PUM.Hijack.HomepageControl

  • PUM.Hijack.HomepageControl

    Hi,

    Every now and then I run a full scan with MBAM.
    I did so this morning as well, and the malware named above was found. I removed it straight away and also ran ADWcleaner. That found it too (I still have the log).

    Lately the PC has been acting a bit strange again: I very often get the message that the website or application is not responding.
    Of course I can't be sure this is what is causing it, but I would like to know whether the malware has now really been completely removed from the PC.

    Would you take a look at the logs and give some advice?

    Thanks in advance!

    Here are the logs:


    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Databaseversie: v2013.10.07.07

    Windows Vista Service Pack 2 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Ingrid :: PC_VAN_INGRID [administrator]

    7-10-2013 15:23:24
    mbam-log-2013-10-07 (15-23-24).txt

    Scan type: Snelle scan
    Ingeschakelde scan opties: Geheugen | Opstartitems | Register | Bestanden en mappen | Heuristiek/Extra | Heuristiek/Shuriken | PUP | PUM | P2P
    Uitgeschakelde scan opties:
    Objecten gescand: 244474
    Verstreken tijd: 18 minuut/minuten, 29 seconde(n)

    Geheugenprocessen gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Geheugenmodulen gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Registersleutels gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Registerwaarden gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Registerdata gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Mappen gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    Bestanden gedetecteerd: 0
    (Geen kwaadaardige objecten gedetecteerd)

    (einde)


    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16506 BrowserJavaVersion: 10.40.2
    Run by Ingrid at 15:45:01 on 2013-10-07
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.31.1043.18.894.314 [GMT 2:00]
    .
    AV: COMODO Antivirus *Enabled/Updated* {B74CC7D2-B407-E1DC-1033-DD315BCDC8C8}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: COMODO Antivirus *Enabled/Updated* {0C2D2636-923D-EE52-2A83-E643204A8275}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe
    C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\Windows\system32\SLsvc.exe
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\HitmanPro.Alert\hmpalert.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
    C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Secunia\PSI\PSIA.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Secunia\PSI\sua.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\EMET 4.0\EMET_Agent.exe
    C:\Program Files\Comodo\COMODO Internet Security\cistray.exe
    C:\Program Files\Real\realplayer\Update\realsched.exe
    C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
    C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
    C:\Program Files\Comodo\COMODO Internet Security\cis.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Windows Mail\WinMail.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\sdclt.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.nu.nl/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NL_NL&c=71&bd=Presario&pf=desktop
    uURLSearchHooks: {472734EA-242A-422b-ADF8-83D1E48CC825} - <orphaned>
    BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Advanced SystemCare Browser Protection: {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - c:\program files\iobit\advanced systemcare 6\browerprotect\ASCPlugin_Protection.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [EMET Agent] "c:\program files\emet 4.0\EMET_agent.exe"
    mRun: [COMODO Internet Security] c:\program files\comodo\comodo internet security\cistray.exe
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: Google Sidewiki... - <no file>
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 192.168.1.254
    TCP: Interfaces\{1ED079DF-F8E1-4697-9BBF-E2AA44ACA00F} : DHCPNameServer = 192.168.1.254
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Handler: wot - <Clsid value has no data>
    SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MxEFUF;Matrox Extio Upper Function Filter;c:\windows\system32\drivers\MxEFUF32.sys [2012-4-2 102728]
    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-1-24 239168]
    R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-1-24 338880]
    R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-1-24 656320]
    R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\emsisoft anti-malware\a2ddax86.sys [2011-10-7 22056]
    R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2013-6-18 20072]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2013-7-8 584496]
    R1 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\drivers\ImmunetProtect.sys [2011-6-17 47696]
    R1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\drivers\ImmunetSelfProtect.sys [2011-6-17 32080]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
    R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-10-7 4153784]
    R2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\iobit\advanced systemcare 6\ASCService.exe [2012-10-22 574272]
    R2 hmpalert;HitmanPro.Alert Support Driver;c:\windows\system32\drivers\hmpalert.sys [2013-7-6 14376]
    R2 hmpalertsvc;HitmanPro.Alert Service;c:\program files\hitmanpro.alert\hmpalert.exe [2013-7-6 1830768]
    R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2013-3-4 45824]
    R2 rsdsys;rsd protect;c:\windows\system32\drivers\protreg.sys [2012-8-11 19712]
    R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-12-7 21504]
    R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2013-3-4 56960]
    R3 PGR1394b;HS 3d Sensor IEEE 1394 Bus host controllers;c:\windows\system32\drivers\HS3dSensor1394.sys [2012-3-18 72704]
    R3 PSI;PSI;c:\windows\system32\drivers\psi_mf_x86.sys [2013-7-3 16024]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
    S2 gupdate1c95be95f058815;Google Update Service (gupdate1c95be95f058815);c:\program files\google\update\GoogleUpdate.exe [2008-12-12 133104]
    S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-10-7 57944]
    S3 cleanhlp;cleanhlp;c:\program files\emsisoft anti-malware\cleanhlp32.sys [2013-7-3 50200]
    S3 cmdvirth;COMODO Virtual Service Manager;c:\program files\comodo\comodo internet security\cmdvirth.exe [2013-6-18 131288]
    S3 hcdriver;EHCI Compliance Test Tool Device Driver;c:\windows\system32\drivers\hcdriver.sys [2012-3-23 50688]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
    S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2013-4-2 13464]
    .
    =============== Created Last 30 ================
    .
    2013-10-07 09:34:58 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2013-10-06 04:21:42 -------- d-----w- C:\AdwCleaner
    2013-09-25 03:33:10 2516 ----a-w- c:\windows\system32\drivers\fvstore.dat
    2013-09-19 13:17:46 -------- d--h--w- C:\VTRoot
    2013-09-19 12:37:19 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
    2013-09-19 12:31:44 -------- d-s---w- c:\programdata\Shared Space
    2013-09-19 12:29:29 1700352 ----a-w- c:\windows\system32\gdiplus.dll
    2013-09-19 12:27:11 -------- d-----w- c:\programdata\COMODO
    2013-09-19 12:25:25 -------- d-----w- c:\users\ingrid\appdata\local\Comodo
    2013-09-19 12:25:10 47368 ----a-w- c:\windows\system32\certsentry.dll
    2013-09-19 12:24:52 -------- d-----w- c:\program files\Comodo
    2013-09-19 12:24:39 -------- d-----w- c:\programdata\Comodo Downloader
    2013-09-17 16:01:05 7328304 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e93e8d26-323c-48b4-861f-20660719967c}\mpengine.dll
    2013-09-13 03:02:50 615936 ----a-w- c:\windows\system32\themeui.dll
    2013-09-13 03:02:44 2049536 ----a-w- c:\windows\system32\win32k.sys
    2013-09-12 09:11:27 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2013-09-11 15:38:09 -------- d-----w- c:\programdata\Oracle
    2013-09-11 15:38:02 -------- d-----w- c:\program files\common files\Java(0)
    .
    ==================== Find3M ====================
    .
    2013-10-04 11:01:58 13464 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
    2013-09-24 10:54:03 43728 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2013-09-24 10:54:02 584496 ----a-w- c:\windows\system32\drivers\cmdguard.sys
    2013-09-24 10:54:01 20072 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2013-09-24 10:53:51 36000 ----a-w- c:\windows\system32\cmdcsr.dll
    2013-09-24 10:53:51 354240 ----a-w- c:\windows\system32\guard32.dll
    2013-09-24 10:53:35 280792 ----a-w- c:\windows\system32\cmdvrt32.dll
    2013-09-24 10:53:34 40664 ----a-w- c:\windows\system32\cmdkbd32.dll
    2013-09-19 16:35:50 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-09-19 16:35:50 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-09-12 09:12:03 868264 ----a-w- c:\windows\system32\npdeployJava1.dll
    2013-09-12 09:12:03 790440 ----a-w- c:\windows\system32\deployJava1.dll
    2013-08-07 19:47:24 564312 ----a-w- c:\windows\system32\hmpalert.dll
    2013-08-07 19:47:24 14376 ----a-w- c:\windows\system32\drivers\hmpalert.sys
    2013-08-07 02:22:04 238872 ------w- c:\windows\system32\MpSigStub.exe
    2013-08-02 04:09:35 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
    2013-07-31 10:00:20 1800704 ----a-w- c:\windows\system32\jscript9.dll
    2013-07-31 09:52:44 1129472 ----a-w- c:\windows\system32\wininet.dll
    2013-07-31 09:52:34 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-07-31 09:48:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2013-07-31 09:48:09 420864 ----a-w- c:\windows\system32\vbscript.dll
    2013-07-31 09:45:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2013-07-17 19:41:34 2048 ----a-w- c:\windows\system32\tzres.dll
    2013-07-10 09:47:00 783360 ----a-w- c:\windows\system32\rpcrt4.dll
    .
    ============= FINISH: 15:47:11,44 ===============

  • #2
    GMER 2.1.19163 - http://www.gmer.net
    Rootkit scan 2013-10-07 17:02:34
    Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\0000005c WDC_WD32 rev.12.0 298,09GB
    Running: zp1vdp66.exe; Driver: C:\Users\Ingrid\AppData\Local\Temp\agdiqkog.sys


    ---- System - GMER 2.1 ----

    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAdjustPrivilegesToken [0x8FC1A4E2]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwAlpcConnectPort [0x8FC1A6D6]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwConnectPort [0x8FC19792]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateFile [0x8FC1A110]
    SSDT \SystemRoot\system32\drivers\PCTCore.sys ZwCreateProcess [0x86A10F68]
    SSDT \SystemRoot\system32\drivers\PCTCore.sys ZwCreateProcessEx [0x86A11230]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSection [0x8FC19EA2]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateSymbolicLinkObject [0x8FC1B296]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThread [0x8FC1913C]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwLoadDriver [0x8FC1AC9C]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwMakeTemporaryObject [0x8FC19A76]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenFile [0x8FC1A308]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwOpenSection [0x8FC19D2A]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSetSystemInformation [0x8FC1AF9C]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwShutdownSystem [0x8FC199E0]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwSystemDebugControl [0x8FC19C16]
    SSDT \SystemRoot\system32\drivers\PCTCore.sys ZwTerminateProcess [0x86A109D8]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwTerminateThread [0x8FC19340]
    SSDT \SystemRoot\system32\DRIVERS\cmdguard.sys ZwCreateThreadEx [0x8FC1A920]
    SSDT \SystemRoot\system32\drivers\PCTCore.sys ZwCreateUserProcess [0x86A1152C]

    ---- Kernel code sections - GMER 2.1 ----

    .text ntkrnlpa.exe!KeSetEvent + 119 85EE1764 4 Bytes [E2, A4, C1, 8F]
    .text ntkrnlpa.exe!KeSetEvent + 13D 85EE1788 4 Bytes [D6, A6, C1, 8F]
    .text ntkrnlpa.exe!KeSetEvent + 1C1 85EE180C 4 Bytes [92, 97, C1, 8F]
    .text ntkrnlpa.exe!KeSetEvent + 1D9 85EE1824 4 Bytes [10, A1, C1, 8F]
    .text ntkrnlpa.exe!KeSetEvent + 209 85EE1854 3 Bytes [68, 0F, A1]
    .text ...
    ? C:\Users\Ingrid\AppData\Local\Temp\mbr.sys Het systeem kan het opgegeven bestand niet vinden. !

    ---- User code sections - GMER 2.1 ----

    .text C:\Program Files\Windows Mail\WinMail.exe[368] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
    .text C:\Program Files\Windows Mail\WinMail.exe[368] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Program Files\Windows Mail\WinMail.exe[368] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Windows Mail\WinMail.exe[368] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
    .text C:\Program Files\Windows Mail\WinMail.exe[368] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Windows Mail\WinMail.exe[368] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
    .text C:\Program Files\Windows Mail\WinMail.exe[368] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Program Files\Windows Mail\WinMail.exe[368] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Program Files\Windows Mail\WinMail.exe[368] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
    .text C:\Program Files\Windows Mail\WinMail.exe[368] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
    .text C:\Program Files\Windows Mail\WinMail.exe[368] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
    .text C:\Program Files\Windows Mail\WinMail.exe[368] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
    .text C:\Program Files\Windows Mail\WinMail.exe[368] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
    .text C:\Program Files\Windows Mail\WinMail.exe[368] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
    .text C:\Program Files\Windows Mail\WinMail.exe[368] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
    .text C:\Program Files\Windows Mail\WinMail.exe[368] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
    .text C:\Program Files\Windows Mail\WinMail.exe[368] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
    .text C:\Program Files\Windows Mail\WinMail.exe[368] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
    .text C:\Program Files\Windows Mail\WinMail.exe[368] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
    .text C:\Program Files\Windows Mail\WinMail.exe[368] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
    .text C:\Program Files\Windows Mail\WinMail.exe[368] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
    .text C:\Windows\system32\taskeng.exe[424] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
    .text C:\Windows\system32\taskeng.exe[424] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Windows\system32\taskeng.exe[424] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\taskeng.exe[424] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
    .text C:\Windows\system32\taskeng.exe[424] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\taskeng.exe[424] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
    .text C:\Windows\system32\taskeng.exe[424] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Windows\system32\taskeng.exe[424] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Windows\system32\taskeng.exe[424] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
    .text C:\Windows\system32\taskeng.exe[424] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
    .text C:\Windows\system32\taskeng.exe[424] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
    .text C:\Windows\system32\taskeng.exe[424] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
    .text C:\Windows\system32\taskeng.exe[424] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
    .text C:\Windows\system32\taskeng.exe[424] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
    .text C:\Windows\system32\taskeng.exe[424] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
    .text C:\Windows\system32\taskeng.exe[424] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
    .text C:\Windows\system32\taskeng.exe[424] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
    .text C:\Windows\system32\taskeng.exe[424] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
    .text C:\Windows\system32\taskeng.exe[424] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
    .text C:\Windows\system32\taskeng.exe[424] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
    .text C:\Windows\system32\taskeng.exe[424] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
    .text C:\Windows\system32\svchost.exe[504] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
    .text C:\Windows\system32\svchost.exe[504] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Windows\system32\svchost.exe[504] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\svchost.exe[504] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
    .text C:\Windows\system32\svchost.exe[504] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\svchost.exe[504] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
    .text C:\Windows\system32\svchost.exe[504] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Windows\system32\svchost.exe[504] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Windows\system32\svchost.exe[504] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
    .text C:\Windows\system32\svchost.exe[504] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
    .text C:\Windows\system32\svchost.exe[504] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
    .text C:\Windows\system32\svchost.exe[504] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
    .text C:\Windows\system32\svchost.exe[504] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
    .text C:\Windows\system32\svchost.exe[504] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
    .text C:\Windows\system32\svchost.exe[504] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
    .text C:\Windows\system32\svchost.exe[504] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
    .text C:\Windows\system32\svchost.exe[504] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
    .text C:\Windows\system32\svchost.exe[504] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
    .text C:\Windows\system32\svchost.exe[504] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
    .text C:\Windows\system32\svchost.exe[504] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
    .text C:\Windows\system32\svchost.exe[504] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
    .text C:\Windows\system32\sdclt.exe[516] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
    .text C:\Windows\system32\sdclt.exe[516] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Windows\system32\sdclt.exe[516] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\sdclt.exe[516] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
    .text C:\Windows\system32\sdclt.exe[516] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\sdclt.exe[516] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
    .text C:\Windows\system32\sdclt.exe[516] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Windows\system32\sdclt.exe[516] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Windows\system32\sdclt.exe[516] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
    .text C:\Windows\system32\sdclt.exe[516] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
    .text C:\Windows\system32\sdclt.exe[516] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
    .text C:\Windows\system32\sdclt.exe[516] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
    .text C:\Windows\system32\sdclt.exe[516] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
    .text C:\Windows\system32\sdclt.exe[516] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
    .text C:\Windows\system32\sdclt.exe[516] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
    .text C:\Windows\system32\sdclt.exe[516] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
    .text C:\Windows\system32\sdclt.exe[516] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
    .text C:\Windows\system32\sdclt.exe[516] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
    .text C:\Windows\system32\sdclt.exe[516] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
    .text C:\Windows\system32\sdclt.exe[516] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
    .text C:\Windows\system32\sdclt.exe[516] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
    .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[692] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
    .text C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe[824] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
    .text C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe[824] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
    .text C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe[824] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe[824] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}

    • #3
      .text C:\Windows\system32\conime.exe[1672] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
      .text C:\Windows\system32\conime.exe[1672] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\conime.exe[1672] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\conime.exe[1672] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
      .text C:\Windows\system32\conime.exe[1672] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
      .text C:\Windows\system32\conime.exe[1672] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
      .text C:\Windows\system32\conime.exe[1672] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
      .text C:\Windows\system32\conime.exe[1672] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
      .text C:\Windows\system32\conime.exe[1672] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
      .text C:\Windows\system32\conime.exe[1672] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
      .text C:\Windows\system32\conime.exe[1672] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
      .text C:\Windows\system32\conime.exe[1672] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
      .text C:\Windows\system32\conime.exe[1672] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
      .text C:\Windows\system32\conime.exe[1672] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
      .text C:\Windows\system32\conime.exe[1672] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
      .text C:\Windows\system32\conime.exe[1672] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[1716] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
      .text C:\Program Files\Comodo\COMODO Internet Security\cistray.exe[1868] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Comodo\COMODO Internet Security\cistray.exe[1868] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Comodo\COMODO Internet Security\cistray.exe[1868] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
      .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[1936] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1940] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
      .text C:\Program Files\Google\Update\GoogleUpdate.exe[2124] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\SearchIndexer.exe[2164] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
      .text C:\Windows\system32\SearchIndexer.exe[2164] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
      .text C:\Windows\system32\SearchIndexer.exe[2164] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
      .text C:\Windows\system32\SearchIndexer.exe[2164] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
      .text C:\Windows\system32\SearchIndexer.exe[2164] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\SearchIndexer.exe[2164] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\SearchIndexer.exe[2164] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
      .text C:\Windows\system32\SearchIndexer.exe[2164] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
      .text C:\Windows\system32\taskeng.exe[2224] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
      .text C:\Windows\system32\taskeng.exe[2224] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\taskeng.exe[2224] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
      .text C:\Windows\system32\taskeng.exe[2224] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
      .text C:\Windows\system32\taskeng.exe[2224] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
      .text C:\Windows\system32\taskeng.exe[2224] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
      .text C:\Windows\system32\taskeng.exe[2224] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\taskeng.exe[2224] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\taskeng.exe[2224] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
      .text C:\Windows\system32\taskeng.exe[2224] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
      .text C:\Windows\system32\taskeng.exe[2224] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
      .text C:\Windows\system32\taskeng.exe[2224] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
      .text C:\Windows\system32\taskeng.exe[2224] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
      .text C:\Windows\system32\taskeng.exe[2224] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
      .text C:\Windows\system32\taskeng.exe[2224] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
      .text C:\Windows\system32\taskeng.exe[2224] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
      .text C:\Windows\system32\taskeng.exe[2224] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
      .text C:\Windows\system32\taskeng.exe[2224] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
      .text C:\Windows\system32\taskeng.exe[2224] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
      .text C:\Windows\system32\taskeng.exe[2224] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
      .text C:\Windows\system32\taskeng.exe[2224] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
      .text C:\Windows\system32\taskeng.exe[2248] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
      .text C:\Windows\system32\taskeng.exe[2248] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\taskeng.exe[2248] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
      .text C:\Windows\system32\taskeng.exe[2248] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
      .text C:\Windows\system32\taskeng.exe[2248] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
      .text C:\Windows\system32\taskeng.exe[2248] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
      .text C:\Windows\system32\taskeng.exe[2248] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\taskeng.exe[2248] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\taskeng.exe[2248] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
      .text C:\Windows\system32\taskeng.exe[2248] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
      .text C:\Windows\system32\taskeng.exe[2248] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
      .text C:\Windows\system32\taskeng.exe[2248] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
      .text C:\Windows\system32\taskeng.exe[2248] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
      .text C:\Windows\system32\taskeng.exe[2248] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
      .text C:\Windows\system32\taskeng.exe[2248] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
      .text C:\Windows\system32\taskeng.exe[2248] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
      .text C:\Windows\system32\taskeng.exe[2248] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
      .text C:\Windows\system32\taskeng.exe[2248] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
      .text C:\Windows\system32\taskeng.exe[2248] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
      .text C:\Windows\system32\taskeng.exe[2248] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
      .text C:\Windows\system32\taskeng.exe[2248] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
      .text C:\Program Files\Secunia\PSI\PSIA.exe[2504] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
      .text C:\Windows\system32\svchost.exe[2572] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
      .text C:\Windows\system32\svchost.exe[2572] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\svchost.exe[2572] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
      .text C:\Windows\system32\svchost.exe[2572] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
      .text C:\Windows\system32\svchost.exe[2572] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
      .text C:\Windows\system32\svchost.exe[2572] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
      .text C:\Windows\system32\svchost.exe[2572] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\svchost.exe[2572] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
      .text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
      .text C:\Windows\system32\svchost.exe[2572] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
      .text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
      .text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
      .text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
      .text C:\Windows\system32\svchost.exe[2572] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
      .text C:\Windows\system32\svchost.exe[2572] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
      .text C:\Windows\system32\svchost.exe[2572] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
      .text C:\Windows\system32\svchost.exe[2572] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
      .text C:\Windows\system32\svchost.exe[2572] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
      .text C:\Windows\system32\svchost.exe[2572] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
      .text C:\Windows\system32\svchost.exe[2572] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
      .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2796] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
      .text C:\Program Files\Real\realplayer\Update\realsched.exe[3076] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A



      • #4
        .text C:\Program Files\Real\realplayer\Update\realsched.exe[3076] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
        .text C:\Program Files\Real\realplayer\Update\realsched.exe[3076] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
        .text C:\Program Files\Real\realplayer\Update\realsched.exe[3076] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
        .text C:\Program Files\Real\realplayer\Update\realsched.exe[3076] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
        .text C:\Program Files\Real\realplayer\Update\realsched.exe[3076] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
        .text C:\Program Files\Real\realplayer\Update\realsched.exe[3076] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
        • #5
          .text C:\Windows\system32\svchost.exe[4768] RPCRT4.dll!RpcServerRegisterIfEx 75907A2C 6 Bytes JMP 7190000A
          .text C:\Windows\system32\svchost.exe[4768] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7181000A
          .text C:\Windows\system32\svchost.exe[4768] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 717E000A
          .text C:\Windows\system32\svchost.exe[4768] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717B000A
          .text C:\Windows\system32\svchost.exe[4768] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7184000A
          .text C:\Windows\system32\svchost.exe[4768] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718A000A
          .text C:\Windows\system32\svchost.exe[4768] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 718D000A
          .text C:\Windows\system32\svchost.exe[4768] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 7187000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [74, 71] {JZ 0x73}
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7181000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 717E000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 717B000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 7178000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
          .text C:\Program Files\IObit\Advanced SystemCare 6\ASCService.exe[4808] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [74, 71] {JZ 0x73}
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7181000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 717E000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 717B000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 7178000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
          .text C:\Program Files\Emsisoft Anti-Malware\a2service.exe[4836] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
          .text C:\Windows\system32\nvvsvc.exe[4924] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
          .text C:\Windows\system32\nvvsvc.exe[4924] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
          .text C:\Windows\system32\nvvsvc.exe[4924] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
          .text C:\Windows\system32\nvvsvc.exe[4924] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
          .text C:\Windows\system32\nvvsvc.exe[4924] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
          .text C:\Windows\system32\nvvsvc.exe[4924] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
          .text C:\Windows\system32\nvvsvc.exe[4924] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
          .text C:\Windows\system32\nvvsvc.exe[4924] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
          .text C:\Windows\system32\nvvsvc.exe[4924] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
          .text C:\Windows\system32\nvvsvc.exe[4924] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
          .text C:\Windows\system32\nvvsvc.exe[4924] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
          .text C:\Windows\system32\nvvsvc.exe[4924] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
          .text C:\Windows\system32\nvvsvc.exe[4924] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
          .text C:\Windows\system32\nvvsvc.exe[4924] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
          .text C:\Windows\system32\nvvsvc.exe[4924] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
          .text C:\Windows\system32\nvvsvc.exe[4924] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
          .text C:\Windows\system32\nvvsvc.exe[4924] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
          .text C:\Windows\system32\nvvsvc.exe[4924] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
          .text C:\Windows\system32\svchost.exe[4952] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
          .text C:\Windows\system32\svchost.exe[4952] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
          .text C:\Windows\system32\svchost.exe[4952] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [77, 71] {JA 0x73}
          .text C:\Windows\system32\svchost.exe[4952] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
          .text C:\Windows\system32\svchost.exe[4952] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
          .text C:\Windows\system32\svchost.exe[4952] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
          .text C:\Windows\system32\svchost.exe[4952] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
          .text C:\Windows\system32\svchost.exe[4952] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
          .text C:\Windows\system32\svchost.exe[4952] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
          .text C:\Windows\system32\svchost.exe[4952] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
          .text C:\Windows\system32\svchost.exe[4952] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
          .text C:\Windows\system32\svchost.exe[4952] RPCRT4.dll!RpcServerRegisterIfEx 75907A2C 6 Bytes JMP 7190000A
          .text C:\Windows\system32\svchost.exe[4952] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7181000A
          .text C:\Windows\system32\svchost.exe[4952] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 717E000A
          .text C:\Windows\system32\svchost.exe[4952] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717B000A
          .text C:\Windows\system32\svchost.exe[4952] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7184000A
          .text C:\Windows\system32\svchost.exe[4952] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718A000A
          .text C:\Windows\system32\svchost.exe[4952] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 718D000A
          .text C:\Windows\system32\svchost.exe[4952] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 7187000A
          .text C:\Windows\system32\svchost.exe[4952] rpcss.dll!WhichService 73F73F84 8 Bytes [20, 39, 01, 10, E0, 36, 01, ...] {AND [ECX], BH; ADD [EAX], EDX; LOOPNZ 0x3c; ADD [EAX], EDX}
          .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[5012] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 00F632F0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
          .text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[5012] ntdll.dll!NtCreateFile 77164264 5 Bytes JMP 00FAA0F0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
          .text C:\Windows\system32\svchost.exe[5076] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
          .text C:\Windows\system32\svchost.exe[5076] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
          .text C:\Windows\system32\svchost.exe[5076] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
          .text C:\Windows\system32\svchost.exe[5076] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
          .text C:\Windows\system32\svchost.exe[5076] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
          .text C:\Windows\system32\svchost.exe[5076] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
          .text C:\Windows\system32\svchost.exe[5076] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
          .text C:\Windows\system32\svchost.exe[5076] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
          .text C:\Windows\system32\svchost.exe[5076] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
          .text C:\Windows\system32\svchost.exe[5076] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
          .text C:\Windows\system32\svchost.exe[5076] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
          .text C:\Windows\system32\svchost.exe[5076] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
          .text C:\Windows\system32\svchost.exe[5076] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
          .text C:\Windows\system32\svchost.exe[5076] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
          .text C:\Windows\system32\svchost.exe[5076] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
          .text C:\Windows\system32\svchost.exe[5076] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
          .text C:\Windows\system32\svchost.exe[5076] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
          .text C:\Windows\system32\svchost.exe[5076] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
          .text C:\Windows\System32\svchost.exe[5152] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
          .text C:\Windows\System32\svchost.exe[5152] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
          .text C:\Windows\System32\svchost.exe[5152] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
          .text C:\Windows\System32\svchost.exe[5152] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
          .text C:\Windows\System32\svchost.exe[5152] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
          .text C:\Windows\System32\svchost.exe[5152] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
          .text C:\Windows\System32\svchost.exe[5152] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
          .text C:\Windows\System32\svchost.exe[5152] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
          .text C:\Windows\System32\svchost.exe[5152] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
          .text C:\Windows\System32\svchost.exe[5152] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
          .text C:\Windows\System32\svchost.exe[5152] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
          .text C:\Windows\System32\svchost.exe[5152] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
          .text C:\Windows\System32\svchost.exe[5152] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
          .text C:\Windows\System32\svchost.exe[5152] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
          .text C:\Windows\System32\svchost.exe[5152] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
          .text C:\Windows\System32\svchost.exe[5152] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
          .text C:\Windows\System32\svchost.exe[5152] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
          .text C:\Windows\System32\svchost.exe[5152] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
          .text C:\Windows\System32\svchost.exe[5200] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
          .text C:\Windows\System32\svchost.exe[5200] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]


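Added here as an example that is not part of the poster's log or of GMER itself: a small Python triage script for this kind of user-mode hook listing. Each `.text` line is one patched export in one process: the module!export, its address, the number of patched bytes, and then either the destination of the inline JMP (followed, when GMER can map that destination to a loaded module, by the path of that module) or the raw bytes that were written. Reading hundreds of these by hand is the hard part, so the script parses the lines, merges the `Export` / `Export + N` fragments that belong to one patch, and sorts the hooks into three buckets: JMPs attributed to a named module (in this log hmpalert.dll, which is HitmanPro.Alert, EMET.DLL from Microsoft's EMET, IEFRAME.dll, and COMODO's own cmdagent.exe), JMPs into memory that no module claims (the 71xx000A and 3715xx00 targets), and raw byte patches. The sample input is a constructed excerpt of a few lines from the listing above; the script makes no claim about what the unattributed targets are, it only reports which processes share them, which is the first thing to establish before calling any of them malicious.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied in the shape of the GMER listing above
# (the real log runs to hundreds of such lines across every process).
SAMPLE_LOG = r"""
.text C:\Windows\system32\lsm.exe[4620] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
.text C:\Windows\system32\lsm.exe[4620] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
.text C:\Windows\system32\lsm.exe[4620] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
.text C:\Windows\system32\svchost.exe[4768] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5268] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5268] ntdll.dll!NtMapViewOfSection 771649B4 5 Bytes JMP 63324BFA C:\Windows\AppPatch\EMET.DLL
.text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!CreateProcessW 759C1BF3 10 Bytes JMP 37151000
.text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!VirtualAllocEx 75A0AEFC 1 Byte [E9]
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[5012] ntdll.dll!NtCreateFile 77164264 5 Bytes JMP 00FAA0F0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
"""

# One user-mode hook line:
#   .text <process path>[<pid>] <module>!<export>[ + <hex offset>] <addr> <n> Byte(s) <patch>
# where <patch> is "JMP <target> [<owner path>]" or "[<bytes>] [{<disassembly>}]".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^\s!]+)!(?P<func>\S+)(?:\s+\+\s+(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.*)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?$")
BYTES_RE = re.compile(r"^\[(?P<bytes>[0-9A-Fa-f, ]+)\]")


def parse_gmer_hooks(text):
    """Parse hook lines, merging 'Export' and 'Export + N' fragments into one record
    per (process, pid, module, export), in first-seen order."""
    records = {}
    for raw in text.splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue  # blank line, header, kernel-mode section, ...
        rec = records.setdefault((m["proc"], m["pid"], m["mod"], m["func"]), {
            "process": m["proc"].rsplit("\\", 1)[-1].lower(),
            "pid": int(m["pid"]),
            "symbol": f'{m["mod"]}!{m["func"]}',
            "jmp_target": None,  # JMP destination as printed, if the patch is a JMP
            "owner": None,       # basename of the module GMER attributed the target to
            "fragments": [],     # (offset, size, [bytes]) for raw-byte patches
        })
        # The "+ N" offset is hex: LoadLibraryExW + 173 sits at 759E926C + 0x173.
        off = int(m["off"], 16) if m["off"] else 0
        if rec.setdefault("base", int(m["addr"], 16) - off) != int(m["addr"], 16) - off:
            raise ValueError(f"offset/address mismatch on: {raw.strip()}")
        jm, bm = JMP_RE.match(m["patch"]), BYTES_RE.match(m["patch"])
        if jm:
            rec["jmp_target"] = jm["target"].upper()
            if jm["owner"]:
                rec["owner"] = jm["owner"].rsplit("\\", 1)[-1].lower()
        elif bm:
            rec["fragments"].append(
                (off, int(m["size"]), [b.strip().upper() for b in bm["bytes"].split(",")]))
    return list(records.values())


def classify(rec):
    """attributed: GMER named the module that owns the JMP target.
    unattributed: JMP into memory no loaded module claims (e.g. a bare JMP 71A8000A).
    patch: raw bytes only, e.g. a split FF 25 (JMP dword ptr [abs32]) sequence."""
    if rec["owner"]:
        return "attributed"
    if rec["jmp_target"]:
        return "unattributed"
    return "patch"


def is_indirect_jmp(rec):
    """True when the raw patch starts with FF 25 (JMP dword ptr [abs32]). In the log the
    6-byte instruction appears as fragments at +0 and +4; byte +3 is not listed."""
    return bool(rec["fragments"]) and rec["fragments"][0][2][:2] == ["FF", "25"]


def summarize(hooks):
    """Per-owner hook counts, unattributed JMP targets with the processes that share
    them, and raw patches with the indirect-JMP flag."""
    owners, unattributed, patches = defaultdict(int), defaultdict(set), []
    for rec in hooks:
        kind = classify(rec)
        if kind == "attributed":
            owners[rec["owner"]] += 1
        elif kind == "unattributed":
            unattributed[rec["jmp_target"]].add(rec["process"])
        else:
            patches.append((rec["process"], rec["symbol"], is_indirect_jmp(rec)))
    return {"owners": dict(owners),
            "unattributed": {t: sorted(p) for t, p in unattributed.items()},
            "patches": patches}


def shared_targets(summary, min_processes=2):
    """Unattributed targets reached from at least min_processes distinct processes: the
    same destination everywhere points at one component loaded into every process,
    not at something specific to a single process."""
    return {t: p for t, p in summary["unattributed"].items() if len(p) >= min_processes}
```

To use it on the full log, read the file and pass its text to `parse_gmer_hooks`, then `summarize` and `shared_targets`. On the listing above the same unattributed targets recur in lsass.exe, lsm.exe, the svchost.exe instances shown and the security products themselves, which is what one component injected system-wide looks like; an unattributed target that shows up in a single process only is the one worth dumping from memory and identifying, while hooks that GMER already attributes to hmpalert.dll, EMET.DLL or cmdagent.exe are the installed protection doing its job.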
          • #6
            .text C:\Windows\System32\svchost.exe[5200] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
            .text C:\Windows\System32\svchost.exe[5200] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
            .text C:\Windows\System32\svchost.exe[5200] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
            .text C:\Windows\System32\svchost.exe[5200] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
            .text C:\Windows\System32\svchost.exe[5200] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
            .text C:\Windows\System32\svchost.exe[5200] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
            .text C:\Windows\System32\svchost.exe[5200] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
            .text C:\Windows\System32\svchost.exe[5200] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
            .text C:\Windows\System32\svchost.exe[5200] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
            .text C:\Windows\System32\svchost.exe[5200] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
            .text C:\Windows\System32\svchost.exe[5200] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
            .text C:\Windows\System32\svchost.exe[5200] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
            .text C:\Windows\System32\svchost.exe[5200] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
            .text C:\Windows\System32\svchost.exe[5200] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
            .text C:\Windows\System32\svchost.exe[5200] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
            .text C:\Windows\System32\svchost.exe[5200] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
            .text C:\Windows\system32\svchost.exe[5216] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
            .text C:\Windows\system32\svchost.exe[5216] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\svchost.exe[5216] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [77, 71] {JA 0x73}
            .text C:\Windows\system32\svchost.exe[5216] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\svchost.exe[5216] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
            .text C:\Windows\system32\svchost.exe[5216] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
            .text C:\Windows\system32\svchost.exe[5216] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
            .text C:\Windows\system32\svchost.exe[5216] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
            .text C:\Windows\system32\svchost.exe[5216] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
            .text C:\Windows\system32\svchost.exe[5216] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
            .text C:\Windows\system32\svchost.exe[5216] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
            .text C:\Windows\system32\svchost.exe[5216] RPCRT4.dll!RpcServerRegisterIfEx 75907A2C 6 Bytes JMP 7190000A
            .text C:\Windows\system32\svchost.exe[5216] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7181000A
            .text C:\Windows\system32\svchost.exe[5216] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 717E000A
            .text C:\Windows\system32\svchost.exe[5216] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717B000A
            .text C:\Windows\system32\svchost.exe[5216] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7184000A
            .text C:\Windows\system32\svchost.exe[5216] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718A000A
            .text C:\Windows\system32\svchost.exe[5216] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 718D000A
            .text C:\Windows\system32\svchost.exe[5216] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 7187000A
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [78, 71] {JS 0x73}
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ntdll.dll!NtMapViewOfSection 771649B4 5 Bytes JMP 63324BFA C:\Windows\AppPatch\EMET.DLL
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ntdll.dll!NtUnmapViewOfSection 77165464 5 Bytes JMP 63324BD2 C:\Windows\AppPatch\EMET.DLL
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ntdll.dll!LdrHotPatchRoutine 7718D166 7 Bytes JMP 37150500
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!CreateProcessW 759C1BF3 10 Bytes JMP 37151000
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!CreateProcessA 759C1C28 7 Bytes JMP 37150F00
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!WriteProcessMemory 759C1CB8 10 Bytes JMP 37151400
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!VirtualProtect 759C1DC3 8 Bytes JMP 37150600
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!CreateFileMappingW 759E1170 8 Bytes JMP 37151900
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!CreateFileMappingA 759E2346 8 Bytes JMP 37151800
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!CreateProcessInternalW 759E5467 10 Bytes JMP 37151200
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!CreateProcessInternalA 759E8C15 10 Bytes JMP 37151100
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!LoadLibraryExW 759E926C 7 Bytes JMP 37150B00
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!LoadLibraryW 759E93F0 7 Bytes JMP 37150900
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!LoadLibraryExA 759E9544 8 Bytes JMP 37150A00
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!LoadLibraryA 759E956C 9 Bytes JMP 37150800
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!HeapCreate 759E9D9B 8 Bytes JMP 37150E00
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!VirtualProtectEx 759EDC3A 12 Bytes JMP 37150700
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!MapViewOfFile 75A06AD0 10 Bytes JMP 37151A00
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!MapViewOfFileEx 75A0AA81 10 Bytes JMP 37151B00
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!VirtualAllocEx 75A0AEFC 1 Byte [E9]
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!VirtualAllocEx 75A0AEFC 9 Bytes JMP 37150D00
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!VirtualAlloc 75A0AF55 8 Bytes JMP 37150C00
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!CreateFileW 75A0B0CB 8 Bytes JMP 37151700
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!CreateRemoteThread 75A0CB35 7 Bytes JMP 37151300
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!CreateRemoteThread + 8 75A0CB3D 2 Bytes [CC, CC] {INT 3 ; INT 3 }
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!CreateFileA 75A0D05F 8 Bytes JMP 37151600
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] kernel32.dll!WinExec 75A5614F 11 Bytes JMP 37151500
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7197000A
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7191000A
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7194000A
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7182000A
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 717F000A
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717C000A
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] USER32.dll!EnableWindow 766BCD8B 5 Bytes JMP 6C9C9EBC C:\Windows\system32\IEFRAME.dll
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] USER32.dll!DialogBoxParamW 766E10B0 5 Bytes JMP 6C92189B C:\Windows\system32\IEFRAME.dll
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] USER32.dll!DialogBoxIndirectParamW 766E2EF5 5 Bytes JMP 6CB19179 C:\Windows\system32\IEFRAME.dll
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] USER32.dll!DialogBoxParamA 766F8152 5 Bytes JMP 6CB19114 C:\Windows\system32\IEFRAME.dll
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] USER32.dll!DialogBoxIndirectParamA 766F847D 5 Bytes JMP 6CB191DE C:\Windows\system32\IEFRAME.dll
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] USER32.dll!MessageBoxIndirectA 7670D4D9 5 Bytes JMP 6CB1909B C:\Windows\system32\IEFRAME.dll
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] USER32.dll!MessageBoxIndirectW 7670D5D3 5 Bytes JMP 6CB19022 C:\Windows\system32\IEFRAME.dll
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] USER32.dll!MessageBoxExA 7670D639 5 Bytes JMP 6CB18FBE C:\Windows\system32\IEFRAME.dll
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] USER32.dll!MessageBoxExW 7670D65D 5 Bytes JMP 6CB18F57 C:\Windows\system32\IEFRAME.dll
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7185000A
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718B000A
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 718E000A
            .text C:\Program Files\Internet Explorer\iexplore.exe[5268] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 7188000A
            .text C:\Windows\system32\AUDIODG.EXE[5292] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A7001E
            .text C:\Windows\system32\AUDIODG.EXE[5292] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\AUDIODG.EXE[5292] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
            .text C:\Windows\system32\AUDIODG.EXE[5292] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\AUDIODG.EXE[5292] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
            .text C:\Windows\system32\AUDIODG.EXE[5292] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719E001E
            .text C:\Windows\system32\AUDIODG.EXE[5292] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719B001E
            .text C:\Windows\system32\AUDIODG.EXE[5292] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
            .text C:\Windows\system32\AUDIODG.EXE[5292] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7198001E
            .text C:\Windows\system32\AUDIODG.EXE[5292] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7192001E
            .text C:\Windows\system32\AUDIODG.EXE[5292] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7195001E
            .text C:\Windows\system32\AUDIODG.EXE[5292] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7186001E
            .text C:\Windows\system32\AUDIODG.EXE[5292] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718C001E
            .text C:\Windows\system32\AUDIODG.EXE[5292] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 718F001E
            .text C:\Windows\system32\AUDIODG.EXE[5292] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 7189001E
            .text C:\Windows\system32\AUDIODG.EXE[5292] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7183001E
            .text C:\Windows\system32\AUDIODG.EXE[5292] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7180001E
            .text C:\Windows\system32\AUDIODG.EXE[5292] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717D001E
            .text C:\Windows\system32\svchost.exe[5316] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
            .text C:\Windows\system32\svchost.exe[5316] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\svchost.exe[5316] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
            .text C:\Windows\system32\svchost.exe[5316] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\svchost.exe[5316] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
            .text C:\Windows\system32\svchost.exe[5316] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
            .text C:\Windows\system32\svchost.exe[5316] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
            .text C:\Windows\system32\svchost.exe[5316] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
            .text C:\Windows\system32\svchost.exe[5316] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
            .text C:\Windows\system32\svchost.exe[5316] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
            .text C:\Windows\system32\svchost.exe[5316] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
            .text C:\Windows\system32\svchost.exe[5316] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
            .text C:\Windows\system32\svchost.exe[5316] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
            .text C:\Windows\system32\svchost.exe[5316] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
            .text C:\Windows\system32\svchost.exe[5316] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
            .text C:\Windows\system32\svchost.exe[5316] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
            .text C:\Windows\system32\svchost.exe[5316] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
            .text C:\Windows\system32\svchost.exe[5316] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
            .text C:\Windows\system32\svchost.exe[5324] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
            .text C:\Windows\system32\svchost.exe[5324] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Windows\system32\svchost.exe[5324] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\svchost.exe[5324] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
            .text C:\Windows\system32\svchost.exe[5324] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\svchost.exe[5324] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
            .text C:\Windows\system32\svchost.exe[5324] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Windows\system32\svchost.exe[5324] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Windows\system32\svchost.exe[5324] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
            .text C:\Windows\system32\svchost.exe[5324] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
            .text C:\Windows\system32\svchost.exe[5324] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
            .text C:\Windows\system32\svchost.exe[5324] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
            .text C:\Windows\system32\svchost.exe[5324] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
            .text C:\Windows\system32\svchost.exe[5324] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
            .text C:\Windows\system32\svchost.exe[5324] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
            .text C:\Windows\system32\svchost.exe[5324] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
            .text C:\Windows\system32\svchost.exe[5324] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
            .text C:\Windows\system32\svchost.exe[5324] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
            .text C:\Windows\system32\svchost.exe[5324] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
            .text C:\Windows\system32\svchost.exe[5324] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
            .text C:\Windows\system32\svchost.exe[5324] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
            .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5432] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
            .text C:\Windows\system32\nvvsvc.exe[5448] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
            .text C:\Windows\system32\nvvsvc.exe[5448] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\nvvsvc.exe[5448] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
            .text C:\Windows\system32\nvvsvc.exe[5448] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\nvvsvc.exe[5448] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
            .text C:\Windows\system32\nvvsvc.exe[5448] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
            .text C:\Windows\system32\nvvsvc.exe[5448] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
            .text C:\Windows\system32\nvvsvc.exe[5448] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
            .text C:\Windows\system32\nvvsvc.exe[5448] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
            .text C:\Windows\system32\nvvsvc.exe[5448] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
            .text C:\Windows\system32\nvvsvc.exe[5448] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
            .text C:\Windows\system32\nvvsvc.exe[5448] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
            .text C:\Windows\system32\nvvsvc.exe[5448] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
            .text C:\Windows\system32\nvvsvc.exe[5448] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
            .text C:\Windows\system32\nvvsvc.exe[5448] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
            .text C:\Windows\system32\nvvsvc.exe[5448] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
            .text C:\Windows\system32\nvvsvc.exe[5448] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
            .text C:\Windows\system32\nvvsvc.exe[5448] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
            .text C:\Windows\system32\svchost.exe[5472] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
            .text C:\Windows\system32\svchost.exe[5472] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\svchost.exe[5472] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
            .text C:\Windows\system32\svchost.exe[5472] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\svchost.exe[5472] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
            .text C:\Windows\system32\svchost.exe[5472] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
            .text C:\Windows\system32\svchost.exe[5472] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
            .text C:\Windows\system32\svchost.exe[5472] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
            .text C:\Windows\system32\svchost.exe[5472] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
            .text C:\Windows\system32\svchost.exe[5472] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
            .text C:\Windows\system32\svchost.exe[5472] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
            .text C:\Windows\system32\svchost.exe[5472] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
            .text C:\Windows\system32\svchost.exe[5472] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
            .text C:\Windows\system32\svchost.exe[5472] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
            .text C:\Windows\system32\svchost.exe[5472] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
            .text C:\Windows\system32\svchost.exe[5472] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
            .text C:\Windows\system32\svchost.exe[5472] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
            .text C:\Windows\system32\svchost.exe[5472] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
            .text C:\Program Files\HitmanPro.Alert\hmpalert.exe[5600] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
            .text C:\Windows\System32\spoolsv.exe[5980] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
            .text C:\Windows\System32\spoolsv.exe[5980] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Windows\System32\spoolsv.exe[5980] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
            .text C:\Windows\System32\spoolsv.exe[5980] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [7A, 71] {JP 0x73}
            .text C:\Windows\System32\spoolsv.exe[5980] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
            .text C:\Windows\System32\spoolsv.exe[5980] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
            .text C:\Windows\System32\spoolsv.exe[5980] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Windows\System32\spoolsv.exe[5980] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Windows\System32\spoolsv.exe[5980] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
            .text C:\Windows\System32\spoolsv.exe[5980] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
            .text C:\Windows\System32\spoolsv.exe[5980] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
            .text C:\Windows\System32\spoolsv.exe[5980] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
            .text C:\Windows\System32\spoolsv.exe[5980] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
            .text C:\Windows\System32\spoolsv.exe[5980] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
            .text C:\Windows\System32\spoolsv.exe[5980] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7184000A
            .text C:\Windows\System32\spoolsv.exe[5980] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 7181000A
            .text C:\Windows\System32\spoolsv.exe[5980] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717E000A
            .text C:\Windows\System32\spoolsv.exe[5980] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7187000A
            .text C:\Windows\System32\spoolsv.exe[5980] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718D000A
            .text C:\Windows\System32\spoolsv.exe[5980] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 7190000A
            .text C:\Windows\System32\spoolsv.exe[5980] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 718A000A
            .text C:\Windows\system32\svchost.exe[6024] ntdll.dll!LdrUnloadDll 7713B680 6 Bytes JMP 71A8000A
            .text C:\Windows\system32\svchost.exe[6024] ntdll.dll!NtAllocateVirtualMemory 77163FC4 5 Bytes JMP 7261F6F0 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Windows\system32\svchost.exe[6024] ntdll.dll!NtAlpcSendWaitReceivePort 77164104 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\svchost.exe[6024] ntdll.dll!NtAlpcSendWaitReceivePort + 4 77164108 2 Bytes [77, 71] {JA 0x73}
            .text C:\Windows\system32\svchost.exe[6024] ntdll.dll!NtClose 771641A4 3 Bytes [FF, 25, 1E]
            .text C:\Windows\system32\svchost.exe[6024] ntdll.dll!NtClose + 4 771641A8 2 Bytes [AE, 71]
            .text C:\Windows\system32\svchost.exe[6024] ntdll.dll!NtFreeVirtualMemory 771647D4 5 Bytes JMP 7261F830 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Windows\system32\svchost.exe[6024] ntdll.dll!NtProtectVirtualMemory 77164BC4 5 Bytes JMP 7261F750 C:\WINDOWS\system32\hmpalert.dll
            .text C:\Windows\system32\svchost.exe[6024] kernel32.dll!CreateProcessW 759C1BF3 6 Bytes JMP 719F000A
            .text C:\Windows\system32\svchost.exe[6024] kernel32.dll!CreateProcessA 759C1C28 6 Bytes JMP 719C000A
            .text C:\Windows\system32\svchost.exe[6024] kernel32.dll!LoadLibraryExW + 173 759E93DF 4 Bytes JMP 71AC000A
            .text C:\Windows\system32\svchost.exe[6024] ADVAPI32.dll!CreateProcessAsUserA 757CCEB9 6 Bytes JMP 7199000A
            .text C:\Windows\system32\svchost.exe[6024] ADVAPI32.dll!CreateProcessAsUserW 757E1EE9 6 Bytes JMP 7193000A
            .text C:\Windows\system32\svchost.exe[6024] ADVAPI32.dll!CreateProcessWithLogonW 758280C1 6 Bytes JMP 7196000A
            .text C:\Windows\system32\svchost.exe[6024] RPCRT4.dll!RpcServerRegisterIfEx 75907A2C 6 Bytes JMP 7190000A
            .text C:\Windows\system32\svchost.exe[6024] USER32.dll!SetWindowsHookExA 766B6322 6 Bytes JMP 7181000A
            .text C:\Windows\system32\svchost.exe[6024] USER32.dll!SetWindowsHookExW 766B87AD 6 Bytes JMP 717E000A
            .text C:\Windows\system32\svchost.exe[6024] USER32.dll!SetWinEventHook 766B9F3A 6 Bytes JMP 717B000A
            .text C:\Windows\system32\svchost.exe[6024] GDI32.dll!DeleteDC 766668CD 6 Bytes JMP 7184000A
            .text C:\Windows\system32\svchost.exe[6024] GDI32.dll!CreateDCW 7666A91D 6 Bytes JMP 718A000A
            .text C:\Windows\system32\svchost.exe[6024] GDI32.dll!CreateDCA 7666AA49 6 Bytes JMP 718D000A
            .text C:\Windows\system32\svchost.exe[6024] GDI32.dll!GetPixel 7666BE90 6 Bytes JMP 7187000A

            ---- User IAT/EAT - GMER 2.1 ----

            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73B37817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73B7B4F1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73B3BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73B2F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73B375E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73B2E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73B673F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73B3DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73B2FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73B2FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73B271CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73BBCB00] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73B5C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73B2D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73B26853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73B2687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
            IAT C:\Windows\Explorer.EXE[3652] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73B32AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll

            ---- Disk sectors - GMER 2.1 ----

            Disk \Device\Harddisk0\DR0



            • #7
              Download Zoek.zip to the desktop.
              1. If Internet Explorer or another browser or virus scanner reports that this file is unsafe, you can ignore it; this is a false warning.
              2. Disable your antivirus and antispyware programs, as they may conflict with zoek.exe (here and here you can read how to do that).

              • Right-click Zoek.zip and click the option "Extract All".
              • Then double-click Zoek.exe to start the tool.
              • Windows Vista, 7 and 8 users must run the tool as "administrator" by right-clicking it and choosing Run as Administrator.
              • Now copy the code below and paste it into the large input box:
              • Note: This script is intended specifically for this PC, so do not use it on other PCs with a similar problem.
                Code:
                chromelook;
                firefoxlook;
                filesrcm;
                autoclean; 
                iedefaults; 
                nudr.dat;z 
                [HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers];e
                torpigcheck;
              • Now click the "Run script" button.
              • Now wait patiently until a log opens (this may be after a restart if one is required).
              • If no log appears after the restart, start zoek.exe again and the log will then appear.
              • Post the opened log in your next message as an attachment.

              Starting Windows 10 in Safe Mode



              • #8
                Zoek.exe Version 4.0.0.4 Updated 07-October-2013
                Tool run by Ingrid on ma 07-10-2013 at 21:13:19,74.
                Microsoft® Windows Vista™ Home Basic 6.0.6002 Service Pack 2 x86
                Running in: Normal Mode Internet Access Detected
                Launched: C:\Users\Ingrid\Desktop\zoek\zoek.exe [Script inserted]

                ==== System Restore Info ======================

                7-10-2013 21:16:18 Zoek.exe System Restore Point Created Succesfully.

                ==== Torpig Check ======================

                HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers\FileSystem {217FC9C0-3AEA-1069-A2DB-08002B30309D} unknown path
                HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers\Sharing {40dd6e20-7c17-11ce-a804-00aa003ca9f6} unknown path


                ==== Deleting CLSID Registry Keys ======================

                HKEY_USERS\S-1-5-21-2793848604-3341979812-2886411711-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24D817B5-FCA3-49F0-B010-F12FD9909A2D} deleted successfully
                HKEY_USERS\S-1-5-21-2793848604-3341979812-2886411711-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DDFC8F1E-00B7-4FCF-AA26-9A84D4C9DAA5} deleted successfully
                HKEY_USERS\S-1-5-21-2793848604-3341979812-2886411711-1000\Software\Microsoft\Internet Explorer\SearchScopes\{EE7EA1A8-FA23-43D2-B19A-837487D848A3} deleted successfully

                ==== Deleting CLSID Registry Values ======================


                ==== Deleting Services ======================


                ==== Deleting Files \ Folders ======================

                "C:\search.sqlite" deleted
                "C:\prefs.js" deleted
                "C:\Users\Ingrid\AppData\Roaming\Ditto" deleted
                "C:\Users\Ingrid\AppData\Roaming\Webroot" deleted
                "C:\Windows\system32\appdata" deleted
                "C:\Windows\system32\config\systemprofile\AppData\LocalLow\Application Updater" deleted

                ==== Folders Found ======================


                ==== Files Found ======================


                ==== Registry Exports ======================

                [HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers]

                [HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers\FileSystem]
                @="{217FC9C0-3AEA-1069-A2DB-08002B30309D}"

                [HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers\Sharing]
                @="{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"


                ==== Files Recently Created / Modified ======================

                ====== C:\Windows ====
                ====== C:\Users\Ingrid\AppData\Local\Temp ====
                ====== Java Cache =====
                ====== C:\Windows\system32 =====
                ====== C:\Windows\system32\drivers =====
                2013-09-25 03:33:10 396E27AB3A1162AFDCD3DC535155B202 2516 ----a-w- C:\Windows\System32\drivers\fvstore.dat
                2013-09-19 12:37:19 28FD18F05C1D8BBB03D54581F4DA21DB 1474832 ----a-w- C:\Windows\System32\drivers\sfi.dat
                ====== C:\Windows\Tasks ======
                2013-09-19 12:41:19 -------- d-----w- C:\Windows\system32\Tasks\COMODO
                ====== C:\Windows\Temp ======
                ======= C:\Program Files =====
                2013-09-19 12:24:52 -------- d-----w- C:\Program Files\Comodo
                2013-09-12 09:31:33 -------- d-----w- C:\Program Files\Common Files\Java
                2013-09-11 15:38:02 -------- d-----w- C:\Program Files\Common Files\Java(0)
                ======= C: =====
                ====== C:\Users\Ingrid\AppData\Roaming ======
                2013-09-19 12:31:47 -------- d-----w- C:\Windows\system32\config\systemprofile\AppData\Local\Comodo
                2013-09-19 12:27:17 -------- d-----w- C:\Windows\system32\config\systemprofile\AppData\Locallow\COMODO
                2013-09-19 12:25:25 -------- d-----w- C:\Users\Ingrid\AppData\Local\Comodo
                2013-09-19 12:25:13 -------- d-----w- C:\Users\Ingrid\AppData\Locallow\COMODO
                ====== C:\Users\Ingrid ======
                2013-10-07 14:06:41 60BF4AE8CC40B0E3E28613657ED2EED8 377856 ----a-w- C:\Users\Ingrid\Desktop\zp1vdp66.exe
                2013-10-07 13:43:36 8B968045D75783A09592C3105F2865DA 688992 ------r- C:\Users\Ingrid\Desktop\dds.com
                2013-10-07 13:19:47 D41D8CD98F00B204E9800998ECF8427E 0 ----a-w- C:\Users\Ingrid\defogger_reenable
                2013-10-07 13:18:47 9146F21288AB749C4C729343F5F285A1 50477 ----a-w- C:\Users\Ingrid\Desktop\Defogger.exe
                2013-10-05 04:12:15 -------- d-s---w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice 4.0.1
                2013-09-19 12:31:44 -------- d-s---w- C:\ProgramData\Shared Space
                2013-09-19 12:27:11 -------- d-----w- C:\ProgramData\COMODO
                2013-09-19 12:25:33 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Comodo
                2013-09-19 12:24:39 -------- d-----w- C:\ProgramData\Comodo Downloader
                2013-09-12 09:12:29 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
                2013-09-11 15:38:09 -------- d-----w- C:\ProgramData\Oracle

                ====== C: exe-files ==
                2013-10-07 14:06:41 60BF4AE8CC40B0E3E28613657ED2EED8 377856 ----a-w- C:\Users\Ingrid\Desktop\zp1vdp66.exe
                2013-10-07 13:18:47 9146F21288AB749C4C729343F5F285A1 50477 ----a-w- C:\Users\Ingrid\Desktop\Defogger.exe
                2013-10-02 14:10:18 E697AF226694FCAA74E94E790E8FA3EE 469072 ----a-w- C:\Users\Ingrid\AppData\Roaming\Real\Update\temp\~Upg6\rnupgagent.exe
                === C: other files ==
                2013-10-07 13:43:36 8B968045D75783A09592C3105F2865DA 688992 ------r- C:\Users\Ingrid\Desktop\dds.com

                ==== Folders in C:\ProgramData 0-6 Months Old ======================

                2013-06-11 07:20:19 -------- d-sh--w- C:\ProgramData\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
                2013-07-31 05:54:17 -------- d-----w- C:\ProgramData\WindowsSearch
                2013-07-31 08:49:35 -------- d---a-w- C:\ProgramData\TEMP
                2013-08-09 09:48:37 -------- d-----w- C:\ProgramData\Mozilla
                2013-08-16 11:40:22 -------- d-----w- C:\ProgramData\QFX Software
                2013-09-11 15:38:09 -------- d-----w- C:\ProgramData\Oracle
                2013-09-19 12:24:39 -------- d-----w- C:\ProgramData\Comodo Downloader
                2013-09-19 12:27:11 -------- d-----w- C:\ProgramData\COMODO
                2013-09-19 12:31:44 -------- d-s---w- C:\ProgramData\Shared Space
                2013-10-07 09:34:58 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)

                ==== Chrome Look ======================

                HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
                aacbndibbcpajfgnkdkaakeiojmmgmnk - No path found
                hbcennhacfaagdopikcegfcobcadeocj - No path found
                icdlfehblmklkikfigmjhbmmpmkmpooj - No path found
                idhngdhcfkoamngbedgpaokgjbnpdiji - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx[06-03-2013 03:26]
                jpihmmhdcobmllpcnpfbhnipmhamldje - No path found
                mhkaekfpcppmmioggniknbnbdbcigpkk - No path found
                nfengeggddojhakldhlpjdlddgkkjkdd - C:\Program Files\IObit\Advanced SystemCare 6\BrowerProtect\ASC_GhromePluginFor6.crx[22-04-2013 19:02]
                pfndaklgolladniicklehhancnlgocpp - No path found

                ==== Set IE to Default ======================

                Old Values:
                [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
                "Start Page"="http://www.nu.nl/"
                [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
                "Start Page"="http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NL_NL&c=71&bd=Presario&pf=desktop"
                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
                "DefaultScope"="{DDFC8F1E-00B7-4FCF-AA26-9A84D4C9DAA5}"
                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DDFC8F1E-00B7-4FCF-AA26-9A84D4C9DAA5}] not found

                New Values:
                [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
                "Start Page"="http://www.nu.nl/"
                [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
                "Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
                "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

                ==== All HKCU SearchScopes ======================

                HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
                {05E5AB91-99D9-46D8-B74A-C0C942449E9D} Startpage HTTPS - Nederlands Url="https://startpage.com/do/metasearch.pl?query={searchTerms}&cat=web&pl=ie&language=nederlands"
                {0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
                {6A1806CD-94D4-4689-BA73-E35EA1EA9990} Google Url="http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}"
                {D8761509-D5AF-4351-9DF2-98E109559E2E} Ixquick - Nederlands Url="http://ixquick.com/do/metasearch.pl?query={searchTerms}&cat=web&pl=ie&language=nederlands"

                ==== Deleting Registry Keys ======================

                HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\aacbndibbcpajfgnkdkaakeiojmmgmnk deleted successfully
                HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\hbcennhacfaagdopikcegfcobcadeocj deleted successfully
                HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\icdlfehblmklkikfigmjhbmmpmkmpooj deleted successfully
                HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\jpihmmhdcobmllpcnpfbhnipmhamldje deleted successfully
                HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk deleted successfully
                HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\pfndaklgolladniicklehhancnlgocpp deleted successfully
                HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AshSnap deleted successfully
                HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Doctor deleted successfully
                HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EMET Notifier deleted successfully

                ==== Empty IE Cache ======================

                C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
                C:\Users\Ingrid\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low(28)\Content.IE5 emptied successfully
                C:\Users\Ingrid\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low(690)\Content.IE5 emptied successfully
                C:\Users\Ingrid\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low(8)\Content.IE5 emptied successfully
                C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
                C:\Users\Ingrid\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
                C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
                C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

                ==== Empty FireFox Cache ======================

                No FireFox Profiles found

                ==== Empty Chrome Cache ======================

                No Chrome User Data found

                ==== Empty All Flash Cache ======================

                Flash Cache Emptied Successfully

                ==== Empty All Java Cache ======================

                Java Cache cleared successfully

                ==== After Reboot ======================

                ==== Empty Temp Folders ======================

                C:\Windows\Temp successfully emptied
                C:\Users\Ingrid\AppData\Local\Temp successfully emptied

                ==== Empty Recycle Bin ======================

                C:\$RECYCLE.BIN successfully emptied

                ==== Deleting Files / Folders ======================

                "C:\Users\Ingrid\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted
                "C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted
                "C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted

                ==== EOF on ma 07-10-2013 at 22:11:08,30 ======================



                • #9
                  I suspect it will go better now?




                  • #10
                    Hi,

                    No, not really. Still 'not responding' very regularly.
                    And with YouTube videos the sound has disappeared (everywhere else the sound is fine, which is strange again)

                    But all traces of that malware are gone now?



                    • #11
                      Download ComboFix from one of the locations below to the desktop.
                      Bleeping Computer
                      Info Spyware

                      Disable your antivirus and antispyware programs; they may conflict with ComboFix.exe
                      (here or here) you can read how to disable the security software you use.
                      - Double-click "ComboFix" to start the tool; Windows Vista, 7 & 8 users will get a UAC (User Account Control) prompt, click Yes here.
                      - On a Windows XP computer, ComboFix will install the "Recovery Console" if it is not already present. (An active internet connection is then required.)
                      - In the 'Installing the Recovery Console' window, click "Ok".




                      • #12
                        Here is the ComboFix log:

                        ComboFix 13-10-08.01 - Ingrid 08-10-2013 15:45:40.2.2 - x86
                        Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.31.1043.18.894.193 [GMT 2:00]
                        Gestart vanuit: c:\users\Ingrid\Desktop\ComboFix.exe
                        AV: COMODO Antivirus *Disabled/Updated* {B74CC7D2-B407-E1DC-1033-DD315BCDC8C8}
                        SP: COMODO Antivirus *Disabled/Updated* {0C2D2636-923D-EE52-2A83-E643204A8275}
                        SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
                        .
                        .
                        (((((((((((((((((((( Bestanden Gemaakt van 2013-09-08 to 2013-10-08 ))))))))))))))))))))))))))))))
                        .
                        .
                        2013-10-08 14:41 . 2013-10-08 14:41 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
                        2013-10-08 14:41 . 2013-10-08 14:41 -------- d-----w- c:\users\Default\AppData\Local\temp
                        2013-10-07 09:34 . 2013-10-07 10:11 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
                        2013-10-06 04:21 . 2013-10-07 07:23 -------- d-----w- C:\AdwCleaner
                        2013-09-25 03:33 . 2013-09-25 03:48 2516 ----a-w- c:\windows\system32\drivers\fvstore.dat
                        2013-09-19 13:17 . 2013-09-19 13:17 -------- d-----w- C:\VTRoot
                        2013-09-19 12:37 . 2013-10-08 14:39 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
                        2013-09-19 12:31 . 2013-09-19 12:32 -------- d-s---w- c:\programdata\Shared Space
                        2013-09-19 12:29 . 2013-09-19 12:29 1700352 ----a-w- c:\windows\system32\gdiplus.dll
                        2013-09-19 12:27 . 2013-09-19 12:40 -------- d-----w- c:\programdata\COMODO
                        2013-09-19 12:25 . 2013-09-19 12:25 -------- d-----w- c:\users\Ingrid\AppData\Local\Comodo
                        2013-09-19 12:25 . 2013-09-19 12:25 47368 ----a-w- c:\windows\system32\certsentry.dll
                        2013-09-19 12:24 . 2013-09-19 13:37 -------- d-----w- c:\program files\Comodo
                        2013-09-19 12:24 . 2013-09-19 12:24 -------- d-----w- c:\programdata\Comodo Downloader
                        2013-09-17 16:01 . 2013-09-05 05:02 7328304 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E93E8D26-323C-48B4-861F-20660719967C}\mpengine.dll
                        2013-09-13 03:02 . 2013-07-16 04:35 615936 ----a-w- c:\windows\system32\themeui.dll
                        2013-09-13 03:02 . 2013-08-08 01:45 2049536 ----a-w- c:\windows\system32\win32k.sys
                        2013-09-12 09:31 . 2013-09-12 09:31 -------- d-----w- c:\program files\Common Files\Java
                        2013-09-12 09:11 . 2013-09-12 09:12 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
                        2013-09-11 15:38 . 2013-09-12 09:31 -------- d-----w- c:\programdata\Oracle
                        .
                        .
                        .
                        ((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        2013-09-24 10:54 . 2013-06-18 14:16 85464 ----a-w- c:\windows\system32\drivers\inspect.sys
                        2013-09-24 10:54 . 2013-06-18 14:15 43728 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
                        2013-09-24 10:54 . 2013-07-08 19:59 584496 ----a-w- c:\windows\system32\drivers\cmdguard.sys
                        2013-09-24 10:54 . 2013-06-18 14:15 20072 ----a-w- c:\windows\system32\drivers\cmderd.sys
                        2013-09-24 10:53 . 2013-06-18 14:15 36000 ----a-w- c:\windows\system32\cmdcsr.dll
                        2013-09-24 10:53 . 2013-06-18 14:15 354240 ----a-w- c:\windows\system32\guard32.dll
                        2013-09-24 10:53 . 2013-06-18 14:15 280792 ----a-w- c:\windows\system32\cmdvrt32.dll
                        2013-09-24 10:53 . 2013-06-18 14:15 40664 ----a-w- c:\windows\system32\cmdkbd32.dll
                        2013-09-19 16:35 . 2012-03-28 15:14 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
                        2013-09-19 16:35 . 2011-05-14 07:40 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
                        2013-09-12 09:12 . 2012-05-05 09:15 868264 ----a-w- c:\windows\system32\npdeployJava1.dll
                        2013-09-12 09:12 . 2010-04-15 17:07 790440 ----a-w- c:\windows\system32\deployJava1.dll
                        2013-08-07 19:47 . 2013-07-06 05:03 564312 ----a-w- c:\windows\system32\hmpalert.dll
                        2013-08-07 19:47 . 2013-07-06 05:03 14376 ----a-w- c:\windows\system32\drivers\hmpalert.sys
                        2013-08-07 02:22 . 2009-10-01 14:59 238872 ------w- c:\windows\system32\MpSigStub.exe
                        2013-08-02 04:09 . 2013-08-27 22:23 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
                        2013-07-17 19:41 . 2013-08-14 06:17 2048 ----a-w- c:\windows\system32\tzres.dll
                        .
                        .
                        ((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        .
                        *Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
                        REGEDIT4
                        .
                        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-21 39408]
                        .
                        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                        "EMET Agent"="c:\program files\EMET 4.0\EMET_agent.exe" [2013-06-14 78496]
                        "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-09-24 1576152]
                        "TkBellExe"="c:\program files\Real\realplayer\update\realsched.exe" [2013-03-29 295512]
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                        "EnableUIADesktopToggle"= 0 (0x0)
                        .
                        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                        "aux"=wdmaud.drv
                        .
                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
                        @=""
                        .
                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
                        @=""
                        .
                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
                        @=""
                        .
                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
                        @=""
                        .
                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
                        @=""
                        .
                        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
                        @="Service"
                        .
                        [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
                        backup=c:\windows\pss\Secunia PSI Tray.lnk.CommonStartup
                        backupExtension=.CommonStartup
                        .
                        [HKLM\~\startupfolder\C:^Users^Ingrid^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
                        backup=c:\windows\pss\Adobe Gamma.lnk.Startup
                        backupExtension=.Startup
                        .
                        [HKLM\~\startupfolder\C:^Users^Ingrid^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3 .lnk]
                        backup=c:\windows\pss\OpenOffice.org 3.3 .lnk.Startup
                        backupExtension=.Startup
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
                        2013-10-01 10:57 4329408 ----a-w- c:\program files\Emsisoft Anti-Malware\a2guard.exe
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 6]
                        2013-04-18 18:38 491840 ----a-w- c:\program files\IObit\Advanced SystemCare 6\ASCTray.exe
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
                        2010-09-08 19:30 472432 ----a-w- c:\program files\DellTPad\Apoint.exe
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
                        2006-09-28 13:42 65536 ----a-w- c:\hp\support\hpsysdrv.exe
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
                        2005-02-16 16:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
                        2013-04-04 12:50 532040 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDVCPL]
                        2012-09-28 14:14 11672208 ----a-w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
                        2013-07-02 07:16 254336 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
                        2013-08-16 04:29 5703920 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
                        2011-01-21 13:27 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
                        2013-03-29 04:45 295512 ----a-w- c:\program files\Real\realplayer\Update\realsched.exe
                        .
                        [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
                        "SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
                        "ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.EXE -startup
                        "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
                        "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
                        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
                        "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
                        "DPService"="c:\program files\HP\DVDPlay\DPService.exe"
                        "PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe"
                        "TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" -osboot
                        .
                        R3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2013-09-01 57944]
                        S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [2013-03-28 22056]
                        S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2012-07-11 116608]
                        S2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2013-10-01 4153784]
                        S2 AdvancedSystemCareService6;Advanced SystemCare Service 6;c:\program files\IObit\Advanced SystemCare 6\ASCService.exe [2013-04-18 574272]
                        .
                        .
                        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                        LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
                        LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
                        bdx REG_MULTI_SZ scan sysagent
                        .
                        Inhoud van de 'Gedeelde Taken' map
                        .
                        2013-10-08 c:\windows\Tasks\Adobe Flash Player Updater.job
                        - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 16:35]
                        .
                        2013-07-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                        - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-11 02:08]
                        .
                        .
                        ------- Bijkomende Scan -------
                        .
                        uStart Page = hxxp://www.nu.nl/
                        IE: Google Sidewiki...
                        TCP: DhcpNameServer = 192.168.1.254
                        .
                        - - - - ORPHANS VERWIJDERD - - - -
                        .
                        SafeBoot-CleanHlp
                        SafeBoot-CleanHlp.sys
                        SafeBoot-WudfPf
                        SafeBoot-WudfRd
                        .
                        .
                        .
                        **************************************************************************
                        .
                        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                        Rootkit scan 2013-10-08 16:44
                        Windows 6.0.6002 Service Pack 2 NTFS
                        .
                        detected NTDLL code modification:
                        ZwClose
                        .
                        scannen van verborgen processen ...
                        .
                        scannen van verborgen autostart items ...
                        .
                        scannen van verborgen bestanden ...
                        .
                        Scan succesvol afgerond
                        verborgen bestanden: 0
                        .
                        **************************************************************************
                        .
                        --------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
                        .
                        [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
                        @Denied: (2) (LocalSystem)
                        "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
                        d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,02,c4,c3,cd,70,f8,e3,4a,99,69,ec,\
                        "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
                        d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,02,c4,c3,cd,70,f8,e3,4a,99,69,ec,\
                        .
                        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
                        @Denied: (A 2) (Everyone)
                        @="FlashBroker"
                        "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe ,-101"
                        .
                        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
                        "Enabled"=dword:00000001
                        .
                        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
                        @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
                        .
                        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
                        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                        .
                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
                        @Denied: (A 2) (Everyone)
                        @="IFlashBroker5"
                        .
                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
                        @="{00020424-0000-0000-C000-000000000046}"
                        .
                        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
                        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                        "Version"="1.0"
                        .
                        --------------------- DLLs Geladen Onder Lopende Processen ---------------------
                        .
                        - - - - - - - > 'lsass.exe'(5128)
                        c:\windows\system32\guard32.dll
                        .
                        - - - - - - - > 'Explorer.exe'(25676)
                        c:\windows\system32\guard32.dll
                        c:\windows\System32\fwpuclnt.dll
                        .
                        Voltooingstijd: 2013-10-08 17:07:08
                        ComboFix-quarantined-files.txt 2013-10-08 15:06
                        .
                        Pre-Run: 251.203.452.928 bytes beschikbaar
                        Post-Run: 250.586.525.696 bytes beschikbaar
                        .
                        - - End Of File - - 7FA330C7871C2B9CCB641041AFD6B832
                        8913823FF508CCF109DB74B636C301DA



                        • #13
                          Maybe you should reinstall your Flash Player.




                          • #14
                            I have reinstalled Flash Player.
                            And the sound on YouTube works again!



                            • #15
                              Very good, any other problems?
