GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-11 22:32:34 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST9120822AS rev.3.ALD 111,79GB Running: 82yztgwb.exe; Driver: C:\DOCUME~1\User\USTAWI~1\Temp\uwrcyaob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF67FF380, 0x2F1147, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\csrss.exe[712] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01396390 .text C:\WINDOWS\system32\csrss.exe[712] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01396640 .text C:\WINDOWS\system32\csrss.exe[712] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 013953D0 .text C:\WINDOWS\system32\csrss.exe[712] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01395300 .text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateFileA 7C801A28 5 Bytes JMP 013911C0 .text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01391290 .text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!MoveFileW 7C821249 5 Bytes JMP 01392570 .text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01391000 .text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!CopyFileW 7C82F863 5 Bytes JMP 013910A0 .text C:\WINDOWS\system32\csrss.exe[712] KERNEL32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01392510 .text C:\WINDOWS\system32\csrss.exe[712] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01391D10 .text C:\WINDOWS\system32\csrss.exe[712] WS2_32.dll!send 71A54C27 5 Bytes JMP 01397250 .text C:\WINDOWS\system32\csrss.exe[712] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 013920A0 .text C:\WINDOWS\system32\csrss.exe[712] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 013923A0 .text C:\WINDOWS\system32\csrss.exe[712] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 01392160 .text C:\WINDOWS\system32\winlogon.exe[740] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 
022B6390 .text C:\WINDOWS\system32\winlogon.exe[740] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 022B6640 .text C:\WINDOWS\system32\winlogon.exe[740] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 022B53D0 .text C:\WINDOWS\system32\winlogon.exe[740] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 022B5300 .text C:\WINDOWS\system32\winlogon.exe[740] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 022B11C0 .text C:\WINDOWS\system32\winlogon.exe[740] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 022B1290 .text C:\WINDOWS\system32\winlogon.exe[740] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 022B2570 .text C:\WINDOWS\system32\winlogon.exe[740] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 022B1000 .text C:\WINDOWS\system32\winlogon.exe[740] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 022B10A0 .text C:\WINDOWS\system32\winlogon.exe[740] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 022B2510 .text C:\WINDOWS\system32\winlogon.exe[740] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 022B1D10 .text C:\WINDOWS\system32\winlogon.exe[740] WS2_32.dll!send 71A54C27 5 Bytes JMP 022B7250 .text C:\WINDOWS\system32\winlogon.exe[740] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 022B20A0 .text C:\WINDOWS\system32\winlogon.exe[740] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 022B23A0 .text C:\WINDOWS\system32\winlogon.exe[740] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 022B2160 .text C:\WINDOWS\system32\services.exe[784] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00E66390 .text C:\WINDOWS\system32\services.exe[784] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00E66640 .text C:\WINDOWS\system32\services.exe[784] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00E653D0 .text C:\WINDOWS\system32\services.exe[784] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00E65300 .text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E611C0 .text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E61290 .text 
C:\WINDOWS\system32\services.exe[784] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00E62570 .text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00E61000 .text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00E610A0 .text C:\WINDOWS\system32\services.exe[784] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00E62510 .text C:\WINDOWS\system32\services.exe[784] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00E61D10 .text C:\WINDOWS\system32\services.exe[784] WS2_32.dll!send 71A54C27 5 Bytes JMP 00E67250 .text C:\WINDOWS\system32\services.exe[784] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 00E620A0 .text C:\WINDOWS\system32\services.exe[784] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 00E623A0 .text C:\WINDOWS\system32\services.exe[784] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00E62160 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00BB6390 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00BB6640 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00BB53D0 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00BB5300 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB11C0 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BB1290 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00BB2570 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00BB1000 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00BB10A0 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] 
kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00BB2510 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 00BB20A0 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 00BB23A0 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00BB2160 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00BB1D10 .text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[840] WS2_32.dll!send 71A54C27 5 Bytes JMP 00BB7250 .text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 02896390 .text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 02896640 .text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 028953D0 .text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 02895300 .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 028911C0 .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02891290 .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 02892570 .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 02891000 .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 028910A0 .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 02892510 .text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 02891D10 .text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!send 71A54C27 5 Bytes JMP 02897250 .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 028920A0 .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetWriteFile 43643625 5 Bytes 
JMP 028923A0 .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 02892160 .text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00F86390 .text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00F86640 .text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00F853D0 .text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00F85300 .text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F811C0 .text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F81290 .text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00F82570 .text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00F81000 .text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00F810A0 .text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00F82510 .text C:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00F81D10 .text C:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!send 71A54C27 5 Bytes JMP 00F87250 .text C:\WINDOWS\system32\svchost.exe[996] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 00F820A0 .text C:\WINDOWS\system32\svchost.exe[996] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 00F823A0 .text C:\WINDOWS\system32\svchost.exe[996] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00F82160 .text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 03EB6390 .text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 03EB6640 .text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 0273ADDD .text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 
03EB53D0 .text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 03EB5300 .text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03EB11C0 .text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 03EB1290 .text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 03EB2570 .text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 03EB1000 .text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 03EB10A0 .text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 03EB2510 .text C:\WINDOWS\System32\svchost.exe[1036] NETAPI32.dll!NetpwPathCanonicalize 6FF4A3A9 5 Bytes JMP 0273AD74 .text C:\WINDOWS\System32\svchost.exe[1036] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 03EB1D10 .text C:\WINDOWS\System32\svchost.exe[1036] WS2_32.dll!send 71A54C27 5 Bytes JMP 03EB7250 .text C:\WINDOWS\System32\svchost.exe[1036] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 03EB20A0 .text C:\WINDOWS\System32\svchost.exe[1036] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 03EB23A0 .text C:\WINDOWS\System32\svchost.exe[1036] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 03EB2160 .text C:\WINDOWS\System32\WScript.exe[1060] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 011C6390 .text C:\WINDOWS\System32\WScript.exe[1060] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 011C6640 .text C:\WINDOWS\System32\WScript.exe[1060] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 011C53D0 .text C:\WINDOWS\System32\WScript.exe[1060] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 011C5300 .text C:\WINDOWS\System32\WScript.exe[1060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011C11C0 .text C:\WINDOWS\System32\WScript.exe[1060] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 011C1290 .text C:\WINDOWS\System32\WScript.exe[1060] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 011C2570 
.text C:\WINDOWS\System32\WScript.exe[1060] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 011C1000 .text C:\WINDOWS\System32\WScript.exe[1060] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 011C10A0 .text C:\WINDOWS\System32\WScript.exe[1060] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 011C2510 .text C:\WINDOWS\System32\WScript.exe[1060] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 011C1D10 .text C:\WINDOWS\System32\WScript.exe[1060] WS2_32.dll!send 71A54C27 5 Bytes JMP 011C7250 .text C:\WINDOWS\System32\WScript.exe[1060] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 011C20A0 .text C:\WINDOWS\System32\WScript.exe[1060] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 011C23A0 .text C:\WINDOWS\System32\WScript.exe[1060] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 011C2160 .text C:\Program Files\Mozilla Firefox\firefox.exe[1108] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00166390 .text C:\Program Files\Mozilla Firefox\firefox.exe[1108] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00166640 .text C:\Program Files\Mozilla Firefox\firefox.exe[1108] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001653D0 .text C:\Program Files\Mozilla Firefox\firefox.exe[1108] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01C1EEB0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1108] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 0222979B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1108] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 02229778 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1108] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 01C24CE9 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1108] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 022296F9 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1108] 
WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10 .text C:\Program Files\Mozilla Firefox\firefox.exe[1108] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250 .text C:\Program Files\Mozilla Firefox\firefox.exe[1108] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 001620A0 .text C:\Program Files\Mozilla Firefox\firefox.exe[1108] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 001623A0 .text C:\Program Files\Mozilla Firefox\firefox.exe[1108] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00162160 .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00E36390 .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00E36640 .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 0082ADDD .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00E353D0 .text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00E35300 .text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E311C0 .text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E31290 .text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00E32570 .text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00E31000 .text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00E310A0 .text C:\WINDOWS\system32\svchost.exe[1132] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00E32510 .text C:\WINDOWS\system32\svchost.exe[1132] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00E31D10 .text C:\WINDOWS\system32\svchost.exe[1132] WS2_32.dll!send 71A54C27 5 Bytes JMP 00E37250 .text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 00E320A0 .text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 00E323A0 
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00E32160 .text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01166390 .text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01166640 .text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 011653D0 .text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01165300 .text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011611C0 .text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01161290 .text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01162570 .text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01161000 .text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 011610A0 .text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01162510 .text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01161D10 .text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!send 71A54C27 5 Bytes JMP 01167250 .text C:\WINDOWS\system32\svchost.exe[1156] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 011620A0 .text C:\WINDOWS\system32\svchost.exe[1156] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 011623A0 .text C:\WINDOWS\system32\svchost.exe[1156] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 01162160 .text C:\WINDOWS\RTHDCPL.EXE[1280] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 048E6390 .text C:\WINDOWS\RTHDCPL.EXE[1280] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 048E6640 .text C:\WINDOWS\RTHDCPL.EXE[1280] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 048E53D0 .text C:\WINDOWS\RTHDCPL.EXE[1280] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 048E5300 .text C:\WINDOWS\RTHDCPL.EXE[1280] 
kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 048E11C0 .text C:\WINDOWS\RTHDCPL.EXE[1280] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 048E1290 .text C:\WINDOWS\RTHDCPL.EXE[1280] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 048E2570 .text C:\WINDOWS\RTHDCPL.EXE[1280] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 048E1000 .text C:\WINDOWS\RTHDCPL.EXE[1280] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 048E10A0 .text C:\WINDOWS\RTHDCPL.EXE[1280] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 048E2510 .text C:\WINDOWS\RTHDCPL.EXE[1280] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 048E1D10 .text C:\WINDOWS\RTHDCPL.EXE[1280] WS2_32.dll!send 71A54C27 5 Bytes JMP 048E7250 .text C:\WINDOWS\RTHDCPL.EXE[1280] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 048E20A0 .text C:\WINDOWS\RTHDCPL.EXE[1280] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 048E23A0 .text C:\WINDOWS\RTHDCPL.EXE[1280] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 048E2160 .text C:\Program Files\Winamp\Winampa.exe[1284] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 009D6390 .text C:\Program Files\Winamp\Winampa.exe[1284] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 009D6640 .text C:\Program Files\Winamp\Winampa.exe[1284] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 009D53D0 .text C:\Program Files\Winamp\Winampa.exe[1284] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 009D5300 .text C:\Program Files\Winamp\Winampa.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D11C0 .text C:\Program Files\Winamp\Winampa.exe[1284] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 009D1290 .text C:\Program Files\Winamp\Winampa.exe[1284] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 009D2570 .text C:\Program Files\Winamp\Winampa.exe[1284] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 009D1000 .text C:\Program Files\Winamp\Winampa.exe[1284] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 009D10A0 .text C:\Program Files\Winamp\Winampa.exe[1284] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 009D2510 .text C:\Program 
Files\Winamp\Winampa.exe[1284] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 009D1D10 .text C:\Program Files\Winamp\Winampa.exe[1284] WS2_32.dll!send 71A54C27 5 Bytes JMP 009D7250 .text C:\Program Files\Winamp\Winampa.exe[1284] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 009D20A0 .text C:\Program Files\Winamp\Winampa.exe[1284] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 009D23A0 .text C:\Program Files\Winamp\Winampa.exe[1284] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 009D2160 .text C:\WINDOWS\ghdrive32.exe[1300] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01226390 .text C:\WINDOWS\ghdrive32.exe[1300] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01226640 .text C:\WINDOWS\ghdrive32.exe[1300] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 012253D0 .text C:\WINDOWS\ghdrive32.exe[1300] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01225300 .text C:\WINDOWS\ghdrive32.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012211C0 .text C:\WINDOWS\ghdrive32.exe[1300] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01221290 .text C:\WINDOWS\ghdrive32.exe[1300] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01222570 .text C:\WINDOWS\ghdrive32.exe[1300] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01221000 .text C:\WINDOWS\ghdrive32.exe[1300] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 012210A0 .text C:\WINDOWS\ghdrive32.exe[1300] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01222510 .text C:\WINDOWS\ghdrive32.exe[1300] ws2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01221D10 .text C:\WINDOWS\ghdrive32.exe[1300] ws2_32.dll!send 71A54C27 5 Bytes JMP 01227250 .text C:\WINDOWS\ghdrive32.exe[1300] wininet.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 012220A0 .text C:\WINDOWS\ghdrive32.exe[1300] wininet.dll!InternetWriteFile 43643625 5 Bytes JMP 012223A0 .text C:\WINDOWS\ghdrive32.exe[1300] wininet.dll!HttpSendRequestW 43650805 5 Bytes JMP 01222160 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 
011D6390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 011D6640 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 011D53D0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 011D5300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011D11C0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 011D1290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 011D2570 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 011D1000 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 011D10A0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 011D2510 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 011D1D10 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] WS2_32.dll!send 71A54C27 5 Bytes JMP 011D7250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 011D20A0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 011D23A0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1368] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 011D2160 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00AE6390 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00AE6640 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00AE53D0 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] ntdll.dll!LdrLoadDll 7C9163A3 5 
Bytes JMP 00AE5300 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AE11C0 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00AE1290 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00AE2570 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00AE1000 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00AE10A0 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00AE2510 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00AE1D10 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] WS2_32.dll!send 71A54C27 5 Bytes JMP 00AE7250 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 00AE20A0 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 00AE23A0 .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[1420] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00AE2160 .text C:\WINDOWS\system32\spoolsv.exe[1500] ntdll.dll!NtEnumerateValueKey 7C90D2D0 3 Bytes JMP 01916390 .text C:\WINDOWS\system32\spoolsv.exe[1500] ntdll.dll!NtEnumerateValueKey + 4 7C90D2D4 1 Byte [85] .text C:\WINDOWS\system32\spoolsv.exe[1500] ntdll.dll!NtQueryDirectoryFile 7C90D750 3 Bytes JMP 01916640 .text C:\WINDOWS\system32\spoolsv.exe[1500] ntdll.dll!NtQueryDirectoryFile + 4 7C90D754 1 Byte [85] .text C:\WINDOWS\system32\spoolsv.exe[1500] ntdll.dll!NtResumeThread 7C90DB20 3 Bytes JMP 019153D0 .text C:\WINDOWS\system32\spoolsv.exe[1500] ntdll.dll!NtResumeThread + 4 7C90DB24 1 Byte [85] .text C:\WINDOWS\system32\spoolsv.exe[1500] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01915300 .text C:\WINDOWS\system32\spoolsv.exe[1500] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 019111C0 .text 
C:\WINDOWS\system32\spoolsv.exe[1500] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01911290 .text C:\WINDOWS\system32\spoolsv.exe[1500] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01912570 .text C:\WINDOWS\system32\spoolsv.exe[1500] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01911000 .text C:\WINDOWS\system32\spoolsv.exe[1500] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 019110A0 .text C:\WINDOWS\system32\spoolsv.exe[1500] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01912510 .text C:\WINDOWS\system32\spoolsv.exe[1500] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01911D10 .text C:\WINDOWS\system32\spoolsv.exe[1500] WS2_32.dll!send 71A54C27 5 Bytes JMP 01917250 .text C:\WINDOWS\system32\spoolsv.exe[1500] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 019120A0 .text C:\WINDOWS\system32\spoolsv.exe[1500] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 019123A0 .text C:\WINDOWS\system32\spoolsv.exe[1500] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 01912160 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00BD6390 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00BD6640 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00BD53D0 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00BD5300 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD11C0 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BD1290 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00BD2570 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00BD1000 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00BD10A0 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00BD2510 .text 
C:\WINDOWS\system32\RUNDLL32.EXE[1564] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00BD1D10 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] WS2_32.dll!send 71A54C27 5 Bytes JMP 00BD7250 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 00BD20A0 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 00BD23A0 .text C:\WINDOWS\system32\RUNDLL32.EXE[1564] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00BD2160 .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 05D06390 .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 05D06640 .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 05D053D0 .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 05D05300 .text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05D011C0 .text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 05D01290 .text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 05D02570 .text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 05D01000 .text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 05D010A0 .text C:\WINDOWS\Explorer.EXE[1716] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 05D02510 .text C:\WINDOWS\Explorer.EXE[1716] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 05D020A0 .text C:\WINDOWS\Explorer.EXE[1716] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 05D023A0 .text C:\WINDOWS\Explorer.EXE[1716] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 05D02160 .text C:\WINDOWS\Explorer.EXE[1716] ws2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 05D01D10 .text C:\WINDOWS\Explorer.EXE[1716] ws2_32.dll!send 71A54C27 5 Bytes JMP 05D07250 .text [1760] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00E06390 .text [1760] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes 
JMP 00E06640 .text [1760] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00E053D0 .text [1760] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00E05300 .text [1760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E011C0 .text [1760] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E01290 .text [1760] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00E02570 .text [1760] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00E01000 .text [1760] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00E010A0 .text [1760] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00E02510 .text [1760] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00E01D10 .text [1760] WS2_32.dll!send 71A54C27 5 Bytes JMP 00E07250 .text [1760] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 00E020A0 .text [1760] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 00E023A0 .text [1760] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00E02160 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00696390 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00696640 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 006953D0 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00695300 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006911C0 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00691290 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00692570 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00691000 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 006910A0 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00692510 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00691D10 .text 
C:\WINDOWS\system32\agrsmsvc.exe[1832] WS2_32.dll!send 71A54C27 5 Bytes JMP 00697250 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 006920A0 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 006923A0 .text C:\WINDOWS\system32\agrsmsvc.exe[1832] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00692160 .text C:\WINDOWS\system32\nvsvc32.exe[1868] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00FE6390 .text C:\WINDOWS\system32\nvsvc32.exe[1868] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00FE6640 .text C:\WINDOWS\system32\nvsvc32.exe[1868] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00FE53D0 .text C:\WINDOWS\system32\nvsvc32.exe[1868] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00FE5300 .text C:\WINDOWS\system32\nvsvc32.exe[1868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FE11C0 .text C:\WINDOWS\system32\nvsvc32.exe[1868] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FE1290 .text C:\WINDOWS\system32\nvsvc32.exe[1868] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00FE2570 .text C:\WINDOWS\system32\nvsvc32.exe[1868] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00FE1000 .text C:\WINDOWS\system32\nvsvc32.exe[1868] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00FE10A0 .text C:\WINDOWS\system32\nvsvc32.exe[1868] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00FE2510 .text C:\WINDOWS\system32\nvsvc32.exe[1868] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00FE1D10 .text C:\WINDOWS\system32\nvsvc32.exe[1868] WS2_32.dll!send 71A54C27 5 Bytes JMP 00FE7250 .text C:\WINDOWS\system32\nvsvc32.exe[1868] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 00FE20A0 .text C:\WINDOWS\system32\nvsvc32.exe[1868] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 00FE23A0 .text C:\WINDOWS\system32\nvsvc32.exe[1868] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00FE2160 .text C:\WINDOWS\system32\svchost.exe[1900] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00E76390 .text 
C:\WINDOWS\system32\svchost.exe[1900] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00E76640 .text C:\WINDOWS\system32\svchost.exe[1900] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00E753D0 .text C:\WINDOWS\system32\svchost.exe[1900] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00E75300 .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E711C0 .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E71290 .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00E72570 .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00E71000 .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00E710A0 .text C:\WINDOWS\system32\svchost.exe[1900] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00E72510 .text C:\WINDOWS\system32\svchost.exe[1900] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00E71D10 .text C:\WINDOWS\system32\svchost.exe[1900] WS2_32.dll!send 71A54C27 5 Bytes JMP 00E77250 .text C:\WINDOWS\system32\svchost.exe[1900] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 00E720A0 .text C:\WINDOWS\system32\svchost.exe[1900] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 00E723A0 .text C:\WINDOWS\system32\svchost.exe[1900] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00E72160 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00526390 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00526640 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 005253D0 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00525300 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 005211C0 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00521290 .text 
C:\WINDOWS\system32\UTSCSI.EXE[1916] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00522570 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00521000 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 005210A0 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00522510 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00521D10 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] WS2_32.dll!send 71A54C27 5 Bytes JMP 00527250 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 005220A0 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 005223A0 .text C:\WINDOWS\system32\UTSCSI.EXE[1916] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00522160 .text C:\WINDOWS\system32\svchost.exe[2204] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00D56390 .text C:\WINDOWS\system32\svchost.exe[2204] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00D56640 .text C:\WINDOWS\system32\svchost.exe[2204] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00D553D0 .text C:\WINDOWS\system32\svchost.exe[2204] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00D55300 .text C:\WINDOWS\system32\svchost.exe[2204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D511C0 .text C:\WINDOWS\system32\svchost.exe[2204] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D51290 .text C:\WINDOWS\system32\svchost.exe[2204] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00D52570 .text C:\WINDOWS\system32\svchost.exe[2204] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00D51000 .text C:\WINDOWS\system32\svchost.exe[2204] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00D510A0 .text C:\WINDOWS\system32\svchost.exe[2204] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00D52510 .text C:\WINDOWS\system32\svchost.exe[2204] wininet.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 00D520A0 .text 
C:\WINDOWS\system32\svchost.exe[2204] wininet.dll!InternetWriteFile 43643625 5 Bytes JMP 00D523A0 .text C:\WINDOWS\system32\svchost.exe[2204] wininet.dll!HttpSendRequestW 43650805 5 Bytes JMP 00D52160 .text C:\WINDOWS\system32\svchost.exe[2204] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00D51D10 .text C:\WINDOWS\system32\svchost.exe[2204] WS2_32.dll!send 71A54C27 5 Bytes JMP 00D57250 .text C:\WINDOWS\system32\svchost.exe[2276] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00AE6390 .text C:\WINDOWS\system32\svchost.exe[2276] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00AE6640 .text C:\WINDOWS\system32\svchost.exe[2276] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00AE53D0 .text C:\WINDOWS\system32\svchost.exe[2276] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00AE5300 .text C:\WINDOWS\system32\svchost.exe[2276] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AE11C0 .text C:\WINDOWS\system32\svchost.exe[2276] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00AE1290 .text C:\WINDOWS\system32\svchost.exe[2276] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00AE2570 .text C:\WINDOWS\system32\svchost.exe[2276] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00AE1000 .text C:\WINDOWS\system32\svchost.exe[2276] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00AE10A0 .text C:\WINDOWS\system32\svchost.exe[2276] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00AE2510 .text C:\WINDOWS\system32\svchost.exe[2276] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00AE1D10 .text C:\WINDOWS\system32\svchost.exe[2276] WS2_32.dll!send 71A54C27 5 Bytes JMP 00AE7250 .text C:\WINDOWS\system32\svchost.exe[2276] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 00AE20A0 .text C:\WINDOWS\system32\svchost.exe[2276] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 00AE23A0 .text C:\WINDOWS\system32\svchost.exe[2276] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00AE2160 .text C:\WINDOWS\system32\mspaint.exe[2316] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01436390 .text 
C:\WINDOWS\system32\mspaint.exe[2316] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01436640 .text C:\WINDOWS\system32\mspaint.exe[2316] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 014353D0 .text C:\WINDOWS\system32\mspaint.exe[2316] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01435300 .text C:\WINDOWS\system32\mspaint.exe[2316] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014311C0 .text C:\WINDOWS\system32\mspaint.exe[2316] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01431290 .text C:\WINDOWS\system32\mspaint.exe[2316] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01432570 .text C:\WINDOWS\system32\mspaint.exe[2316] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01431000 .text C:\WINDOWS\system32\mspaint.exe[2316] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 014310A0 .text C:\WINDOWS\system32\mspaint.exe[2316] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01432510 .text C:\WINDOWS\system32\mspaint.exe[2316] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01431D10 .text C:\WINDOWS\system32\mspaint.exe[2316] WS2_32.dll!send 71A54C27 5 Bytes JMP 01437250 .text C:\WINDOWS\system32\mspaint.exe[2316] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 014320A0 .text C:\WINDOWS\system32\mspaint.exe[2316] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 014323A0 .text C:\WINDOWS\system32\mspaint.exe[2316] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 01432160 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 010A6390 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 010A6640 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 010A53D0 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 010A5300 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010A11C0 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 010A1290 .text 
C:\WINDOWS\system32\WISPTIS.EXE[2424] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 010A2570 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 010A1000 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 010A10A0 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 010A2510 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 010A1D10 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] WS2_32.dll!send 71A54C27 5 Bytes JMP 010A7250 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 010A20A0 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 010A23A0 .text C:\WINDOWS\system32\WISPTIS.EXE[2424] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 010A2160 .text C:\WINDOWS\system32\notepad.exe[2452] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01F26390 .text C:\WINDOWS\system32\notepad.exe[2452] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01F26640 .text C:\WINDOWS\system32\notepad.exe[2452] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 01F253D0 .text C:\WINDOWS\system32\notepad.exe[2452] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01F25300 .text C:\WINDOWS\system32\notepad.exe[2452] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01F211C0 .text C:\WINDOWS\system32\notepad.exe[2452] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01F21290 .text C:\WINDOWS\system32\notepad.exe[2452] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01F22570 .text C:\WINDOWS\system32\notepad.exe[2452] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01F21000 .text C:\WINDOWS\system32\notepad.exe[2452] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 01F210A0 .text C:\WINDOWS\system32\notepad.exe[2452] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01F22510 .text C:\WINDOWS\system32\notepad.exe[2452] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01F21D10 .text 
C:\WINDOWS\system32\notepad.exe[2452] WS2_32.dll!send 71A54C27 5 Bytes JMP 01F27250 .text C:\WINDOWS\system32\notepad.exe[2452] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 01F220A0 .text C:\WINDOWS\system32\notepad.exe[2452] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 01F223A0 .text C:\WINDOWS\system32\notepad.exe[2452] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 01F22160 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00166390 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00166640 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001653D0 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00165300 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001611C0 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00161290 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00162570 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00161000 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 001610A0 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00162510 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 001620A0 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] 
WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 001623A0 .text C:\Documents and Settings\User\Pulpit\82yztgwb.exe[2564] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00162160 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00166390 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00166640 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001653D0 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00165300 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001611C0 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00161290 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00162570 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00161000 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 001610A0 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00162510 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 001620A0 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 001623A0 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00162160 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10 .text C:\Documents and Settings\User\Dane aplikacji\4.exe[2900] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250 .text C:\Documents and 
Settings\User\Dane aplikacji\5.exe[3104] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00166390 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00166640 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001653D0 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00165300 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001611C0 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00161290 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00162570 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00161000 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 001610A0 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00162510 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] WININET.dll!HttpSendRequestA 4363CD28 5 Bytes JMP 001620A0 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] WININET.dll!InternetWriteFile 43643625 5 Bytes JMP 001623A0 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] WININET.dll!HttpSendRequestW 43650805 5 Bytes JMP 00162160 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10 .text C:\Documents and Settings\User\Dane aplikacji\5.exe[3104] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys ---- Processes - GMER 2.1 ---- Library ÄòÛpöÛöÛ (*** hidden *** ) @ [1760] 0x00400000 Library C:\Documents and Settings\User\Dane 
aplikacji\4.exe (*** hidden *** ) @ C:\Documents and Settings\User\Dane aplikacji\4.exe [2900] 0x00400000 Library C:\Documents and Settings\User\Dane aplikacji\5.exe (*** hidden *** ) @ C:\Documents and Settings\User\Dane aplikacji\5.exe [3104] 0x00400000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet002\Services\pipialsh@DisplayName Support System Reg HKLM\SYSTEM\ControlSet002\Services\pipialsh@Type 32 Reg HKLM\SYSTEM\ControlSet002\Services\pipialsh@Start 2 Reg HKLM\SYSTEM\ControlSet002\Services\pipialsh@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet002\Services\pipialsh@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet002\Services\pipialsh@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\Services\pipialsh@Description Zapewnia trzy usługi zarządzania: Usługę bazy danych wykazu, która potwierdza podpisy plików systemu Windows, Usługę chronionego magazynu głównego, która dodaje i usuwa certyfikaty zaufanego głównego urzędu certyfikacji z tego komputera i Usługę kluczy, która pomaga zarejestrować ten komputer dla certyfikatów. Jeśli ta usługa zostanie zatrzymana, te usługi zarządzania nie będą działać właściwie. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać. 
Reg HKLM\SYSTEM\ControlSet002\Services\pipialsh\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\pipialsh\Parameters@ServiceDll C:\WINDOWS\system32\tatki.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon@Taskman C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-15555590\cafef9.exe (Vov})(2013-06-02 15:13:26) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore@Count 1976 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore@Count 540 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\iexplore@Count 538 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore@Count 24180 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore@Count 538 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@psysnew3 C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew3.exe(2010-08-28 18:24:58) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@psysjo3 C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psyjo3.exe(2010-08-28 18:24:58) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@psys3 C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psyj3.exe(2010-08-28 18:24:58) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Tjpp1 C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\mpp1g.exe(2010-08-28 18:24:58) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@psysjo32 C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psyjo32.exe(2010-08-28 18:24:58) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Tjmm71 C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\mmdg.exe(2010-08-28 18:24:58) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Tjii321 
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fjidg.exe(2010-08-28 18:24:58) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Tjpp2 C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\mpp2g.exe(2010-08-28 18:24:58) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Fgfk C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-8763\lsq.exe (Privacy Assist/GPA)(2011-03-20 14:32:48) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Fnfx C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-6883\dfe.exe(2011-03-20 14:32:48) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Fvbk C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-8333\lsvb.exe(2011-03-20 14:32:48) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@games C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1451\games.exe (Privacy Assist/GPA)(2011-03-20 14:32:49) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@jkqq C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-9143\jikd.exe (Privacy Assist/GPA)(2011-03-20 14:32:49) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@sdjwe C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1343\jwjqa.exe(2011-03-20 14:32:49) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ju7bd C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-2734\ju7bd.exe (Privacy Assist/GPA)(2011-03-20 14:32:49) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@jaqq C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-9043\jwkd.exe (Privacy Assist/GPA)(2011-03-20 14:32:49) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Tnaww C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe(2011-04-14 21:19:45) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Teswf C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1457\system.exe(2011-06-22 22:21:17) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@ca40229dd C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-15555590\cafef9.exe (Vov})(2013-06-02 15:13:26) Reg 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run@proxzy0229 C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-13259\proxzy129.exe(2013-06-02 15:13:31) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Igcecm C:\Documents and Settings\User\Dane aplikacji\Microsoft\Igcecm.exe Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@t4q C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-46689\24naq.exe (KKMM/ACCE)(2013-06-18 04:37:37) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@proxzy025 C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-17255\proxzy15.exe(2013-06-24 20:52:53) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@proxzy024 C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-17254\proxzy14.exe(2013-06-24 20:52:55) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@proxzy023 C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-17253\proxzy13.exe(2013-06-24 20:52:57) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@proxzy022 C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-17251\proxzy12.exe(2013-06-24 20:52:59) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@2gbs29dd C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-95590\c2gbsf9.exe(2013-06-24 20:53:01) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@p4440229 C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-15559\p444y129.exe(2013-06-24 20:53:03) Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Wgceca C:\Documents and Settings\User\Dane aplikacji\Microsoft\Wgceca.exe Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\DOCUME~1\User\USTAWI~1\Temp\install_flashplayer11x32_mssd_aaa_aih.bat install_flashplayer11x32_mssd_aaa_aih Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\Documents and Settings\User\Pulpit\OTL.exe OTL Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@@shell32.dll,-21782 Programy Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@@C:\WINDOWS\System32\setupapi.dll,-2001 Wst?pnie skompilowane 
informacje Instalatora Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\Documents and Settings\User\Pulpit\82yztgwb.exe 82yztgwb ---- Files - GMER 2.1 ---- File C:\Documents and Settings\User\Dane aplikacji\Microsoft\Igcecm.exe 137216 bytes executable File C:\Documents and Settings\User\Dane aplikacji\Microsoft\Wgceca.exe 164865 bytes executable File C:\Documents and Settings\User\Ustawienia lokalne\Temporary Internet Files\Content.IE5\3FO9DK87\feed[1].htm 0 bytes ---- EOF - GMER 2.1 ----