C:\Programy_\AIMP3\AIMP3.exe[3292] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717C000A .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[3420] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00431210 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 5 Bytes JMP 390085A4 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\Programy_\Microsoft Office\Office14\WINWORD.EXE[3560] ole32.dll!OleLoadFromStream 7751988B 5 Bytes JMP 395E940D C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll .text C:\Programy\notatnik++\notepad++.exe[3612] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Programy\notatnik++\notepad++.exe[3612] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Programy\notatnik++\notepad++.exe[3612] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Programy\notatnik++\notepad++.exe[3612] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Programy\notatnik++\notepad++.exe[3612] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Programy\notatnik++\notepad++.exe[3612] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Programy\notatnik++\notepad++.exe[3612] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Programy\notatnik++\notepad++.exe[3612] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Programy\notatnik++\notepad++.exe[3612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Programy\notatnik++\notepad++.exe[3612] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Programy\notatnik++\notepad++.exe[3612] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Programy\notatnik++\notepad++.exe[3612] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Programy\notatnik++\notepad++.exe[3612] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Programy\notatnik++\notepad++.exe[3612] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Programy\notatnik++\notepad++.exe[3612] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Programy\notatnik++\notepad++.exe[3612] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\Programy\notatnik++\notepad++.exe[3612] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\Programy\notatnik++\notepad++.exe[3612] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Programy\notatnik++\notepad++.exe[3612] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Programy\notatnik++\notepad++.exe[3612] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Programy\notatnik++\notepad++.exe[3612] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Programy\notatnik++\notepad++.exe[3612] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Programy\notatnik++\notepad++.exe[3612] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Programy\notatnik++\notepad++.exe[3612] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 037B1980 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 020D8F43 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] USER32.dll!SetWindowLongA + 19 7E37C2B6 7 Bytes JMP 020D901B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 020DB0B0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 01355579 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] USER32.dll!CreateWindowExA 7E37E4A9 5 Bytes JMP 01710EF6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3836] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 020D973C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3864] ntdll.dll!NtAllocateVirtualMemory 7C90CF6E 5 Bytes JMP 00402910 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3864] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 004026C0 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3864] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 004025D0 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [7A, 71] {JP 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 00BF1980 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A7, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01CB5634 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01CB49A0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [9E, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [89, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] kernel32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 01A0AAFA C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 028A23AB C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 019E5579 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] USER32.dll!CreateWindowExA 7E37E4A9 5 Bytes JMP 01DA0EF6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 717E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7190000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01CB4289 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7196000A .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\Program Files\Mozilla Firefox\firefox.exe[4912] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] ntdll.dll!NtClose 7C90CFEE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] ntdll.dll!NtClose + 4 7C90CFF2 2 Bytes [AE, 71] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA92 2 Bytes [75, 71] {JNZ 0x73} .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DAA2 2 Bytes [72, 71] {JB 0x73} .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] ntdll.dll!LdrUnloadDll 7C916AD5 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] ntdll.dll!LdrUnloadDll + 4 7C916AD9 2 Bytes [A2, 71] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] kernel32.dll!CreateProcessInternalW 7C8185EC 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] kernel32.dll!CreateProcessInternalW + 4 7C8185F0 2 Bytes [99, 71] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] kernel32.dll!MoveFileWithProgressW 7C81E786 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] kernel32.dll!MoveFileWithProgressW + 4 7C81E78A 2 Bytes [84, 71] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] kernel32.dll!CopyFileExW 7C826B8A 6 Bytes JMP 7182000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] kernel32.dll!MoveFileWithProgressA 7C835F4E 6 Bytes JMP 7188000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] ADVAPI32.dll!LsaClose + 51C 77DD2410 4 Bytes [F0, B0, 01, 10] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] ADVAPI32.dll!LsaClose + 524 77DD2418 4 Bytes [80, B1, 01, 10] .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] USER32.dll!SetWindowsHookExW 7E37820F 6 Bytes JMP 717C000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] USER32.dll!SetWindowsHookExA 7E381211 6 Bytes JMP 717F000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] USER32.dll!SetWinEventHook 7E3817F7 6 Bytes JMP 7179000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 718B000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] GDI32.dll!GetPixel 77F1B74C 6 Bytes JMP 718E000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 7194000A .text C:\Documents and Settings\Administrator\Pulpit\Programy\procexp.exe[5704] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 7191000A ---- User IAT/EAT - GMER 2.2 ---- IAT C:\WINDOWS\system32\svchost.exe[880] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [66044728] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\Explorer.EXE[1000] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryExA] [66044722] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\Explorer.EXE[1000] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryA] [66044728] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\Explorer.EXE[1000] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryW] [6604477F] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\Explorer.EXE[1000] @ C:\WINDOWS\Explorer.EXE [USER32.dll!SetWindowPlacement] [66603F0E] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll IAT C:\WINDOWS\Explorer.EXE[1000] @ C:\WINDOWS\Explorer.EXE [USER32.dll!MoveWindow] [66603F52] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll IAT C:\WINDOWS\Explorer.EXE[1000] @ C:\WINDOWS\Explorer.EXE [USER32.dll!GetWindowPlacement] [66603F30] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll IAT C:\WINDOWS\Explorer.EXE[1000] @ C:\WINDOWS\Explorer.EXE [USER32.dll!LoadImageW] [660436C6] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\Explorer.EXE[1000] @ C:\WINDOWS\Explorer.EXE [USER32.dll!SendMessageW] [66044891] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\Explorer.EXE[1000] @ C:\WINDOWS\Explorer.EXE [USER32.dll!TrackPopupMenuEx] [66044845] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\Explorer.EXE[1000] @ C:\WINDOWS\Explorer.EXE [USER32.dll!TrackPopupMenu] [660447FC] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wblind.dll IAT C:\WINDOWS\Explorer.EXE[1000] @ C:\WINDOWS\Explorer.EXE [USER32.dll!DeferWindowPos] [66603E28] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll IAT C:\WINDOWS\Explorer.EXE[1000] @ C:\WINDOWS\Explorer.EXE [USER32.dll!GetWindowRect] [66603FB5] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll IAT C:\WINDOWS\Explorer.EXE[1000] @ C:\WINDOWS\Explorer.EXE [USER32.dll!SetWindowPos] [66603F82] C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbhelp.dll ---- Devices - GMER 2.2 ---- AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{026E2336-A6CB-4E14-BFCD-3EF0B35E58F0}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{026E2336-A6CB-4E14-BFCD-3EF0B35E58F0}\0001@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Services\CmdAgent\CisConfigs\0\HIPS\SBSettings@SBMode 329563 ---- EOF - GMER 2.2 ----