GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2004-07-29 13:26:01 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_SP1213N rev.TL100-24 111,82GB Running: 6j19clnw.exe; Driver: C:\DOCUME~1\User\USTAWI~1\Temp\pgliqpoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0xB2F804EE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwClose [0xB2F8187E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwConnectPort [0xB2F7F79E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateFile [0xB2F8011C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateKey [0xB2F80EC2] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSection [0xB2F7FEAE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0xB2F82882] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwCreateThread [0xB2F7F148] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteKey [0xB2F806EE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDeleteValueKey [0xB2F8094C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwDuplicateObject [0xB2F7EF32] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateKey [0xB2F81994] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwEnumerateValueKey [0xB2F81BA8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwLoadDriver [0xB2F82288] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0xB2F7FA82] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeKey [0xB2F82B54] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwNotifyChangeMultipleKeys [0xB2F81752] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenFile [0xB2F80314] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenKey [0xB2F80DB0] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenProcess [0xB2F7EB38] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenSection [0xB2F7FD36] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwOpenThread [0xB2F7ED50] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryKey [0xB2F81D1A] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryMultipleValueKey [0xB2F81FCE] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwQueryValueKey [0xB2F81E4C] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwRenameKey [0xB2F814A8] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSecurityObject [0xB2F80BD4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0xB2F82588] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSetValueKey [0xB2F811E4] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwShutdownSystem [0xB2F7F9EC] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0xB2F7FC22] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateProcess [0xB2F7F57E] SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys ZwTerminateThread [0xB2F7F34C] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[456] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[456] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[456] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[456] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[456] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[456] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[456] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\csrss.exe[632] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 5 Bytes JMP 100015D0 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\csrss.exe[632] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 5 Bytes JMP 10001A50 C:\WINDOWS\system32\cmdcsr.dll .text C:\WINDOWS\system32\services.exe[704] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[704] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\services.exe[704] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[704] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\services.exe[704] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[704] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\services.exe[704] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[704] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\services.exe[704] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\services.exe[704] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\services.exe[704] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\services.exe[704] RPCRT4.dll!RpcServerRegisterIfEx 77E8E05B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\services.exe[704] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\services.exe[704] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\services.exe[704] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\services.exe[704] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\services.exe[704] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\services.exe[704] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\services.exe[704] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\lsass.exe[716] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[716] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\lsass.exe[716] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[716] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [72, 71] {JB 0x73} .text C:\WINDOWS\system32\lsass.exe[716] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[716] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [6F, 71] .text C:\WINDOWS\system32\lsass.exe[716] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[716] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A2, 71] .text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AA0001 .text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719A000A .text C:\WINDOWS\system32\lsass.exe[716] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7197000A .text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 718E000A .text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7194000A .text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\lsass.exe[716] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [90, 71] .text C:\WINDOWS\system32\lsass.exe[716] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 7179000A .text C:\WINDOWS\system32\lsass.exe[716] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 717C000A .text C:\WINDOWS\system32\lsass.exe[716] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 7176000A .text C:\WINDOWS\system32\lsass.exe[716] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717F000A .text C:\WINDOWS\system32\lsass.exe[716] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7182000A .text C:\WINDOWS\system32\lsass.exe[716] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 7188000A .text C:\WINDOWS\system32\lsass.exe[716] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 7185000A .text C:\WINDOWS\system32\Ati2evxx.exe[872] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[872] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[872] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[872] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\Ati2evxx.exe[872] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[872] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\Ati2evxx.exe[872] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[872] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[872] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\Ati2evxx.exe[872] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\Ati2evxx.exe[872] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\Ati2evxx.exe[872] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\Ati2evxx.exe[872] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\Ati2evxx.exe[872] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\Ati2evxx.exe[872] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\Ati2evxx.exe[872] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\Ati2evxx.exe[872] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\Ati2evxx.exe[872] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\Ati2evxx.exe[872] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text C:\WINDOWS\system32\Ati2evxx.exe[872] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text C:\WINDOWS\system32\Ati2evxx.exe[872] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\Ati2evxx.exe[872] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\Ati2evxx.exe[872] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[872] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[892] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[892] RPCRT4.dll!RpcServerRegisterIfEx 77E8E05B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[892] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[892] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[892] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[892] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[892] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[892] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[892] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[976] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[976] RPCRT4.dll!RpcServerRegisterIfEx 77E8E05B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[976] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[976] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[976] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[976] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[976] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[976] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[976] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[976] rpcss.dll!WhichService 76A63C84 8 Bytes [D0, 2F, 01, 10, 90, 2D, 01, ...] .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1076] ntdll.dll!NtAllocateVirtualMemory 7C90CF50 5 Bytes JMP 00401ED0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1076] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 00441820 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1132] RPCRT4.dll!RpcServerRegisterIfEx 77E8E05B 6 Bytes JMP 7190000A .text C:\WINDOWS\system32\svchost.exe[1132] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1132] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1132] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1132] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1132] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1132] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1132] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1248] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1248] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1248] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1248] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1248] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\svchost.exe[1388] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\svchost.exe[1388] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\svchost.exe[1388] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\svchost.exe[1388] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 018C9CF0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 01E7542B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 01E75408 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 018D369E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 01E75389 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\firefox.exe[1508] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\spoolsv.exe[1596] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1596] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\spoolsv.exe[1596] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1596] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1596] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1596] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\spoolsv.exe[1596] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1596] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\spoolsv.exe[1596] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\spoolsv.exe[1596] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\spoolsv.exe[1596] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\spoolsv.exe[1596] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text C:\WINDOWS\system32\spoolsv.exe[1596] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text C:\WINDOWS\system32\spoolsv.exe[1596] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\spoolsv.exe[1596] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\spoolsv.exe[1596] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\spoolsv.exe[1596] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\system32\spoolsv.exe[1596] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\spoolsv.exe[1596] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\spoolsv.exe[1596] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\spoolsv.exe[1596] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\spoolsv.exe[1596] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\spoolsv.exe[1596] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\spoolsv.exe[1596] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\system32\Ati2evxx.exe[1648] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\system32\Ati2evxx.exe[1648] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\Ati2evxx.exe[1648] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\Ati2evxx.exe[1648] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\WINDOWS\system32\Ati2evxx.exe[1648] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\WINDOWS\system32\Ati2evxx.exe[1648] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\Ati2evxx.exe[1648] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\system32\Ati2evxx.exe[1648] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\system32\Ati2evxx.exe[1648] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\system32\Ati2evxx.exe[1648] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\Ati2evxx.exe[1648] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1744] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\Explorer.EXE[1744] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\Explorer.EXE[1744] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\Explorer.EXE[1744] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\Explorer.EXE[1744] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text C:\WINDOWS\Explorer.EXE[1744] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text C:\WINDOWS\Explorer.EXE[1744] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[1744] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[1744] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1744] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\Explorer.EXE[1744] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\Explorer.EXE[1744] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\Explorer.EXE[1744] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\Explorer.EXE[1744] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\Explorer.EXE[1744] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\WINDOWS\Explorer.EXE[1744] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\WINDOWS\Explorer.EXE[1744] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1988] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2008] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\WINDOWS\SOUNDMAN.EXE[2040] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[2040] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\WINDOWS\SOUNDMAN.EXE[2040] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[2040] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\WINDOWS\SOUNDMAN.EXE[2040] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[2040] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\WINDOWS\SOUNDMAN.EXE[2040] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[2040] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\WINDOWS\SOUNDMAN.EXE[2040] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\WINDOWS\SOUNDMAN.EXE[2040] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\WINDOWS\SOUNDMAN.EXE[2040] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\WINDOWS\SOUNDMAN.EXE[2040] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\WINDOWS\SOUNDMAN.EXE[2040] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\WINDOWS\SOUNDMAN.EXE[2040] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\WINDOWS\SOUNDMAN.EXE[2040] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\WINDOWS\SOUNDMAN.EXE[2040] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\WINDOWS\SOUNDMAN.EXE[2040] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\WINDOWS\SOUNDMAN.EXE[2040] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\WINDOWS\SOUNDMAN.EXE[2040] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\WINDOWS\SOUNDMAN.EXE[2040] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\WINDOWS\SOUNDMAN.EXE[2040] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\SOUNDMAN.EXE[2040] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] .text C:\Program Files\COMODO\COMODO Internet Security\cis.exe[2208] ntdll.dll!NtAllocateVirtualMemory 7C90CF50 5 Bytes JMP 004036C0 C:\Program Files\COMODO\COMODO Internet Security\cis.exe .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [6D, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [6A, 71] {PUSH 0x71} .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A3, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719B000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 7198000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 27, 01] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 27, 01] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 718F000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7195000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [91, 71] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717A000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7183000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 7189000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 7186000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] USER32.dll!GetWindowInfo 7E36DE7C 5 Bytes JMP 10775238 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 7174000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7177000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 7171000A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2416] USER32.dll!GetMenuContextHelpId + 1A 7E3B5269 7 Bytes JMP 10775811 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[2568] ntdll.dll!NtAllocateVirtualMemory 7C90CF50 5 Bytes JMP 00401000 C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ntdll.dll!NtClose 7C90CFD0 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ntdll.dll!NtClose + 4 7C90CFD4 2 Bytes [AE, 71] .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ntdll.dll!NtReplyWaitReceivePort 7C90DA70 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ntdll.dll!NtReplyWaitReceivePort + 4 7C90DA74 2 Bytes [77, 71] {JA 0x73} .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA80 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ntdll.dll!NtReplyWaitReceivePortEx + 4 7C90DA84 2 Bytes [74, 71] {JZ 0x73} .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ntdll.dll!LdrUnloadDll 7C91736B 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ntdll.dll!LdrUnloadDll + 4 7C91736F 2 Bytes [A7, 71] .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001 .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 719F000A .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 719C000A .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] USER32.dll!SetWindowsHookExW 7E37E4BF 6 Bytes JMP 717E000A .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] USER32.dll!SetWindowsHookExA 7E381201 6 Bytes JMP 7181000A .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] USER32.dll!SetWinEventHook 7E3817E7 6 Bytes JMP 717B000A .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 7184000A .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] GDI32.dll!GetPixel 77F1B73C 6 Bytes JMP 7187000A .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] GDI32.dll!CreateDCA 77F1B7C2 6 Bytes JMP 718D000A .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] GDI32.dll!CreateDCW 77F1BE28 6 Bytes JMP 718A000A .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ADVAPI32.dll!LsaClose + 508 77DD23EC 4 Bytes [70, 46, 01, 10] {JO 0x48; ADD [EAX], EDX} .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ADVAPI32.dll!LsaClose + 510 77DD23F4 4 Bytes [00, 47, 01, 10] .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ADVAPI32.dll!CreateProcessAsUserW 77DDA889 6 Bytes JMP 7193000A .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ADVAPI32.dll!CreateProcessAsUserA 77E00C80 6 Bytes JMP 7199000A .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ADVAPI32.dll!CreateProcessWithLogonW 77E05FD5 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\User\Moje dokumenty\Pobieranie\6j19clnw.exe[2636] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E05FD9 2 Bytes [95, 71] ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys ---- EOF - GMER 2.1 ----