GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-06-14 16:04:51 Windows 6.1.7601 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST3808110AS rev.2AAA Running: kwyeqy6r.exe; Driver: C:\Users\Daniel\AppData\Local\Temp\pgddqpoc.sys ---- System - GMER 1.0.15 ---- SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys ZwCreateThread [0x8E57DE7C] SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys ZwCreateThreadEx [0x8E57DE96] SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys ZwLoadDriver [0x8E57E1AC] SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys ZwMapViewOfSection [0x8E57DBBC] SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys ZwOpenSection [0x8E57E5DE] SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys ZwRenameKey [0x8E57F87C] SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys ZwSetSystemInformation [0x8E57E42E] SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys ZwSuspendProcess [0x8E57DA3C] SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys ZwSuspendThread [0x8E57DEB0] SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys ZwSystemDebugControl [0x8E57E032] SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys ZwTerminateProcess [0x8E57D996] SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys ZwTerminateThread [0x8E57DAF6] SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys ZwWriteVirtualMemory [0x8E57DF76] ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKey + 13C1 8288E3D9 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828C7D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1203 828CEEF8 8 Bytes [7C, DE, 57, 8E, 96, DE, 57, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 1313 828CF008 4 Bytes [AC, E1, 57, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 1347 828CF03C 4 Bytes [BC, DB, 57, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 13AF 828CF0A4 4 Bytes [DE, E5, 57, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 152F 828CF224 4 Bytes [7C, F8, 57, 8E] .text ... .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F430000, 0x267978, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Windows\system32\wininit.exe[416] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0018000C .text C:\Windows\system32\wininit.exe[416] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0018100C .text C:\Windows\system32\wininit.exe[416] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0018200C .text C:\Windows\system32\wininit.exe[416] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 0018300C .text C:\Windows\system32\wininit.exe[416] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 0018400C .text C:\Windows\system32\wininit.exe[416] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 0018500C .text C:\Windows\system32\wininit.exe[416] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 0018A00C .text C:\Windows\system32\wininit.exe[416] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 0018600C .text C:\Windows\system32\wininit.exe[416] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 0018800C .text C:\Windows\system32\wininit.exe[416] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 0018900C .text C:\Windows\system32\wininit.exe[416] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 0018700C .text C:\Windows\system32\lsass.exe[500] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 000D000C .text C:\Windows\system32\lsass.exe[500] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 000D100C .text C:\Windows\system32\lsass.exe[500] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 000D200C .text C:\Windows\system32\lsass.exe[500] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 000D300C .text C:\Windows\system32\lsass.exe[500] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 000D400C .text C:\Windows\system32\lsass.exe[500] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 000D600C .text C:\Windows\system32\lsass.exe[500] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 000D800C .text C:\Windows\system32\lsass.exe[500] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 000D900C .text C:\Windows\system32\lsass.exe[500] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 000D700C .text C:\Windows\system32\lsass.exe[500] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 000D500C .text C:\Windows\system32\lsass.exe[500] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 000DA00C .text C:\Windows\system32\lsm.exe[508] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 001F000C .text C:\Windows\system32\lsm.exe[508] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 001F100C .text C:\Windows\system32\lsm.exe[508] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 001F200C .text C:\Windows\system32\lsm.exe[508] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 001F300C .text C:\Windows\system32\lsm.exe[508] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 001F400C .text C:\Windows\system32\lsm.exe[508] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 001F600C .text C:\Windows\system32\lsm.exe[508] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 001F800C .text C:\Windows\system32\lsm.exe[508] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 001F900C .text C:\Windows\system32\lsm.exe[508] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 001F700C .text C:\Windows\system32\lsm.exe[508] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 001F500C .text C:\Windows\system32\lsm.exe[508] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 001FA00C .text C:\Windows\system32\winlogon.exe[520] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0082000C .text C:\Windows\system32\winlogon.exe[520] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0082100C .text C:\Windows\system32\winlogon.exe[520] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0082200C .text C:\Windows\system32\winlogon.exe[520] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 0082300C .text C:\Windows\system32\winlogon.exe[520] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 0082400C .text C:\Windows\system32\winlogon.exe[520] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 0082500C .text C:\Windows\system32\winlogon.exe[520] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 0082B00C .text C:\Windows\system32\winlogon.exe[520] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 0082600C .text C:\Windows\system32\winlogon.exe[520] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 0082800C .text C:\Windows\system32\winlogon.exe[520] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 0082900C .text C:\Windows\system32\winlogon.exe[520] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 0082700C .text C:\Windows\system32\winlogon.exe[520] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 0082A00C .text C:\Windows\system32\svchost.exe[648] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 002B000C .text C:\Windows\system32\svchost.exe[648] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 002B100C .text C:\Windows\system32\svchost.exe[648] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 002B200C .text C:\Windows\system32\svchost.exe[716] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0044000C .text C:\Windows\system32\svchost.exe[716] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0044100C .text C:\Windows\system32\svchost.exe[716] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0044200C .text C:\Windows\system32\Ati2evxx.exe[764] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 003A000C .text C:\Windows\system32\Ati2evxx.exe[764] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 003A100C .text C:\Windows\system32\Ati2evxx.exe[764] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 003A200C .text C:\Windows\system32\Ati2evxx.exe[764] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 003A300C .text C:\Windows\system32\Ati2evxx.exe[764] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 003A400C .text C:\Windows\system32\Ati2evxx.exe[764] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 003A500C .text C:\Windows\system32\Ati2evxx.exe[764] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 003AB00C .text C:\Windows\system32\Ati2evxx.exe[764] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 003AA00C .text C:\Windows\system32\Ati2evxx.exe[764] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 003A600C .text C:\Windows\system32\Ati2evxx.exe[764] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 003A800C .text C:\Windows\system32\Ati2evxx.exe[764] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 003A900C .text C:\Windows\system32\Ati2evxx.exe[764] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 003A700C .text C:\Windows\System32\svchost.exe[796] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 00E9000C .text C:\Windows\System32\svchost.exe[796] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 00E9100C .text C:\Windows\System32\svchost.exe[796] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 00E9200C .text C:\Windows\System32\svchost.exe[912] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0095000C .text C:\Windows\System32\svchost.exe[912] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0095100C .text C:\Windows\System32\svchost.exe[912] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0095200C .text C:\Windows\system32\svchost.exe[952] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 00B3000C .text C:\Windows\system32\svchost.exe[952] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 00B3100C .text C:\Windows\system32\svchost.exe[952] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 00B3200C .text C:\Windows\system32\svchost.exe[1096] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0043000C .text C:\Windows\system32\svchost.exe[1096] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0043100C .text C:\Windows\system32\svchost.exe[1096] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0043200C .text C:\Windows\system32\svchost.exe[1228] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 001F000C .text C:\Windows\system32\svchost.exe[1228] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 001F100C .text C:\Windows\system32\svchost.exe[1228] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 001F200C .text C:\Windows\system32\Dwm.exe[1424] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 00B7000C .text C:\Windows\system32\Dwm.exe[1424] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 00B7100C .text C:\Windows\system32\Dwm.exe[1424] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 00B7200C .text C:\Windows\system32\Dwm.exe[1424] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 00B7300C .text C:\Windows\system32\Dwm.exe[1424] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 00B7400C .text C:\Windows\system32\Dwm.exe[1424] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 00B7500C .text C:\Windows\system32\Dwm.exe[1424] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 00B7B00C .text C:\Windows\system32\Dwm.exe[1424] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 00B7600C .text C:\Windows\system32\Dwm.exe[1424] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 00B7800C .text C:\Windows\system32\Dwm.exe[1424] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 00B7900C .text C:\Windows\system32\Dwm.exe[1424] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 00B7700C .text C:\Windows\system32\Dwm.exe[1424] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 00B7A00C .text C:\Windows\Explorer.EXE[1436] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0393000C .text C:\Windows\Explorer.EXE[1436] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0393100C .text C:\Windows\Explorer.EXE[1436] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0393200C .text C:\Windows\Explorer.EXE[1436] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 0393300C .text C:\Windows\Explorer.EXE[1436] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 0393400C .text C:\Windows\Explorer.EXE[1436] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 0393600C .text C:\Windows\Explorer.EXE[1436] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 0393800C .text C:\Windows\Explorer.EXE[1436] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 0393900C .text C:\Windows\Explorer.EXE[1436] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 0393700C .text C:\Windows\Explorer.EXE[1436] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 0393500C .text C:\Windows\Explorer.EXE[1436] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 0393B00C .text C:\Windows\Explorer.EXE[1436] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 0393A00C .text C:\Windows\system32\taskhost.exe[1448] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 009E000C .text C:\Windows\system32\taskhost.exe[1448] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 009E100C .text C:\Windows\system32\taskhost.exe[1448] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 009E200C .text C:\Windows\system32\taskhost.exe[1448] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 009E300C .text C:\Windows\system32\taskhost.exe[1448] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 009E400C .text C:\Windows\system32\taskhost.exe[1448] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 009EA00C .text C:\Windows\system32\taskhost.exe[1448] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 009E500C .text C:\Windows\system32\taskhost.exe[1448] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 009EB00C .text C:\Windows\system32\taskhost.exe[1448] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 009E600C .text C:\Windows\system32\taskhost.exe[1448] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 009E800C .text C:\Windows\system32\taskhost.exe[1448] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 009E900C .text C:\Windows\system32\taskhost.exe[1448] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 009E700C .text C:\Windows\system32\svchost.exe[1484] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 008E000C .text C:\Windows\system32\svchost.exe[1484] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 008E100C .text C:\Windows\system32\svchost.exe[1484] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 008E200C .text C:\Windows\SOUNDMAN.EXE[1648] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0018000C .text C:\Windows\SOUNDMAN.EXE[1648] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0018100C .text C:\Windows\SOUNDMAN.EXE[1648] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0018200C .text C:\Windows\SOUNDMAN.EXE[1648] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 0018300C .text C:\Windows\SOUNDMAN.EXE[1648] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 0018400C .text C:\Windows\SOUNDMAN.EXE[1648] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 0018600C .text C:\Windows\SOUNDMAN.EXE[1648] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 0018800C .text C:\Windows\SOUNDMAN.EXE[1648] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 0018900C .text C:\Windows\SOUNDMAN.EXE[1648] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 0018700C .text C:\Windows\SOUNDMAN.EXE[1648] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 0018500C .text C:\Windows\SOUNDMAN.EXE[1648] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 0018B00C .text C:\Windows\SOUNDMAN.EXE[1648] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 0018A00C .text C:\Windows\PixArt\Pac207\Monitor.exe[1668] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 003F000C .text C:\Windows\PixArt\Pac207\Monitor.exe[1668] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 003F100C .text C:\Windows\PixArt\Pac207\Monitor.exe[1668] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 003F200C .text C:\Windows\PixArt\Pac207\Monitor.exe[1668] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 003F300C .text C:\Windows\PixArt\Pac207\Monitor.exe[1668] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 003F400C .text C:\Windows\PixArt\Pac207\Monitor.exe[1668] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 003F500C .text C:\Windows\PixArt\Pac207\Monitor.exe[1668] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 003FB00C .text C:\Windows\PixArt\Pac207\Monitor.exe[1668] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 003F600C .text C:\Windows\PixArt\Pac207\Monitor.exe[1668] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 003F800C .text C:\Windows\PixArt\Pac207\Monitor.exe[1668] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 003F900C .text C:\Windows\PixArt\Pac207\Monitor.exe[1668] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 003F700C .text C:\Windows\PixArt\Pac207\Monitor.exe[1668] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 003FA00C .text C:\Program Files\Lexmark 3300 Series\lxccmon.exe[1676] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 005B000C .text C:\Program Files\Lexmark 3300 Series\lxccmon.exe[1676] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 005B100C .text C:\Program Files\Lexmark 3300 Series\lxccmon.exe[1676] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 005B200C .text C:\Program Files\Lexmark 3300 Series\lxccmon.exe[1676] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 005B300C .text C:\Program Files\Lexmark 3300 Series\lxccmon.exe[1676] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 005B400C .text C:\Program Files\Lexmark 3300 Series\lxccmon.exe[1676] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 005B500C .text C:\Program Files\Lexmark 3300 Series\lxccmon.exe[1676] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 005BB00C .text C:\Program Files\Lexmark 3300 Series\lxccmon.exe[1676] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 005B600C .text C:\Program Files\Lexmark 3300 Series\lxccmon.exe[1676] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 005B800C .text C:\Program Files\Lexmark 3300 Series\lxccmon.exe[1676] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 005B900C .text C:\Program Files\Lexmark 3300 Series\lxccmon.exe[1676] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 005B700C .text C:\Program Files\Lexmark 3300 Series\lxccmon.exe[1676] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 005BA00C .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1692] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0052000C .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1692] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0052100C .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1692] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0052200C .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1692] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 0052300C .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1692] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 0052400C .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1692] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 0052500C .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1692] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 0052B00C .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1692] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 0052A00C .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1692] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 0052600C .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1692] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 0052800C .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1692] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 0052900C .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1692] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 0052700C .text C:\Program Files\BezpiecznyInternet\Common\FSM32.EXE[1708] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0282000C .text C:\Program Files\BezpiecznyInternet\Common\FSM32.EXE[1708] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0282100C .text C:\Program Files\BezpiecznyInternet\Common\FSM32.EXE[1708] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0282200C .text C:\Program Files\Lexmark 3300 Series\ezprint.exe[1716] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0147000C .text C:\Program Files\Lexmark 3300 Series\ezprint.exe[1716] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0147100C .text C:\Program Files\Lexmark 3300 Series\ezprint.exe[1716] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0147200C .text C:\Program Files\Lexmark 3300 Series\ezprint.exe[1716] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 0147300C .text C:\Program Files\Lexmark 3300 Series\ezprint.exe[1716] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 0147400C .text C:\Program Files\Lexmark 3300 Series\ezprint.exe[1716] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 0147500C .text C:\Program Files\Lexmark 3300 Series\ezprint.exe[1716] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 0147B00C .text C:\Program Files\Lexmark 3300 Series\ezprint.exe[1716] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 0147600C .text C:\Program Files\Lexmark 3300 Series\ezprint.exe[1716] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 0147800C .text C:\Program Files\Lexmark 3300 Series\ezprint.exe[1716] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 0147900C .text C:\Program Files\Lexmark 3300 Series\ezprint.exe[1716] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 0147700C .text C:\Program Files\Lexmark 3300 Series\ezprint.exe[1716] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 0147A00C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1724] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 01D1000C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1724] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 01D1100C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1724] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 01D1200C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1724] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 01D1300C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1724] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 01D1400C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1724] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 01D1600C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1724] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 01D1800C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1724] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 01D1900C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1724] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 01D1700C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1724] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 01D1500C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1724] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 01D1B00C .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1724] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 01D1A00C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1732] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 001F000C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1732] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 001F100C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1732] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 001F200C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1732] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 001F300C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1732] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 001F400C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1732] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 001F600C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1732] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 001F800C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1732] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 001F900C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1732] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 001F700C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1732] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 001F500C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1732] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 001FB00C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1732] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 001FA00C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1748] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0034000C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1748] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0034100C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1748] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0034200C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1748] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 0034300C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1748] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 0034400C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1748] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 0034500C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1748] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 0034B00C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1748] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 0034600C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1748] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 0034800C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1748] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 0034900C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1748] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 0034700C .text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1748] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 0034A00C .text C:\Windows\notepad.exe[1756] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0012000C .text C:\Windows\notepad.exe[1756] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0012100C .text C:\Windows\notepad.exe[1756] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0012200C .text C:\Windows\notepad.exe[1756] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 0012300C .text C:\Windows\notepad.exe[1756] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 0012400C .text C:\Windows\notepad.exe[1756] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 0012600C .text C:\Windows\notepad.exe[1756] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 0012800C .text C:\Windows\notepad.exe[1756] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 0012900C .text C:\Windows\notepad.exe[1756] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 0012700C .text C:\Windows\notepad.exe[1756] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 0012500C .text C:\Windows\notepad.exe[1756] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 0012B00C .text C:\Windows\notepad.exe[1756] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 0012A00C .text C:\Windows\system32\Ati2evxx.exe[1840] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0066000C .text C:\Windows\system32\Ati2evxx.exe[1840] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0066100C .text C:\Windows\system32\Ati2evxx.exe[1840] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0066200C .text C:\Windows\system32\Ati2evxx.exe[1840] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 0066300C .text C:\Windows\system32\Ati2evxx.exe[1840] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 0066400C .text C:\Windows\system32\Ati2evxx.exe[1840] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 0066500C .text C:\Windows\system32\Ati2evxx.exe[1840] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 0066B00C .text C:\Windows\system32\Ati2evxx.exe[1840] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 0066A00C .text C:\Windows\system32\Ati2evxx.exe[1840] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 0066600C .text C:\Windows\system32\Ati2evxx.exe[1840] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 0066800C .text C:\Windows\system32\Ati2evxx.exe[1840] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 0066900C .text C:\Windows\system32\Ati2evxx.exe[1840] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 0066700C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0010000C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0010100C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0010200C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 0010300C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 0010400C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 0010600C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 0010800C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 0010900C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 0010700C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!SetWindowLongA 776D8BA3 5 Bytes JMP 6677FB5F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 0010500C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!SetWindowLongW 776E4449 5 Bytes JMP 6677FAEE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!GetWindowInfo 776E4B5E 5 Bytes JMP 6655A76C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!TrackPopupMenu 776F2228 5 Bytes JMP 6655AD79 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 0010B00C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 0010A00C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2112] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0019000C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2112] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0019100C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2112] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0019200C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2112] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 0019300C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2112] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 0019400C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2112] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 0019500C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2112] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 0019B00C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2112] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 0019600C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2112] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 0019800C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2112] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 0019900C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2112] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 0019700C .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2112] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 0019A00C .text C:\Windows\system32\svchost.exe[2172] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 002C000C .text C:\Windows\system32\svchost.exe[2172] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 002C100C .text C:\Windows\system32\svchost.exe[2172] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 002C200C .text F:\TORRENT\kwyeqy6r.exe[2252] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 001E000C .text F:\TORRENT\kwyeqy6r.exe[2252] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 001E100C .text F:\TORRENT\kwyeqy6r.exe[2252] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 001E200C .text F:\TORRENT\kwyeqy6r.exe[2252] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 001E300C .text F:\TORRENT\kwyeqy6r.exe[2252] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 001E400C .text F:\TORRENT\kwyeqy6r.exe[2252] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 001E500C .text F:\TORRENT\kwyeqy6r.exe[2252] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 001E600C .text C:\Windows\system32\lxcccoms.exe[2280] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 005A000C .text C:\Windows\system32\lxcccoms.exe[2280] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 005A100C .text C:\Windows\system32\lxcccoms.exe[2280] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 005A200C .text C:\Windows\system32\lxcccoms.exe[2280] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 005A300C .text C:\Windows\system32\lxcccoms.exe[2280] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 005A400C .text C:\Windows\system32\lxcccoms.exe[2280] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 005A500C .text C:\Windows\system32\lxcccoms.exe[2280] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 005AB00C .text C:\Windows\system32\lxcccoms.exe[2280] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 005A600C .text C:\Windows\system32\lxcccoms.exe[2280] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 005A800C .text C:\Windows\system32\lxcccoms.exe[2280] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 005A900C .text C:\Windows\system32\lxcccoms.exe[2280] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 005A700C .text C:\Windows\system32\lxcccoms.exe[2280] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 005AA00C .text C:\Windows\system32\PnkBstrA.exe[2360] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 003F000C .text C:\Windows\system32\PnkBstrA.exe[2360] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 003F100C .text C:\Windows\system32\PnkBstrA.exe[2360] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 003F200C .text C:\Windows\system32\PnkBstrA.exe[2360] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 003F300C .text C:\Windows\system32\PnkBstrA.exe[2360] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 003F400C .text C:\Windows\system32\PnkBstrA.exe[2360] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 003F500C .text C:\Windows\system32\PnkBstrA.exe[2360] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 003FB00C .text C:\Windows\system32\PnkBstrA.exe[2360] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 003F600C .text C:\Windows\system32\PnkBstrA.exe[2360] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 003F800C .text C:\Windows\system32\PnkBstrA.exe[2360] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 003F900C .text C:\Windows\system32\PnkBstrA.exe[2360] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 003F700C .text C:\Windows\system32\PnkBstrA.exe[2360] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 003FA00C .text C:\Windows\system32\svchost.exe[2420] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0022000C .text C:\Windows\system32\svchost.exe[2420] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0022100C .text C:\Windows\system32\svchost.exe[2420] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0022200C .text C:\Windows\System32\svchost.exe[2980] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0014000C .text C:\Windows\System32\svchost.exe[2980] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0014100C .text C:\Windows\System32\svchost.exe[2980] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0014200C .text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0325000C .text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0325100C .text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0325200C .text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 0325300C .text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 0325400C .text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 0325500C .text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 0325B00C .text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 0325A00C .text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] ADVAPI32.dll!OpenServiceW 7670CA4C 5 Bytes JMP 0325600C .text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] ADVAPI32.dll!CloseServiceHandle 7671369C 5 Bytes JMP 0325800C .text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] ADVAPI32.dll!CreateServiceW 7672712C 5 Bytes JMP 0325900C .text C:\Program Files\Gadu-Gadu 10\gg.exe[3304] ADVAPI32.dll!ControlService 76727144 5 Bytes JMP 0325700C .text C:\Windows\system32\taskeng.exe[3828] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 0009000C .text C:\Windows\system32\taskeng.exe[3828] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 0009100C .text C:\Windows\system32\taskeng.exe[3828] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 0009200C .text C:\Windows\system32\taskeng.exe[3828] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 0009300C .text C:\Windows\system32\taskeng.exe[3828] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 0009400C .text C:\Windows\system32\taskeng.exe[3828] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 0009500C .text C:\Windows\system32\taskeng.exe[3828] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 0009700C .text C:\Windows\system32\taskeng.exe[3828] ole32.dll!CoCreateInstanceEx 764C9D4E 5 Bytes JMP 0009600C .text C:\Program Files\Mozilla Firefox\firefox.exe[3992] ntdll.dll!NtCreateProcess 77A25698 5 Bytes JMP 002F000C .text C:\Program Files\Mozilla Firefox\firefox.exe[3992] ntdll.dll!NtCreateProcessEx 77A256A8 5 Bytes JMP 002F100C .text C:\Program Files\Mozilla Firefox\firefox.exe[3992] ntdll.dll!NtCreateUserProcess 77A25778 5 Bytes JMP 002F200C .text C:\Program Files\Mozilla Firefox\firefox.exe[3992] ntdll.dll!LdrLoadDll 77A4223E 5 Bytes JMP 663D696F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3992] kernel32.dll!LoadLibraryExW 76665079 5 Bytes JMP 002F300C .text C:\Program Files\Mozilla Firefox\firefox.exe[3992] kernel32.dll!MapViewOfFile 766693DB 5 Bytes JMP 66680219 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3992] kernel32.dll!VirtualAlloc 7666C43A 5 Bytes JMP 66680240 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3992] kernel32.dll!TerminateThread 7667BC01 5 Bytes JMP 002F400C .text C:\Program Files\Mozilla Firefox\firefox.exe[3992] USER32.dll!SetWindowsHookExW 776DE30C 5 Bytes JMP 002F500C .text C:\Program Files\Mozilla Firefox\firefox.exe[3992] USER32.dll!DdeConnect 7771EB5B 5 Bytes JMP 002F600C .text C:\Program Files\Mozilla Firefox\firefox.exe[3992] GDI32.dll!CreateDIBSection 77B38850 5 Bytes JMP 666801A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- Devices - GMER 1.0.15 ---- Device \Driver\ACPI_HAL \Device\00000046 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) ---- EOF - GMER 1.0.15 ----