GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-10 16:43:32
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3500320AS rev.SD1A
Running: mpmvmu9e.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcess [0xB82BACC6]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcessEx [0xB82BACE0]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateThread [0xB82B9E7C]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwLoadDriver [0xB82BA1AC]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwMapViewOfSection [0xB82B9BBC]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwOpenSection [0xB82BA5DE]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwRenameKey [0xB82BB87C]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSetSystemInformation [0xB82BA42E]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendProcess [0xB82B9A3C]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendThread [0xB82B9EB0]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSystemDebugControl [0xB82BA032]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateProcess [0xB82B9996]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateThread [0xB82B9AF6]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwWriteVirtualMemory [0xB82B9F76]

Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice
Code \??\C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [3C, 9A, 2B, B8, B0, 9E, 2B, ...]
PAGE ntkrnlpa.exe!IoCreateDevice 80575912 3 Bytes JMP B7E2CFFA fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGE ntkrnlpa.exe!IoCreateDevice + 4 80575916 1 Byte [37]
PAGENPNP NDIS.SYS!NdisRegisterProtocol B7DFD17F 5 Bytes JMP B7E2CE0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisOpenAdapter B7DFD399 5 Bytes JMP B7E2D394 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisCloseAdapter B7E07642 5 Bytes JMP B7E2CF18 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisDeregisterProtocol B7E07821 5 Bytes JMP B7E2D1B0 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisReturnPackets B7E0A810 5 Bytes JMP B7E2DC0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisRequest B7E0A97B 5 Bytes JMP B7E2D5AC fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSend B7E0D986 5 Bytes JMP B7E2E58C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSendPackets B7E0D9A3 5 Bytes JMP B7E2E65E fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisTransferData B7E0D9BE 5 Bytes JMP B7E2DD0A fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoCreateVc B7E14186 5 Bytes JMP B7E2CE76 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoDeleteVc B7E15557 5 Bytes JMP B7E2CEE4 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoSendPackets B7E15AF1 5 Bytes JMP B7E2E376 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB69943A0, 0x83C195, 0xE8000020]
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\catchme.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[848] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02BC000C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[848] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 02BC100C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02BC200C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[848] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 02BC300C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[848] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 02BC700C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[848] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 02BC500C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[848] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 02BC600C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[848] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 02BC800C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[848] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 02BC400C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[848] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 02BCA00C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[848] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 02BC900C
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1392] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006B000C
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1392] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 006B100C
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1392] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006B200C
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1392] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 006B300C
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1392] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 006B700C
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1392] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 006B500C
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1392] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 006B600C
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1392] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 006B800C
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1392] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 006B400C
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1392] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 006BA00C
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1392] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 006B900C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1472] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006D000C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1472] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 006D100C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1472] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006D200C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1472] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 006D300C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1472] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 006D700C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1472] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 006D500C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1472] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 006D600C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1472] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 006D800C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1472] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 006D400C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1472] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 006D900C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D3000C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00D3100C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D3200C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00D3300C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00D3700C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00D3500C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00D3600C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00D3800C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00D3400C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00D3A00C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2264] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 00D3900C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3632] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0063000C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3632] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0063100C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0063200C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3632] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0063300C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3632] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0063700C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3632] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0063500C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3632] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0063600C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3632] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0063800C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3632] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0063400C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3632] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0063900C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2200] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B5000C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2200] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00B5100C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2200] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B5200C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2200] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00B5300C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2200] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00B5700C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2200] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00B5500C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2200] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00B5600C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2200] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00B5800C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2200] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00B5400C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2200] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00B5A00C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[2200] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 00B5900C
.text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1196] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 003F000C
.text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1196] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 003F100C
.text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1196] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 003F200C
.text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1196] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 003F300C
.text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1196] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 003F700C
.text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1196] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 003F500C
.text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1196] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 003F600C
.text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1196] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003F800C
.text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1196] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F400C
.text C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe[1196] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 003F900C
.text C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe[296] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0096000C
.text C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe[296] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0096100C
.text C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe[296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0096200C
.text C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe[296] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0096300C
.text C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe[296] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0096700C
.text C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe[296] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0096500C
.text C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe[296] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0096600C
.text C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe[296] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0096800C
.text C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe[296] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0096400C
.text C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe[296] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0096A00C
.text C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe[296] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 0096900C
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ED1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EEB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3832] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ED1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EEB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ED1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EEB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[5192] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Hamachi\hamachi.exe[596] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0115000C
.text C:\Program Files\Hamachi\hamachi.exe[596] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0115100C
.text C:\Program Files\Hamachi\hamachi.exe[596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0115200C
.text C:\Program Files\Hamachi\hamachi.exe[596] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0115300C
.text C:\Program Files\Hamachi\hamachi.exe[596] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0115700C
.text C:\Program Files\Hamachi\hamachi.exe[596] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0115500C
.text C:\Program Files\Hamachi\hamachi.exe[596] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0115600C
.text C:\Program Files\Hamachi\hamachi.exe[596] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0115800C
.text C:\Program Files\Hamachi\hamachi.exe[596] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0115400C
.text C:\Program Files\Hamachi\hamachi.exe[596] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0115A00C
.text C:\Program Files\Hamachi\hamachi.exe[596] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 0115900C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1432] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0224000C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1432] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0224100C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0224200C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1432] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0224300C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1432] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0224700C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1432] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0224500C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1432] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0224600C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1432] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0224800C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1432] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 0224900C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1432] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0224400C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1432] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0224A00C
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[612] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 06C3000C
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[612] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 06C3100C
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[612] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 06C3200C
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[612] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 06C3300C
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[612] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 06C3700C
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[612] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 06C3500C
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[612] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 06C3600C
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[612] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 06C3800C
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[612] USER32.dll!SetWindowsHookExW 7E37820F 3 Bytes JMP 06C3400C
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[612] USER32.dll!SetWindowsHookExW + 4 7E378213 1 Byte [88]
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[612] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 06C3A00C
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[612] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 06C3900C
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1524] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00ED000C
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1524] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00ED100C
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1524] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00ED200C
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1524] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00ED300C
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1524] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1524] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 00ED900C
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1524] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00ED700C
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1524] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00ED500C
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1524] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00ED600C
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1524] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00ED800C
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1524] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00ED400C
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[1524] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00EDA00C
.text C:\WINDOWS\RTHDCPL.EXE[1628] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0624000C
.text C:\WINDOWS\RTHDCPL.EXE[1628] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0624100C
.text C:\WINDOWS\RTHDCPL.EXE[1628] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0624200C
.text C:\WINDOWS\RTHDCPL.EXE[1628] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0624300C
.text C:\WINDOWS\RTHDCPL.EXE[1628] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0624700C
.text C:\WINDOWS\RTHDCPL.EXE[1628] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0624500C
.text C:\WINDOWS\RTHDCPL.EXE[1628] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0624600C
.text C:\WINDOWS\RTHDCPL.EXE[1628] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0624800C
.text C:\WINDOWS\RTHDCPL.EXE[1628] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 0624900C
.text C:\WINDOWS\RTHDCPL.EXE[1628] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0624400C
.text C:\WINDOWS\RTHDCPL.EXE[1628] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0624A00C
.text C:\WINDOWS\system32\lsass.exe[1016] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 027F000C
.text C:\WINDOWS\system32\lsass.exe[1016] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 027F100C
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027F200C
.text C:\WINDOWS\system32\lsass.exe[1016] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 027F300C
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 027F700C
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 027F500C
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 027F600C
.text C:\WINDOWS\system32\lsass.exe[1016] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 027F800C
.text C:\WINDOWS\system32\lsass.exe[1016] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 027F400C
.text C:\WINDOWS\system32\lsass.exe[1016] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 027FA00C
.text C:\WINDOWS\system32\lsass.exe[1016] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 027F900C
.text C:\WINDOWS\system32\nvsvc32.exe[1208] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0098000C
.text C:\WINDOWS\system32\nvsvc32.exe[1208] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0098100C
.text C:\WINDOWS\system32\nvsvc32.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0098200C
.text C:\WINDOWS\system32\nvsvc32.exe[1208] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0098300C
.text C:\WINDOWS\system32\nvsvc32.exe[1208] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0098700C
.text C:\WINDOWS\system32\nvsvc32.exe[1208] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0098500C
.text C:\WINDOWS\system32\nvsvc32.exe[1208] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0098600C
.text C:\WINDOWS\system32\nvsvc32.exe[1208] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0098800C
.text C:\WINDOWS\system32\nvsvc32.exe[1208] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0098400C
.text C:\WINDOWS\system32\nvsvc32.exe[1208] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP
0098A00C .text C:\WINDOWS\system32\nvsvc32.exe[1208] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 0098900C .text C:\WINDOWS\system32\PnkBstrA.exe[1888] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0095000C .text C:\WINDOWS\system32\PnkBstrA.exe[1888] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0095100C .text C:\WINDOWS\system32\PnkBstrA.exe[1888] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0095200C .text C:\WINDOWS\system32\PnkBstrA.exe[1888] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0095300C .text C:\WINDOWS\system32\PnkBstrA.exe[1888] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0095400C .text C:\WINDOWS\system32\PnkBstrA.exe[1888] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0095900C .text C:\WINDOWS\system32\PnkBstrA.exe[1888] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0095700C .text C:\WINDOWS\system32\PnkBstrA.exe[1888] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0095500C .text C:\WINDOWS\system32\PnkBstrA.exe[1888] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0095600C .text C:\WINDOWS\system32\PnkBstrA.exe[1888] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0095800C .text C:\WINDOWS\system32\winlogon.exe[960] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D1000C .text C:\WINDOWS\system32\winlogon.exe[960] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00D1100C .text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D1200C .text C:\WINDOWS\system32\winlogon.exe[960] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 00D1300C .text C:\WINDOWS\system32\winlogon.exe[960] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00D1700C .text C:\WINDOWS\system32\winlogon.exe[960] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00D1500C .text C:\WINDOWS\system32\winlogon.exe[960] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00D1600C .text C:\WINDOWS\system32\winlogon.exe[960] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00D1800C .text C:\WINDOWS\system32\winlogon.exe[960] 
USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00D1400C .text C:\WINDOWS\system32\winlogon.exe[960] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00D1A00C .text C:\WINDOWS\system32\winlogon.exe[960] ole32.dll!CoCreateInstanceEx 774EF154 5 Bytes JMP 00D1900C ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\Google\Chrome\Application\chrome.exe[3832] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002E0010 IAT C:\Program Files\Google\Chrome\Application\chrome.exe[4512] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002E0010 IAT C:\Program Files\Google\Chrome\Application\chrome.exe[5192] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002E0010 ---- Devices - GMER 1.0.15 ---- Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) Device \Driver\Tcpip \Device\IPMULTICAST fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x79 0x56 0x7C 0xCF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC6 0x26 0x44 0x55 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2D 0x0A 0xBC 0xBB ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x79 0x56 0x7C 0xCF ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC6 0x26 0x44 0x55 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2D 0x0A 0xBC 0xBB ... Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ... Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ... Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ... Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ... Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ... Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ... Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ... Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xF8 0x31 0x0F 0xA9 ... Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ... Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\59\Shell@MinPos1024x768(1).x -32000 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\59\Shell@MinPos1024x768(1).y -32000 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\59\Shell@ScrollPos1024x768(1).y 0 ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 65536 bytes ---- EOF - GMER 1.0.15 ----