GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-04-09 18:44:39
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST3250318AS rev.CC44 232,88GB
Running: o5d7n7mo.exe; Driver: C:\DOCUME~1\Kamilek\USTAWI~1\Temp\agnyipog.sys

---- System - GMER 2.1 ----

INT 0x62 ? 89BCCCB8
INT 0x63 ? 899D3CB8
INT 0x73 ? 89BCCCB8
INT 0x73 ? 89BCCCB8
INT 0x73 ? 89BCCCB8
INT 0xB4 ? 899D3CB8

---- Kernel code sections - GMER 2.1 ----

.sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xBA783B2E]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB892F360, 0x32598D, 0xE8000020]
? C:\WINDOWS\System32\Drivers\a52smrf1.SYS suspicious PE modification

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\RTHDCPL.EXE[484] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 02CE6390
.text C:\WINDOWS\RTHDCPL.EXE[484] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 02CE6640
.text C:\WINDOWS\RTHDCPL.EXE[484] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 02CE53D0
.text C:\WINDOWS\RTHDCPL.EXE[484] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 02CE5300
.text C:\WINDOWS\RTHDCPL.EXE[484] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02CE11C0
.text C:\WINDOWS\RTHDCPL.EXE[484] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02CE1290
.text C:\WINDOWS\RTHDCPL.EXE[484] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 02CE2570
.text C:\WINDOWS\RTHDCPL.EXE[484] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 02CE1000
.text C:\WINDOWS\RTHDCPL.EXE[484] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 02CE10A0
.text C:\WINDOWS\RTHDCPL.EXE[484] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 02CE2510
.text C:\WINDOWS\RTHDCPL.EXE[484] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 02CE1D10
.text C:\WINDOWS\RTHDCPL.EXE[484] WS2_32.dll!send 71A54C27 5 Bytes JMP 02CE7250
.text C:\WINDOWS\RTHDCPL.EXE[484] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 02CE20A0
.text C:\WINDOWS\RTHDCPL.EXE[484] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 
02CE23A0 .text C:\WINDOWS\RTHDCPL.EXE[484] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 02CE2160 .text C:\WINDOWS\Explorer.EXE[520] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 02636390 .text C:\WINDOWS\Explorer.EXE[520] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 02636640 .text C:\WINDOWS\Explorer.EXE[520] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 026353D0 .text C:\WINDOWS\Explorer.EXE[520] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 02635300 .text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 026311C0 .text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02631290 .text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 02632570 .text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 02631000 .text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 026310A0 .text C:\WINDOWS\Explorer.EXE[520] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 02632510 .text C:\WINDOWS\Explorer.EXE[520] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 026320A0 .text C:\WINDOWS\Explorer.EXE[520] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 026323A0 .text C:\WINDOWS\Explorer.EXE[520] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 02632160 .text C:\WINDOWS\Explorer.EXE[520] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 02631D10 .text C:\WINDOWS\Explorer.EXE[520] WS2_32.dll!send 71A54C27 5 Bytes JMP 02637250 .text C:\WINDOWS\System32\alg.exe[652] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00CD6390 .text C:\WINDOWS\System32\alg.exe[652] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00CD6640 .text C:\WINDOWS\System32\alg.exe[652] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00CD53D0 .text C:\WINDOWS\System32\alg.exe[652] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00CD5300 .text C:\WINDOWS\System32\alg.exe[652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CD11C0 .text C:\WINDOWS\System32\alg.exe[652] kernel32.dll!CreateFileW 
7C8107F0 5 Bytes JMP 00CD1290 .text C:\WINDOWS\System32\alg.exe[652] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00CD2570 .text C:\WINDOWS\System32\alg.exe[652] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00CD1000 .text C:\WINDOWS\System32\alg.exe[652] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00CD10A0 .text C:\WINDOWS\System32\alg.exe[652] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00CD2510 .text C:\WINDOWS\System32\alg.exe[652] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00CD1D10 .text C:\WINDOWS\System32\alg.exe[652] WS2_32.dll!send 71A54C27 5 Bytes JMP 00CD7250 .text C:\WINDOWS\System32\alg.exe[652] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00CD20A0 .text C:\WINDOWS\System32\alg.exe[652] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00CD23A0 .text C:\WINDOWS\System32\alg.exe[652] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00CD2160 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00BC6390 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00BC6640 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00BC53D0 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00BC5300 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC11C0 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BC1290 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00BC2570 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00BC1000 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00BC10A0 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00BC2510 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00BC1D10 .text 
C:\WINDOWS\system32\RUNDLL32.EXE[852] WS2_32.dll!send 71A54C27 5 Bytes JMP 00BC7250 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00BC20A0 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00BC23A0 .text C:\WINDOWS\system32\RUNDLL32.EXE[852] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00BC2160 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00A46390 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00A46640 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00A453D0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A45300 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A411C0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A41290 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00A42570 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00A41000 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00A410A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00A42510 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00A420A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00A423A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] 
WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00A42160 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00A41D10 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[868] WS2_32.dll!send 71A54C27 5 Bytes JMP 00A47250 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01666390 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01666640 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 016653D0 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01665300 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 016611C0 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01661290 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01662570 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01661000 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 016610A0 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01662510 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01661D10 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] WS2_32.dll!send 71A54C27 5 Bytes JMP 01667250 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 016620A0 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 016623A0 .text C:\Program Files\ESET\ESET Smart Security\egui.exe[912] 
WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01662160 .text C:\WINDOWS\system32\csrss.exe[924] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 013B6390 .text C:\WINDOWS\system32\csrss.exe[924] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 013B6640 .text C:\WINDOWS\system32\csrss.exe[924] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 013B53D0 .text C:\WINDOWS\system32\csrss.exe[924] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 013B5300 .text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!CreateFileA 7C801A28 5 Bytes JMP 013B11C0 .text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!CreateFileW 7C8107F0 5 Bytes JMP 013B1290 .text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!MoveFileW 7C821249 5 Bytes JMP 013B2570 .text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!CopyFileA 7C8286D6 5 Bytes JMP 013B1000 .text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!CopyFileW 7C82F863 5 Bytes JMP 013B10A0 .text C:\WINDOWS\system32\csrss.exe[924] KERNEL32.dll!MoveFileA 7C835EA7 5 Bytes JMP 013B2510 .text C:\WINDOWS\system32\csrss.exe[924] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 013B1D10 .text C:\WINDOWS\system32\csrss.exe[924] WS2_32.dll!send 71A54C27 5 Bytes JMP 013B7250 .text C:\WINDOWS\system32\csrss.exe[924] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 013B20A0 .text C:\WINDOWS\system32\csrss.exe[924] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 013B23A0 .text C:\WINDOWS\system32\csrss.exe[924] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 013B2160 .text C:\WINDOWS\system32\winlogon.exe[948] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01AA6390 .text C:\WINDOWS\system32\winlogon.exe[948] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01AA6640 .text C:\WINDOWS\system32\winlogon.exe[948] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 01AA53D0 .text C:\WINDOWS\system32\winlogon.exe[948] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01AA5300 .text C:\WINDOWS\system32\winlogon.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 
01AA11C0 .text C:\WINDOWS\system32\winlogon.exe[948] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01AA1290 .text C:\WINDOWS\system32\winlogon.exe[948] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01AA2570 .text C:\WINDOWS\system32\winlogon.exe[948] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01AA1000 .text C:\WINDOWS\system32\winlogon.exe[948] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 01AA10A0 .text C:\WINDOWS\system32\winlogon.exe[948] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01AA2510 .text C:\WINDOWS\system32\winlogon.exe[948] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01AA1D10 .text C:\WINDOWS\system32\winlogon.exe[948] WS2_32.dll!send 71A54C27 5 Bytes JMP 01AA7250 .text C:\WINDOWS\system32\winlogon.exe[948] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 01AA20A0 .text C:\WINDOWS\system32\winlogon.exe[948] WININET.dll!InternetWriteFile 771E8BB9 3 Bytes JMP 01AA23A0 .text C:\WINDOWS\system32\winlogon.exe[948] WININET.dll!InternetWriteFile + 4 771E8BBD 1 Byte [8A] .text C:\WINDOWS\system32\winlogon.exe[948] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01AA2160 .text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00CB6390 .text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00CB6640 .text C:\WINDOWS\system32\services.exe[992] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00CB53D0 .text C:\WINDOWS\system32\services.exe[992] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00CB5300 .text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB11C0 .text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CB1290 .text C:\WINDOWS\system32\services.exe[992] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00CB2570 .text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00CB1000 .text C:\WINDOWS\system32\services.exe[992] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00CB10A0 .text 
C:\WINDOWS\system32\services.exe[992] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00CB2510 .text C:\WINDOWS\system32\services.exe[992] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00CB1D10 .text C:\WINDOWS\system32\services.exe[992] WS2_32.dll!send 71A54C27 5 Bytes JMP 00CB7250 .text C:\WINDOWS\system32\services.exe[992] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00CB20A0 .text C:\WINDOWS\system32\services.exe[992] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00CB23A0 .text C:\WINDOWS\system32\services.exe[992] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00CB2160 .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 02466390 .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 02466640 .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 024653D0 .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 02465300 .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024611C0 .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02461290 .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 02462570 .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 02461000 .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 024610A0 .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 02462510 .text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 02461D10 .text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!send 71A54C27 5 Bytes JMP 02467250 .text C:\WINDOWS\system32\svchost.exe[1168] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 024620A0 .text C:\WINDOWS\system32\svchost.exe[1168] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 024623A0 .text 
C:\WINDOWS\system32\svchost.exe[1168] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 02462160 .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00E06390 .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00E06640 .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00E053D0 .text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00E05300 .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E011C0 .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E01290 .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00E02570 .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00E01000 .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00E010A0 .text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00E02510 .text C:\WINDOWS\system32\svchost.exe[1216] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00E01D10 .text C:\WINDOWS\system32\svchost.exe[1216] WS2_32.dll!send 71A54C27 5 Bytes JMP 00E07250 .text C:\WINDOWS\system32\svchost.exe[1216] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00E020A0 .text C:\WINDOWS\system32\svchost.exe[1216] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00E023A0 .text C:\WINDOWS\system32\svchost.exe[1216] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00E02160 .text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 03476390 .text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 03476640 .text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 021DADDD .text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 
034753D0 .text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 03475300 .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 034711C0 .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 03471290 .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 03472570 .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 03471000 .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 034710A0 .text C:\WINDOWS\System32\svchost.exe[1256] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 03472510 .text C:\WINDOWS\System32\svchost.exe[1256] NETAPI32.dll!NetpwPathCanonicalize 6FF4A3A9 5 Bytes JMP 021DAD74 .text C:\WINDOWS\System32\svchost.exe[1256] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 03471D10 .text C:\WINDOWS\System32\svchost.exe[1256] WS2_32.dll!send 71A54C27 5 Bytes JMP 03477250 .text C:\WINDOWS\System32\svchost.exe[1256] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 034720A0 .text C:\WINDOWS\System32\svchost.exe[1256] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 034723A0 .text C:\WINDOWS\System32\svchost.exe[1256] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 03472160 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00C16390 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00C16640 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00C153D0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00C15300 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C111C0 .text C:\Documents and Settings\Kamilek\Dane 
aplikacji\regsrv34.exe[1280] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C11290 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00C12570 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00C11000 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00C110A0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00C12510 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00C11D10 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] WS2_32.dll!send 71A54C27 5 Bytes JMP 00C17250 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00C120A0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00C123A0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\regsrv34.exe[1280] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00C12160 .text C:\WINDOWS\system32\svchost.exe[1360] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00D36390 .text C:\WINDOWS\system32\svchost.exe[1360] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00D36640 .text C:\WINDOWS\system32\svchost.exe[1360] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 0082ADDD .text C:\WINDOWS\system32\svchost.exe[1360] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00D353D0 .text C:\WINDOWS\system32\svchost.exe[1360] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00D35300 .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D311C0 .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D31290 .text C:\WINDOWS\system32\svchost.exe[1360] 
kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00D32570 .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00D31000 .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00D310A0 .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00D32510 .text C:\WINDOWS\system32\svchost.exe[1360] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00D31D10 .text C:\WINDOWS\system32\svchost.exe[1360] WS2_32.dll!send 71A54C27 5 Bytes JMP 00D37250 .text C:\WINDOWS\system32\svchost.exe[1360] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00D320A0 .text C:\WINDOWS\system32\svchost.exe[1360] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00D323A0 .text C:\WINDOWS\system32\svchost.exe[1360] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00D32160 .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00E76390 .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00E76640 .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00E753D0 .text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00E75300 .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E711C0 .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E71290 .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00E72570 .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00E71000 .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00E710A0 .text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00E72510 .text C:\WINDOWS\system32\svchost.exe[1388] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00E71D10 .text C:\WINDOWS\system32\svchost.exe[1388] WS2_32.dll!send 71A54C27 5 
Bytes JMP 00E77250 .text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00E720A0 .text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00E723A0 .text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00E72160 .text C:\WINDOWS\system32\spoolsv.exe[1548] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01386390 .text C:\WINDOWS\system32\spoolsv.exe[1548] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01386640 .text C:\WINDOWS\system32\spoolsv.exe[1548] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 013853D0 .text C:\WINDOWS\system32\spoolsv.exe[1548] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01385300 .text C:\WINDOWS\system32\spoolsv.exe[1548] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013811C0 .text C:\WINDOWS\system32\spoolsv.exe[1548] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01381290 .text C:\WINDOWS\system32\spoolsv.exe[1548] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01382570 .text C:\WINDOWS\system32\spoolsv.exe[1548] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01381000 .text C:\WINDOWS\system32\spoolsv.exe[1548] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 013810A0 .text C:\WINDOWS\system32\spoolsv.exe[1548] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01382510 .text C:\WINDOWS\system32\spoolsv.exe[1548] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01381D10 .text C:\WINDOWS\system32\spoolsv.exe[1548] WS2_32.dll!send 71A54C27 5 Bytes JMP 01387250 .text C:\WINDOWS\system32\spoolsv.exe[1548] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 013820A0 .text C:\WINDOWS\system32\spoolsv.exe[1548] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 013823A0 .text C:\WINDOWS\system32\spoolsv.exe[1548] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01382160 .text C:\WINDOWS\system32\rundll32.exe[1588] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00AE6390 .text C:\WINDOWS\system32\rundll32.exe[1588] ntdll.dll!NtQueryDirectoryFile 
7C90D750 5 Bytes JMP 00AE6640 .text C:\WINDOWS\system32\rundll32.exe[1588] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00AE53D0 .text C:\WINDOWS\system32\rundll32.exe[1588] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00AE5300 .text C:\WINDOWS\system32\rundll32.exe[1588] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AE11C0 .text C:\WINDOWS\system32\rundll32.exe[1588] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00AE1290 .text C:\WINDOWS\system32\rundll32.exe[1588] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00AE2570 .text C:\WINDOWS\system32\rundll32.exe[1588] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00AE1000 .text C:\WINDOWS\system32\rundll32.exe[1588] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00AE10A0 .text C:\WINDOWS\system32\rundll32.exe[1588] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00AE2510 .text C:\WINDOWS\system32\rundll32.exe[1588] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00AE1D10 .text C:\WINDOWS\system32\rundll32.exe[1588] WS2_32.dll!send 71A54C27 5 Bytes JMP 00AE7250 .text C:\WINDOWS\system32\rundll32.exe[1588] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00AE20A0 .text C:\WINDOWS\system32\rundll32.exe[1588] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00AE23A0 .text C:\WINDOWS\system32\rundll32.exe[1588] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00AE2160 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 02446390 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 02446640 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 024453D0 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 02445300 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024411C0 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] 
kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02441290 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 02442570 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 02441000 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 024410A0 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 02442510 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 02441D10 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] WS2_32.dll!send 71A54C27 5 Bytes JMP 02447250 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 024420A0 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 024423A0 .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1700] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 02442160 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01DA6390 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01DA6640 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 01DA53D0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01DA5300 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01DA11C0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01DA1290 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01DA2570 
.text C:\Program Files\Java\jre7\bin\jqs.exe[1744] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01DA1000 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 01DA10A0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01DA2510 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01DA1D10 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] WS2_32.dll!send 71A54C27 5 Bytes JMP 01DA7250 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 01DA20A0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 01DA23A0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1744] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01DA2160 .text C:\WINDOWS\system32\nvsvc32.exe[1788] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01036390 .text C:\WINDOWS\system32\nvsvc32.exe[1788] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01036640 .text C:\WINDOWS\system32\nvsvc32.exe[1788] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 010353D0 .text C:\WINDOWS\system32\nvsvc32.exe[1788] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01035300 .text C:\WINDOWS\system32\nvsvc32.exe[1788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010311C0 .text C:\WINDOWS\system32\nvsvc32.exe[1788] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01031290 .text C:\WINDOWS\system32\nvsvc32.exe[1788] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01032570 .text C:\WINDOWS\system32\nvsvc32.exe[1788] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01031000 .text C:\WINDOWS\system32\nvsvc32.exe[1788] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 010310A0 .text C:\WINDOWS\system32\nvsvc32.exe[1788] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01032510 .text C:\WINDOWS\system32\nvsvc32.exe[1788] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01031D10 .text C:\WINDOWS\system32\nvsvc32.exe[1788] WS2_32.dll!send 
71A54C27 5 Bytes JMP 01037250 .text C:\WINDOWS\system32\nvsvc32.exe[1788] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 010320A0 .text C:\WINDOWS\system32\nvsvc32.exe[1788] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 010323A0 .text C:\WINDOWS\system32\nvsvc32.exe[1788] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01032160 .text C:\WINDOWS\system32\svchost.exe[1828] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00CB6390 .text C:\WINDOWS\system32\svchost.exe[1828] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00CB6640 .text C:\WINDOWS\system32\svchost.exe[1828] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00CB53D0 .text C:\WINDOWS\system32\svchost.exe[1828] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00CB5300 .text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB11C0 .text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CB1290 .text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00CB2570 .text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00CB1000 .text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00CB10A0 .text C:\WINDOWS\system32\svchost.exe[1828] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00CB2510 .text C:\WINDOWS\system32\svchost.exe[1828] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00CB1D10 .text C:\WINDOWS\system32\svchost.exe[1828] WS2_32.dll!send 71A54C27 5 Bytes JMP 00CB7250 .text C:\WINDOWS\system32\svchost.exe[1828] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00CB20A0 .text C:\WINDOWS\system32\svchost.exe[1828] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00CB23A0 .text C:\WINDOWS\system32\svchost.exe[1828] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00CB2160 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00B26390 
.text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00B26640 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00B253D0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00B25300 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B211C0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B21290 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00B22570 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00B21000 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00B210A0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00B22510 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] wininet.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00B220A0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] wininet.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00B223A0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] wininet.dll!HttpSendRequestW 
77202EBC 5 Bytes JMP 00B22160 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00B21D10 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{E9CE56E8-E32C-489E-ABBE-7B863C63AD13}\winsyn64.exe[3308] WS2_32.dll!send 71A54C27 5 Bytes JMP 00B27250 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00B26390 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00B26640 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00B253D0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00B25300 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B211C0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B21290 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00B22570 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00B21000 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00B210A0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] kernel32.dll!MoveFileA 7C835EA7 5 
Bytes JMP 00B22510 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] wininet.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00B220A0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] wininet.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00B223A0 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] wininet.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00B22160 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00B21D10 .text C:\Documents and Settings\Kamilek\Dane aplikacji\{88EED464-348D-42CD-A8B4-261D5EA21876}\winsyn.exe[3468] WS2_32.dll!send 71A54C27 5 Bytes JMP 00B27250 .text C:\Program Files\Mozilla Firefox\firefox.exe[12232] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00166390 .text C:\Program Files\Mozilla Firefox\firefox.exe[12232] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00166640 .text C:\Program Files\Mozilla Firefox\firefox.exe[12232] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001653D0 .text C:\Program Files\Mozilla Firefox\firefox.exe[12232] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0187D180 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[12232] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 01BC6B9C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[12232] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 01BC6B79 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[12232] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 0188F84B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[12232] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 01BC6AFA C:\Program Files\Mozilla Firefox\xul.dll 
.text C:\Program Files\Mozilla Firefox\firefox.exe[12232] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10 .text C:\Program Files\Mozilla Firefox\firefox.exe[12232] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250 .text C:\Program Files\Mozilla Firefox\firefox.exe[12232] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 001620A0 .text C:\Program Files\Mozilla Firefox\firefox.exe[12232] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 001623A0 .text C:\Program Files\Mozilla Firefox\firefox.exe[12232] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00162160 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00166390 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00166640 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001653D0 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00165300 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001611C0 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00161290 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00162570 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00161000 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 001610A0 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00162510 .text C:\Documents and 
Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 001620A0 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 001623A0 .text C:\Documents and Settings\Kamilek\Moje dokumenty\Pobieranie\o5d7n7mo.exe[24876] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00162160 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 89BCB1E8 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{AF580727-6BDA-4393-8124-BA420E8028E1} 885251E8 AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys Device \Driver\PCI_PNP7678 \Device\00000043 sptd.sys Device \Driver\PCI_PNP7678 \Device\00000043 sptd.sys Device \Driver\usbohci \Device\USBPDO-0 89A5E430 Device \Driver\usbohci \Device\USBPDO-1 89A5E430 AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys Device \Driver\Cdrom \Device\CdRom0 898BE1E8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [BA5F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [BA5F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [BA5F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [BA5F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [BA5F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH 
EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e [BA5F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Cdrom \Device\CdRom1 898BE1E8 Device \Driver\NetBT \Device\NetBt_Wins_Export 885251E8 Device \Driver\NetBT \Device\NetbiosSmb 885251E8 AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys Device \Driver\usbohci \Device\USBFDO-0 89A5E430 Device \Driver\usbohci \Device\USBFDO-1 89A5E430 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 885061E8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 885061E8 Device \Driver\a52smrf1 \Device\Scsi\a52smrf11Port4Path0Target0Lun0 89B4E1E8 Device \Driver\a52smrf1 \Device\Scsi\a52smrf11 89B4E1E8 Device \FileSystem\Cdfs \Cdfs 895CF430 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xCE 0xB2 0x7A 0x87 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB5 0x4E 0xED 0xFF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xFF 0xB7 0xCE 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC8 0xD1 0x92 0x68 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xCE 0xB2 0x7A 0x87 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x56 0x07 0x29 0xDD ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xFF 0xB7 0xCE 0x2D ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCA 0x33 0x74 0x40 ... 
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Dgmiml C:\Documents and Settings\Kamilek\Dane aplikacji\Dgmiml.exe Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Bhmimj C:\Documents and Settings\Kamilek\Dane aplikacji\Bhmimj.exe Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\Documents and Settings\Kamilek\Dane aplikacji\Dgmiml.exe Dgmiml Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\Documents and Settings\Kamilek\Dane aplikacji\Bhmimj.exe Bhmimj ---- EOF - GMER 2.1 ----