GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-01 17:48:29
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HD252HJ rev.1AC01113
Running: kwkimo3w.exe; Driver: C:\DOCUME~1\Kris\USTAWI~1\Temp\ffddafod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwClose [0xB46F8160]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateFile [0xB46F7868]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateKey [0xB46F4320]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcess [0xB46F6E90]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateProcessEx [0xB46F6D9C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwCreateThread [0xB46F73FC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteFile [0xB46F8210]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteKey [0xB46F4786]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwDeleteValueKey [0xB46F4846]
SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwLoadDriver [0xB81BA01C]
SSDT \SystemRoot\system32\drivers\sbhips.sys (Sunbelt Personal Firewall Host Intrusion Prevention Driver/Sunbelt Software, Inc.) ZwMapViewOfSection [0xB81BA168]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenFile [0xB46F7B54]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwOpenKey [0xB46F45CA]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwResumeThread [0xB46F74EC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetInformationFile [0xB46F7E8C]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwSetValueKey [0xB46F49BC]
SSDT \SystemRoot\system32\drivers\SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) ZwWriteFile [0xB46F7DE0]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6EC93A0, 0x5FE082, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000301A8
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00030090
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00030694
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000302C0
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00030234
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00030004
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0003011C
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000304F0
.text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0003057C
.text D:\Program Files\Sunbelt Software\Personal
Firewall\SbPFSvc.exe[120] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000303D8 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0003034C .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00030464 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00030608 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000307AC .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00030720 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] WININET.dll!InternetConnectA 63019446 5 Bytes JMP 00030F54 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] WININET.dll!InternetConnectW 6301F4E2 5 Bytes JMP 00030FE0 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00030D24 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00030DB0 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00030E3C .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe[120] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00030EC8 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text D:\Program Files\Sunbelt 
Software\Personal Firewall\SbPFCl.exe[172] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe[172] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text C:\WINDOWS\system32\nvsvc32.exe[248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text C:\WINDOWS\system32\nvsvc32.exe[248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text C:\WINDOWS\system32\nvsvc32.exe[248] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text C:\WINDOWS\system32\nvsvc32.exe[248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text 
C:\WINDOWS\system32\nvsvc32.exe[248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text C:\WINDOWS\system32\nvsvc32.exe[248] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text C:\WINDOWS\system32\nvsvc32.exe[248] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text C:\WINDOWS\system32\nvsvc32.exe[248] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text C:\WINDOWS\system32\nvsvc32.exe[248] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text C:\WINDOWS\system32\nvsvc32.exe[248] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text C:\WINDOWS\system32\nvsvc32.exe[248] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text C:\WINDOWS\system32\nvsvc32.exe[248] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text C:\WINDOWS\system32\nvsvc32.exe[248] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text C:\WINDOWS\system32\nvsvc32.exe[248] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text C:\WINDOWS\system32\nvsvc32.exe[248] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text C:\WINDOWS\system32\nvsvc32.exe[248] WS2_32.dll!socket 71A54211 5 Bytes JMP 001308C4 .text C:\WINDOWS\system32\nvsvc32.exe[248] WS2_32.dll!bind 71A54480 5 Bytes JMP 00130838 .text C:\WINDOWS\system32\nvsvc32.exe[248] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00130950 .text C:\WINDOWS\system32\svchost.exe[328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text C:\WINDOWS\system32\svchost.exe[328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\system32\svchost.exe[328] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\system32\svchost.exe[328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text C:\WINDOWS\system32\svchost.exe[328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\system32\svchost.exe[328] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 
.text C:\WINDOWS\system32\svchost.exe[328] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text C:\WINDOWS\system32\svchost.exe[328] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\system32\svchost.exe[328] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\system32\svchost.exe[328] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\system32\svchost.exe[328] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\system32\svchost.exe[328] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\system32\svchost.exe[328] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\system32\svchost.exe[328] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\system32\svchost.exe[328] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720 .text C:\WINDOWS\system32\svchost.exe[328] WS2_32.dll!socket 71A54211 5 Bytes JMP 000808C4 .text C:\WINDOWS\system32\svchost.exe[328] WS2_32.dll!bind 71A54480 5 Bytes JMP 00080838 .text C:\WINDOWS\system32\svchost.exe[328] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00080950 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text 
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE[472] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 .text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\system32\svchost.exe[532] 
kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\system32\svchost.exe[532] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\system32\svchost.exe[532] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\system32\svchost.exe[532] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720 .text C:\WINDOWS\system32\svchost.exe[532] WS2_32.dll!socket 71A54211 5 Bytes JMP 000808C4 .text C:\WINDOWS\system32\svchost.exe[532] WS2_32.dll!bind 71A54480 5 Bytes JMP 00080838 .text C:\WINDOWS\system32\svchost.exe[532] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00080950 .text C:\WINDOWS\system32\svchost.exe[532] WININET.dll!InternetConnectA 63019446 5 Bytes JMP 00080F54 .text C:\WINDOWS\system32\svchost.exe[532] WININET.dll!InternetConnectW 6301F4E2 5 Bytes JMP 00080FE0 .text C:\WINDOWS\system32\svchost.exe[532] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00080D24 .text C:\WINDOWS\system32\svchost.exe[532] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00080DB0 .text C:\WINDOWS\system32\svchost.exe[532] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00080E3C .text C:\WINDOWS\system32\svchost.exe[532] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00080EC8 .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text 
C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\system32\svchost.exe[720] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\system32\svchost.exe[720] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720 .text C:\WINDOWS\system32\spoolsv.exe[748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text C:\WINDOWS\system32\spoolsv.exe[748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\system32\spoolsv.exe[748] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\system32\spoolsv.exe[748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text C:\WINDOWS\system32\spoolsv.exe[748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\system32\spoolsv.exe[748] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 .text C:\WINDOWS\system32\spoolsv.exe[748] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text C:\WINDOWS\system32\spoolsv.exe[748] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\system32\spoolsv.exe[748] 
kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\system32\spoolsv.exe[748] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\system32\spoolsv.exe[748] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\system32\spoolsv.exe[748] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\system32\spoolsv.exe[748] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\system32\spoolsv.exe[748] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\system32\spoolsv.exe[748] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720 .text C:\WINDOWS\system32\spoolsv.exe[748] WS2_32.dll!socket 71A54211 5 Bytes JMP 000808C4 .text C:\WINDOWS\system32\spoolsv.exe[748] WS2_32.dll!bind 71A54480 5 Bytes JMP 00080838 .text C:\WINDOWS\system32\spoolsv.exe[748] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00080950 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000701A8 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070090 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00070694 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000702C0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070234 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00070004 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0007011C .text c:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSVC.EXE[832] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000704F0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0007057C .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000703D8 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0007034C .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070464 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00070608 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000707AC .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00070720 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] WS2_32.dll!socket 71A54211 5 Bytes JMP 000708C4 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] WS2_32.dll!bind 71A54480 5 Bytes JMP 00070838 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[832] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00070950 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01279720 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text 
D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 014AE21B D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!MapViewOfFile 7C80B995 5 Bytes JMP 014AE1F4 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text D:\Program Files\Mozilla Firefox\firefox.exe[980] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] GDI32.dll!CreateDIBSection 77F19E19 5 Bytes JMP 014AE17E D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text D:\Program Files\Mozilla Firefox\firefox.exe[980] WS2_32.dll!socket 71A54211 5 Bytes JMP 001308C4 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] WS2_32.dll!bind 71A54480 5 Bytes JMP 00130838 .text 
D:\Program Files\Mozilla Firefox\firefox.exe[980] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00130950 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] WININET.dll!InternetConnectA 63019446 5 Bytes JMP 00130F54 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] WININET.dll!InternetConnectW 6301F4E2 5 Bytes JMP 00130FE0 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00130D24 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00130DB0 .text D:\Program Files\Mozilla Firefox\firefox.exe[980] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00130E3C .text D:\Program Files\Mozilla Firefox\firefox.exe[980] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00130EC8 .text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 .text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\Explorer.EXE[1020] kernel32.dll!SetThreadContext 
7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\Explorer.EXE[1020] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\Explorer.EXE[1020] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720 .text C:\WINDOWS\Explorer.EXE[1020] WININET.dll!InternetConnectA 63019446 5 Bytes JMP 00080F54 .text C:\WINDOWS\Explorer.EXE[1020] WININET.dll!InternetConnectW 6301F4E2 5 Bytes JMP 00080FE0 .text C:\WINDOWS\Explorer.EXE[1020] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00080D24 .text C:\WINDOWS\Explorer.EXE[1020] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00080DB0 .text C:\WINDOWS\Explorer.EXE[1020] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00080E3C .text C:\WINDOWS\Explorer.EXE[1020] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00080EC8 .text C:\WINDOWS\Explorer.EXE[1020] WS2_32.dll!socket 71A54211 5 Bytes JMP 000808C4 .text C:\WINDOWS\Explorer.EXE[1020] WS2_32.dll!bind 71A54480 5 Bytes JMP 00080838 .text C:\WINDOWS\Explorer.EXE[1020] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00080950 .text C:\WINDOWS\system32\csrss.exe[1132] KERNEL32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001601A8 .text C:\WINDOWS\system32\csrss.exe[1132] KERNEL32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00160090 .text C:\WINDOWS\system32\csrss.exe[1132] KERNEL32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00160694 .text C:\WINDOWS\system32\csrss.exe[1132] KERNEL32.dll!CreateProcessW 7C802336 5 Bytes JMP 001602C0 .text C:\WINDOWS\system32\csrss.exe[1132] KERNEL32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00160234 .text C:\WINDOWS\system32\csrss.exe[1132] KERNEL32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00160004 .text C:\WINDOWS\system32\csrss.exe[1132] KERNEL32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0016011C .text C:\WINDOWS\system32\csrss.exe[1132] KERNEL32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001604F0 .text C:\WINDOWS\system32\csrss.exe[1132] KERNEL32.dll!CreateThread 7C8106C7 5 Bytes JMP 0016057C .text C:\WINDOWS\system32\csrss.exe[1132] 
KERNEL32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001603D8 .text C:\WINDOWS\system32\csrss.exe[1132] KERNEL32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0016034C .text C:\WINDOWS\system32\csrss.exe[1132] KERNEL32.dll!WinExec 7C8623AD 5 Bytes JMP 00160464 .text C:\WINDOWS\system32\csrss.exe[1132] KERNEL32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00160608 .text C:\WINDOWS\system32\csrss.exe[1132] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001607AC .text C:\WINDOWS\system32\csrss.exe[1132] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00160720 .text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000701A8 .text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070090 .text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00070694 .text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000702C0 .text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070234 .text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00070004 .text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0007011C .text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000704F0 .text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0007057C .text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000703D8 .text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0007034C .text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070464 .text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00070608 .text C:\WINDOWS\system32\winlogon.exe[1156] 
USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000707AC .text C:\WINDOWS\system32\winlogon.exe[1156] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00070720 .text C:\WINDOWS\system32\winlogon.exe[1156] WS2_32.dll!socket 71A54211 5 Bytes JMP 000708C4 .text C:\WINDOWS\system32\winlogon.exe[1156] WS2_32.dll!bind 71A54480 5 Bytes JMP 00070838 .text C:\WINDOWS\system32\winlogon.exe[1156] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00070950 .text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 .text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\system32\services.exe[1200] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\system32\services.exe[1200] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 
00080720 .text C:\WINDOWS\system32\services.exe[1200] WS2_32.dll!socket 71A54211 5 Bytes JMP 000808C4 .text C:\WINDOWS\system32\services.exe[1200] WS2_32.dll!bind 71A54480 5 Bytes JMP 00080838 .text C:\WINDOWS\system32\services.exe[1200] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00080950 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\system32\lsass.exe[1216] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\system32\lsass.exe[1216] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\system32\lsass.exe[1216] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720 .text C:\WINDOWS\system32\lsass.exe[1216] WS2_32.dll!socket 71A54211 5 Bytes JMP 000808C4 .text C:\WINDOWS\system32\lsass.exe[1216] WS2_32.dll!bind 71A54480 5 Bytes JMP 00080838 .text 
C:\WINDOWS\system32\lsass.exe[1216] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00080950 .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\system32\svchost.exe[1400] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720 .text C:\WINDOWS\system32\svchost.exe[1400] WS2_32.dll!socket 71A54211 5 Bytes JMP 000808C4 .text C:\WINDOWS\system32\svchost.exe[1400] WS2_32.dll!bind 71A54480 5 Bytes JMP 00080838 .text C:\WINDOWS\system32\svchost.exe[1400] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00080950 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] 
kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] 
WININET.dll!InternetConnectA 63019446 5 Bytes JMP 00130F54 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] WININET.dll!InternetConnectW 6301F4E2 5 Bytes JMP 00130FE0 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00130D24 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00130DB0 .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00130E3C .text D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1408] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00130EC8 .text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 .text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\system32\svchost.exe[1468] 
kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\system32\svchost.exe[1468] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\system32\svchost.exe[1468] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720 .text C:\WINDOWS\system32\svchost.exe[1468] WS2_32.dll!socket 71A54211 5 Bytes JMP 000808C4 .text C:\WINDOWS\system32\svchost.exe[1468] WS2_32.dll!bind 71A54480 5 Bytes JMP 00080838 .text C:\WINDOWS\system32\svchost.exe[1468] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00080950 .text C:\WINDOWS\RTHDCPL.EXE[1504] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text C:\WINDOWS\RTHDCPL.EXE[1504] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text C:\WINDOWS\RTHDCPL.EXE[1504] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text C:\WINDOWS\RTHDCPL.EXE[1504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text C:\WINDOWS\RTHDCPL.EXE[1504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text C:\WINDOWS\RTHDCPL.EXE[1504] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text C:\WINDOWS\RTHDCPL.EXE[1504] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text C:\WINDOWS\RTHDCPL.EXE[1504] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text C:\WINDOWS\RTHDCPL.EXE[1504] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text C:\WINDOWS\RTHDCPL.EXE[1504] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text C:\WINDOWS\RTHDCPL.EXE[1504] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text C:\WINDOWS\RTHDCPL.EXE[1504] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text C:\WINDOWS\RTHDCPL.EXE[1504] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text C:\WINDOWS\RTHDCPL.EXE[1504] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text C:\WINDOWS\RTHDCPL.EXE[1504] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text C:\program 
files\real\realplayer\update\realsched.exe[1512] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text C:\program files\real\realplayer\update\realsched.exe[1512] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text C:\program files\real\realplayer\update\realsched.exe[1512] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text C:\program files\real\realplayer\update\realsched.exe[1512] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text C:\program files\real\realplayer\update\realsched.exe[1512] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text C:\program files\real\realplayer\update\realsched.exe[1512] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text C:\program files\real\realplayer\update\realsched.exe[1512] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text C:\program files\real\realplayer\update\realsched.exe[1512] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text C:\program files\real\realplayer\update\realsched.exe[1512] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text C:\program files\real\realplayer\update\realsched.exe[1512] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text C:\program files\real\realplayer\update\realsched.exe[1512] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text C:\program files\real\realplayer\update\realsched.exe[1512] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\program files\real\realplayer\update\realsched.exe[1512] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text C:\program files\real\realplayer\update\realsched.exe[1512] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text C:\program files\real\realplayer\update\realsched.exe[1512] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text C:\program files\real\realplayer\update\realsched.exe[1512] 
USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text C:\WINDOWS\PixArt\PAC207\Monitor.exe[1524] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text C:\Program Files\Common Files\Java\Java 
Update\jusched.exe[1556] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] WININET.dll!InternetConnectA 63019446 5 Bytes JMP 00130F54 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] WININET.dll!InternetConnectW 6301F4E2 5 Bytes JMP 00130FE0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] 
WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00130D24 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00130DB0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00130E3C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1556] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00130EC8 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text D:\Program 
Files\LogMeIn Hamachi\hamachi-2.exe[1612] WS2_32.dll!socket 71A54211 5 Bytes JMP 001308C4 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] WS2_32.dll!bind 71A54480 5 Bytes JMP 00130838 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00130950 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] WININET.dll!InternetConnectA 63019446 5 Bytes JMP 00130F54 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] WININET.dll!InternetConnectW 6301F4E2 5 Bytes JMP 00130FE0 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00130D24 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00130DB0 .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00130E3C .text D:\Program Files\LogMeIn Hamachi\hamachi-2.exe[1612] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00130EC8 .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text 
C:\WINDOWS\system32\RUNDLL32.EXE[1628] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\system32\RUNDLL32.EXE[1628] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text C:\WINDOWS\system32\PnkBstrA.exe[1644] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text C:\WINDOWS\system32\PnkBstrA.exe[1644] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text 
C:\WINDOWS\system32\PnkBstrA.exe[1644] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text C:\WINDOWS\system32\PnkBstrA.exe[1644] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] WS2_32.dll!socket 71A54211 5 Bytes JMP 001308C4 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] WS2_32.dll!bind 71A54480 5 Bytes JMP 00130838 .text C:\WINDOWS\system32\PnkBstrA.exe[1644] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00130950 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text C:\Program Files\Common 
Files\Ahead\Lib\NMBgMonitor.exe[1660] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] WS2_32.dll!socket 71A54211 5 Bytes JMP 001308C4 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] WS2_32.dll!bind 71A54480 5 Bytes JMP 00130838 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00130950 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] WININET.dll!InternetConnectA 63019446 5 Bytes JMP 00130F54 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] WININET.dll!InternetConnectW 6301F4E2 5 Bytes JMP 00130FE0 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00130D24 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00130DB0 .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00130E3C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1660] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00130EC8 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000701A8 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070090 
.text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00070694 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000702C0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070234 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00070004 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0007011C .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000704F0 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0007057C .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000703D8 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0007034C .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070464 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00070608 .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000707AC .text c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1756] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00070720 .text C:\WINDOWS\System32\svchost.exe[1896] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text 
C:\WINDOWS\System32\svchost.exe[1896] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\System32\svchost.exe[1896] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\System32\svchost.exe[1896] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text C:\WINDOWS\System32\svchost.exe[1896] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\System32\svchost.exe[1896] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 .text C:\WINDOWS\System32\svchost.exe[1896] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text C:\WINDOWS\System32\svchost.exe[1896] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\System32\svchost.exe[1896] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\System32\svchost.exe[1896] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\System32\svchost.exe[1896] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\System32\svchost.exe[1896] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\System32\svchost.exe[1896] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\System32\svchost.exe[1896] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\System32\svchost.exe[1896] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720 .text C:\WINDOWS\System32\svchost.exe[1896] WS2_32.dll!socket 71A54211 5 Bytes JMP 000808C4 .text C:\WINDOWS\System32\svchost.exe[1896] WS2_32.dll!bind 71A54480 5 Bytes JMP 00080838 .text C:\WINDOWS\System32\svchost.exe[1896] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00080950 .text C:\WINDOWS\System32\svchost.exe[1896] WININET.dll!InternetConnectA 63019446 5 Bytes JMP 00080F54 .text C:\WINDOWS\System32\svchost.exe[1896] WININET.dll!InternetConnectW 6301F4E2 5 Bytes JMP 00080FE0 .text C:\WINDOWS\System32\svchost.exe[1896] WININET.dll!InternetOpenA 6302B2D5 
5 Bytes JMP 00080D24 .text C:\WINDOWS\System32\svchost.exe[1896] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00080DB0 .text C:\WINDOWS\System32\svchost.exe[1896] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00080E3C .text C:\WINDOWS\System32\svchost.exe[1896] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00080EC8 .text D:\Programy\JV\bin\jqs.exe[1952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text D:\Programy\JV\bin\jqs.exe[1952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text D:\Programy\JV\bin\jqs.exe[1952] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text D:\Programy\JV\bin\jqs.exe[1952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text D:\Programy\JV\bin\jqs.exe[1952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text D:\Programy\JV\bin\jqs.exe[1952] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text D:\Programy\JV\bin\jqs.exe[1952] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text D:\Programy\JV\bin\jqs.exe[1952] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text D:\Programy\JV\bin\jqs.exe[1952] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text D:\Programy\JV\bin\jqs.exe[1952] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text D:\Programy\JV\bin\jqs.exe[1952] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text D:\Programy\JV\bin\jqs.exe[1952] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text D:\Programy\JV\bin\jqs.exe[1952] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text D:\Programy\JV\bin\jqs.exe[1952] WS2_32.dll!socket 71A54211 5 Bytes JMP 001308C4 .text D:\Programy\JV\bin\jqs.exe[1952] WS2_32.dll!bind 71A54480 5 Bytes JMP 00130838 .text D:\Programy\JV\bin\jqs.exe[1952] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00130950 .text D:\Programy\JV\bin\jqs.exe[1952] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text 
D:\Programy\JV\bin\jqs.exe[1952] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] WS2_32.dll!socket 71A54211 5 Bytes JMP 001308C4 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] WS2_32.dll!bind 71A54480 5 Bytes JMP 00130838 .text D:\Program Files\Mozilla 
Firefox\plugin-container.exe[1956] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00130950 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!SetWindowLongA 7E37C29D 5 Bytes JMP 106775F7 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!SetWindowLongW 7E37C2BB 5 Bytes JMP 10677589 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 1044FE0A D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 104503C5 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] WININET.dll!InternetConnectA 63019446 5 Bytes JMP 00130F54 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] WININET.dll!InternetConnectW 6301F4E2 5 Bytes JMP 00130FE0 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] WININET.dll!InternetOpenA 6302B2D5 5 Bytes JMP 00130D24 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] WININET.dll!InternetOpenW 6302B92E 5 Bytes JMP 00130DB0 .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 00130E3C .text D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 00130EC8 .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text C:\Program Files\Common 
Files\Ahead\Lib\NMIndexingService.exe[1980] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] WS2_32.dll!socket 71A54211 5 Bytes JMP 001308C4 .text C:\Program Files\Common 
Files\Ahead\Lib\NMIndexingService.exe[1980] WS2_32.dll!bind 71A54480 5 Bytes JMP 00130838 .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[1980] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00130950 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text 
D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text D:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe[2004] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] WS2_32.dll!socket 71A54211 5 Bytes JMP 
000808C4 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] WS2_32.dll!bind 71A54480 5 Bytes JMP 00080838 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2220] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00080950 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] WS2_32.dll!socket 71A54211 5 Bytes JMP 000808C4 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] 
WS2_32.dll!bind 71A54480 5 Bytes JMP 00080838 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2804] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00080950 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000801A8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00080090 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00080694 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000802C0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00080234 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00080004 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0008011C .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 000804F0 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0008057C .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 000803D8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0008034C .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00080464 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00080608 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 000807AC .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00080720 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] WS2_32.dll!socket 71A54211 5 Bytes JMP 000808C4 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] WS2_32.dll!bind 71A54480 5 Bytes JMP 00080838 .text 
C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00080950 .text D:\download\kwkimo3w.exe[3900] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001301A8 .text D:\download\kwkimo3w.exe[3900] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00130090 .text D:\download\kwkimo3w.exe[3900] kernel32.dll!WriteProcessMemory 7C802213 5 Bytes JMP 00130694 .text D:\download\kwkimo3w.exe[3900] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001302C0 .text D:\download\kwkimo3w.exe[3900] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00130234 .text D:\download\kwkimo3w.exe[3900] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 00130004 .text D:\download\kwkimo3w.exe[3900] kernel32.dll!VirtualAllocEx 7C809B02 5 Bytes JMP 0013011C .text D:\download\kwkimo3w.exe[3900] kernel32.dll!CreateRemoteThread 7C8104BC 5 Bytes JMP 001304F0 .text D:\download\kwkimo3w.exe[3900] kernel32.dll!CreateThread 7C8106C7 5 Bytes JMP 0013057C .text D:\download\kwkimo3w.exe[3900] kernel32.dll!CreateProcessInternalW 7C81979C 5 Bytes JMP 001303D8 .text D:\download\kwkimo3w.exe[3900] kernel32.dll!CreateProcessInternalA 7C81D536 5 Bytes JMP 0013034C .text D:\download\kwkimo3w.exe[3900] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00130464 .text D:\download\kwkimo3w.exe[3900] kernel32.dll!SetThreadContext 7C863AA9 5 Bytes JMP 00130608 .text D:\download\kwkimo3w.exe[3900] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 001307AC .text D:\download\kwkimo3w.exe[3900] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00130720 ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) AttachedDevice \Driver\Tcpip \Device\Udp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.) 
AttachedDevice \Driver\Tcpip \Device\RawIp SbFw.sys (Sunbelt Personal Firewall driver/Sunbelt Software, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBB 0x63 0x16 0x0B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBB 0x63 0x16 0x0B ...

---- EOF - GMER 1.0.15 ----