GMER 1.0.15.15530 - http://www.gmer.net Rootkit scan 2013-09-18 11:29:06 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.LV01 Running: yg8iu4mj.exe; Driver: C:\DOCUME~1\jan\USTAWI~1\Temp\fxtdipod.sys ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 015F6390 .text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 015F6640 .text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 015F53D0 .text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 015F5300 .text C:\WINDOWS\system32\csrss.exe[652] KERNEL32.dll!CreateFileA 7C801A28 5 Bytes JMP 015F11C0 .text C:\WINDOWS\system32\csrss.exe[652] KERNEL32.dll!CreateFileW 7C810800 5 Bytes JMP 015F1290 .text C:\WINDOWS\system32\csrss.exe[652] KERNEL32.dll!MoveFileW 7C821261 5 Bytes JMP 015F2570 .text C:\WINDOWS\system32\csrss.exe[652] KERNEL32.dll!CopyFileA 7C8286EE 5 Bytes JMP 015F1000 .text C:\WINDOWS\system32\csrss.exe[652] KERNEL32.dll!CopyFileW 7C82F87B 5 Bytes JMP 015F10A0 .text C:\WINDOWS\system32\csrss.exe[652] KERNEL32.dll!MoveFileA 7C835EBF 5 Bytes JMP 015F2510 .text C:\WINDOWS\system32\csrss.exe[652] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 015F1D10 .text C:\WINDOWS\system32\csrss.exe[652] WS2_32.dll!send 71A54C27 5 Bytes JMP 015F7250 .text C:\WINDOWS\system32\csrss.exe[652] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 015F20A0 .text C:\WINDOWS\system32\csrss.exe[652] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 015F23A0 .text C:\WINDOWS\system32\csrss.exe[652] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 015F2160 .text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01946390 .text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 01946640 .text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 019453D0 .text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01945300 .text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 019411C0 .text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01941290 .text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 01942570 .text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01941000 .text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 019410A0 .text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 01942510 .text C:\WINDOWS\system32\winlogon.exe[676] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01941D10 .text C:\WINDOWS\system32\winlogon.exe[676] WS2_32.dll!send 71A54C27 5 Bytes JMP 01947250 .text C:\WINDOWS\system32\winlogon.exe[676] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 019420A0 .text C:\WINDOWS\system32\winlogon.exe[676] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 019423A0 .text C:\WINDOWS\system32\winlogon.exe[676] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 01942160 .text C:\WINDOWS\system32\services.exe[720] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00D66390 .text C:\WINDOWS\system32\services.exe[720] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00D66640 .text C:\WINDOWS\system32\services.exe[720] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00D653D0 .text C:\WINDOWS\system32\services.exe[720] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00D65300 .text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D611C0 .text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D61290 .text C:\WINDOWS\system32\services.exe[720] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00D62570 .text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00D61000 .text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00D610A0 .text C:\WINDOWS\system32\services.exe[720] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00D62510 .text C:\WINDOWS\system32\services.exe[720] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00D61D10 .text C:\WINDOWS\system32\services.exe[720] WS2_32.dll!send 71A54C27 5 Bytes JMP 00D67250 .text C:\WINDOWS\system32\services.exe[720] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 00D620A0 .text C:\WINDOWS\system32\services.exe[720] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 00D623A0 .text C:\WINDOWS\system32\services.exe[720] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 00D62160 .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 02516390 .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 02516640 .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 025153D0 .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 02515300 .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025111C0 .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02511290 .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 02512570 .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 02511000 .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 025110A0 .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 02512510 .text C:\WINDOWS\system32\svchost.exe[892] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 02511D10 .text C:\WINDOWS\system32\svchost.exe[892] WS2_32.dll!send 71A54C27 5 Bytes JMP 02517250 .text C:\WINDOWS\system32\svchost.exe[892] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 025120A0 .text C:\WINDOWS\system32\svchost.exe[892] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 025123A0 .text C:\WINDOWS\system32\svchost.exe[892] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 02512160 .text C:\WINDOWS\system32\svchost.exe[972] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00DA6390 .text C:\WINDOWS\system32\svchost.exe[972] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00DA6640 .text C:\WINDOWS\system32\svchost.exe[972] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00DA53D0 .text C:\WINDOWS\system32\svchost.exe[972] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00DA5300 .text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DA11C0 .text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DA1290 .text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00DA2570 .text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00DA1000 .text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00DA10A0 .text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00DA2510 .text C:\WINDOWS\system32\svchost.exe[972] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00DA1D10 .text C:\WINDOWS\system32\svchost.exe[972] WS2_32.dll!send 71A54C27 5 Bytes JMP 00DA7250 .text C:\WINDOWS\system32\svchost.exe[972] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 00DA20A0 .text C:\WINDOWS\system32\svchost.exe[972] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 00DA23A0 .text C:\WINDOWS\system32\svchost.exe[972] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 00DA2160 .text E:\do laptopa\yg8iu4mj.exe[1012] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00166390 .text E:\do laptopa\yg8iu4mj.exe[1012] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00166640 .text E:\do laptopa\yg8iu4mj.exe[1012] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 001653D0 .text E:\do laptopa\yg8iu4mj.exe[1012] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00165300 .text E:\do laptopa\yg8iu4mj.exe[1012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001611C0 .text E:\do laptopa\yg8iu4mj.exe[1012] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00161290 .text E:\do laptopa\yg8iu4mj.exe[1012] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00162570 .text E:\do laptopa\yg8iu4mj.exe[1012] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00161000 .text E:\do laptopa\yg8iu4mj.exe[1012] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 001610A0 .text E:\do laptopa\yg8iu4mj.exe[1012] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00162510 .text E:\do laptopa\yg8iu4mj.exe[1012] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10 .text E:\do laptopa\yg8iu4mj.exe[1012] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250 .text E:\do laptopa\yg8iu4mj.exe[1012] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 001620A0 .text E:\do laptopa\yg8iu4mj.exe[1012] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 001623A0 .text E:\do laptopa\yg8iu4mj.exe[1012] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 00162160 .text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 02956390 .text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 02956640 .text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 029553D0 .text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 02955300 .text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 029511C0 .text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02951290 .text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 02952570 .text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 02951000 .text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 029510A0 .text C:\WINDOWS\system32\svchost.exe[1024] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 02952510 .text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 02951D10 .text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!send 71A54C27 5 Bytes JMP 02957250 .text C:\WINDOWS\system32\svchost.exe[1024] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 029520A0 .text C:\WINDOWS\system32\svchost.exe[1024] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 029523A0 .text C:\WINDOWS\system32\svchost.exe[1024] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 02952160 .text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtEnumerateValueKey 7C90D2EE 3 Bytes JMP 00916390 .text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtEnumerateValueKey + 4 7C90D2F2 1 Byte [84] .text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtQueryDirectoryFile 7C90D76E 3 Bytes JMP 00916640 .text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtQueryDirectoryFile + 4 7C90D772 1 Byte [84] .text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtResumeThread 7C90DB3E 3 Bytes JMP 009153D0 .text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtResumeThread + 4 7C90DB42 1 Byte [84] .text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00915300 .text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009111C0 .text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00911290 .text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00912570 .text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00911000 .text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 009110A0 .text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00912510 .text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00911D10 .text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!send 71A54C27 5 Bytes JMP 00917250 .text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 009120A0 .text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 009123A0 .text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 00912160 .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00D76390 .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00D76640 .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00D753D0 .text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00D75300 .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D711C0 .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D71290 .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00D72570 .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00D71000 .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00D710A0 .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00D72510 .text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00D71D10 .text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!send 71A54C27 5 Bytes JMP 00D77250 .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 00D720A0 .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 00D723A0 .text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 00D72160 .text C:\WINDOWS\system32\cmd.exe[1284] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00A06390 .text C:\WINDOWS\system32\cmd.exe[1284] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00A06640 .text C:\WINDOWS\system32\cmd.exe[1284] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00A053D0 .text C:\WINDOWS\system32\cmd.exe[1284] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00A05300 .text C:\WINDOWS\system32\cmd.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A011C0 .text C:\WINDOWS\system32\cmd.exe[1284] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A01290 .text C:\WINDOWS\system32\cmd.exe[1284] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00A02570 .text C:\WINDOWS\system32\cmd.exe[1284] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00A01000 .text C:\WINDOWS\system32\cmd.exe[1284] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00A010A0 .text C:\WINDOWS\system32\cmd.exe[1284] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00A02510 .text C:\WINDOWS\system32\cmd.exe[1284] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00A01D10 .text C:\WINDOWS\system32\cmd.exe[1284] WS2_32.dll!send 71A54C27 5 Bytes JMP 00A07250 .text C:\WINDOWS\system32\cmd.exe[1284] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 00A020A0 .text C:\WINDOWS\system32\cmd.exe[1284] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 00A023A0 .text C:\WINDOWS\system32\cmd.exe[1284] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 00A02160 .text C:\WINDOWS\system32\spoolsv.exe[1312] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00E26390 .text C:\WINDOWS\system32\spoolsv.exe[1312] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00E26640 .text C:\WINDOWS\system32\spoolsv.exe[1312] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00E253D0 .text C:\WINDOWS\system32\spoolsv.exe[1312] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00E25300 .text C:\WINDOWS\system32\spoolsv.exe[1312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E211C0 .text C:\WINDOWS\system32\spoolsv.exe[1312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E21290 .text C:\WINDOWS\system32\spoolsv.exe[1312] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00E22570 .text C:\WINDOWS\system32\spoolsv.exe[1312] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00E21000 .text C:\WINDOWS\system32\spoolsv.exe[1312] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00E210A0 .text C:\WINDOWS\system32\spoolsv.exe[1312] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00E22510 .text C:\WINDOWS\system32\spoolsv.exe[1312] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00E21D10 .text C:\WINDOWS\system32\spoolsv.exe[1312] WS2_32.dll!send 71A54C27 5 Bytes JMP 00E27250 .text C:\WINDOWS\system32\spoolsv.exe[1312] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 00E220A0 .text C:\WINDOWS\system32\spoolsv.exe[1312] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 00E223A0 .text C:\WINDOWS\system32\spoolsv.exe[1312] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 00E22160 .text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00BF6390 .text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00BF6640 .text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00BF53D0 .text C:\WINDOWS\system32\svchost.exe[1392] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00BF5300 .text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF11C0 .text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF1290 .text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00BF2570 .text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00BF1000 .text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00BF10A0 .text C:\WINDOWS\system32\svchost.exe[1392] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00BF2510 .text C:\WINDOWS\system32\svchost.exe[1392] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 00BF20A0 .text C:\WINDOWS\system32\svchost.exe[1392] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 00BF23A0 .text C:\WINDOWS\system32\svchost.exe[1392] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 00BF2160 .text C:\WINDOWS\system32\svchost.exe[1392] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00BF1D10 .text C:\WINDOWS\system32\svchost.exe[1392] WS2_32.dll!send 71A54C27 5 Bytes JMP 00BF7250 .text C:\WINDOWS\explorer.exe[1596] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 016E6390 .text C:\WINDOWS\explorer.exe[1596] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 016E6640 .text C:\WINDOWS\explorer.exe[1596] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 016E53D0 .text C:\WINDOWS\explorer.exe[1596] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 016E5300 .text C:\WINDOWS\explorer.exe[1596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 016E11C0 .text C:\WINDOWS\explorer.exe[1596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 016E1290 .text C:\WINDOWS\explorer.exe[1596] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 016E2570 .text C:\WINDOWS\explorer.exe[1596] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 016E1000 .text C:\WINDOWS\explorer.exe[1596] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 016E10A0 .text C:\WINDOWS\explorer.exe[1596] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 016E2510 .text C:\WINDOWS\explorer.exe[1596] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 016E20A0 .text C:\WINDOWS\explorer.exe[1596] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 016E23A0 .text C:\WINDOWS\explorer.exe[1596] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 016E2160 .text C:\WINDOWS\explorer.exe[1596] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 016E1D10 .text C:\WINDOWS\explorer.exe[1596] WS2_32.dll!send 71A54C27 5 Bytes JMP 016E7250 .text C:\WINDOWS\Explorer.EXE[1644] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 02926390 .text C:\WINDOWS\Explorer.EXE[1644] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 02926640 .text C:\WINDOWS\Explorer.EXE[1644] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 029253D0 .text C:\WINDOWS\Explorer.EXE[1644] ntdll.dll!LdrLoadDll 7C91632D 3 Bytes JMP 02925300 .text C:\WINDOWS\Explorer.EXE[1644] ntdll.dll!LdrLoadDll + 4 7C916331 1 Byte [86] .text C:\WINDOWS\Explorer.EXE[1644] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 029211C0 .text C:\WINDOWS\Explorer.EXE[1644] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02921290 .text C:\WINDOWS\Explorer.EXE[1644] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 02922570 .text C:\WINDOWS\Explorer.EXE[1644] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 02921000 .text C:\WINDOWS\Explorer.EXE[1644] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 029210A0 .text C:\WINDOWS\Explorer.EXE[1644] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 02922510 .text C:\WINDOWS\Explorer.EXE[1644] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 029220A0 .text C:\WINDOWS\Explorer.EXE[1644] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 029223A0 .text C:\WINDOWS\Explorer.EXE[1644] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 02922160 .text C:\WINDOWS\Explorer.EXE[1644] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 02921D10 .text C:\WINDOWS\Explorer.EXE[1644] WS2_32.dll!send 71A54C27 5 Bytes JMP 02927250 .text C:\WINDOWS\system32\hkcmd.exe[1840] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00986390 .text C:\WINDOWS\system32\hkcmd.exe[1840] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00986640 .text C:\WINDOWS\system32\hkcmd.exe[1840] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 009853D0 .text C:\WINDOWS\system32\hkcmd.exe[1840] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00985300 .text C:\WINDOWS\system32\hkcmd.exe[1840] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009811C0 .text C:\WINDOWS\system32\hkcmd.exe[1840] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00981290 .text C:\WINDOWS\system32\hkcmd.exe[1840] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00982570 .text C:\WINDOWS\system32\hkcmd.exe[1840] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00981000 .text C:\WINDOWS\system32\hkcmd.exe[1840] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 009810A0 .text C:\WINDOWS\system32\hkcmd.exe[1840] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00982510 .text C:\WINDOWS\system32\hkcmd.exe[1840] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00981D10 .text C:\WINDOWS\system32\hkcmd.exe[1840] WS2_32.dll!send 71A54C27 5 Bytes JMP 00987250 .text C:\WINDOWS\system32\hkcmd.exe[1840] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 009820A0 .text C:\WINDOWS\system32\hkcmd.exe[1840] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 009823A0 .text C:\WINDOWS\system32\hkcmd.exe[1840] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 00982160 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00E76390 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00E76640 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00E753D0 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00E75300 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E711C0 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E71290 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00E72570 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00E71000 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00E710A0 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00E72510 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00E71D10 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] WS2_32.dll!send 71A54C27 5 Bytes JMP 00E77250 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 00E720A0 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 00E723A0 .text C:\WINDOWS\system32\igfxsrvc.exe[1852] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 00E72160 .text C:\WINDOWS\system32\igfxpers.exe[1888] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 01156390 .text C:\WINDOWS\system32\igfxpers.exe[1888] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 01156640 .text C:\WINDOWS\system32\igfxpers.exe[1888] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 011553D0 .text C:\WINDOWS\system32\igfxpers.exe[1888] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01155300 .text C:\WINDOWS\system32\igfxpers.exe[1888] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011511C0 .text C:\WINDOWS\system32\igfxpers.exe[1888] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01151290 .text C:\WINDOWS\system32\igfxpers.exe[1888] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 01152570 .text C:\WINDOWS\system32\igfxpers.exe[1888] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01151000 .text C:\WINDOWS\system32\igfxpers.exe[1888] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 011510A0 .text C:\WINDOWS\system32\igfxpers.exe[1888] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 01152510 .text C:\WINDOWS\system32\igfxpers.exe[1888] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01151D10 .text C:\WINDOWS\system32\igfxpers.exe[1888] WS2_32.dll!send 71A54C27 5 Bytes JMP 01157250 .text C:\WINDOWS\system32\igfxpers.exe[1888] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 011520A0 .text C:\WINDOWS\system32\igfxpers.exe[1888] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 011523A0 .text C:\WINDOWS\system32\igfxpers.exe[1888] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 01152160 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00F46390 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00F46640 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00F453D0 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00F45300 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F411C0 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F41290 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00F42570 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00F41000 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00F410A0 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00F42510 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00F41D10 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] WS2_32.dll!send 71A54C27 5 Bytes JMP 00F47250 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 00F420A0 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 00F423A0 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1912] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 00F42160 .text C:\WINDOWS\system32\wscntfy.exe[1952] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00B06390 .text C:\WINDOWS\system32\wscntfy.exe[1952] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00B06640 .text C:\WINDOWS\system32\wscntfy.exe[1952] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00B053D0 .text C:\WINDOWS\system32\wscntfy.exe[1952] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00B05300 .text C:\WINDOWS\system32\wscntfy.exe[1952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B011C0 .text C:\WINDOWS\system32\wscntfy.exe[1952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B01290 .text C:\WINDOWS\system32\wscntfy.exe[1952] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00B02570 .text C:\WINDOWS\system32\wscntfy.exe[1952] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00B01000 .text C:\WINDOWS\system32\wscntfy.exe[1952] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00B010A0 .text C:\WINDOWS\system32\wscntfy.exe[1952] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00B02510 .text C:\WINDOWS\system32\wscntfy.exe[1952] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00B01D10 .text C:\WINDOWS\system32\wscntfy.exe[1952] WS2_32.dll!send 71A54C27 5 Bytes JMP 00B07250 .text C:\WINDOWS\system32\wscntfy.exe[1952] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 00B020A0 .text C:\WINDOWS\system32\wscntfy.exe[1952] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 00B023A0 .text C:\WINDOWS\system32\wscntfy.exe[1952] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 00B02160 .text C:\Program Files\Messenger\msmsgs.exe[2032] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 00F36390 .text C:\Program Files\Messenger\msmsgs.exe[2032] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 00F36640 .text C:\Program Files\Messenger\msmsgs.exe[2032] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00F353D0 .text C:\Program Files\Messenger\msmsgs.exe[2032] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00F35300 .text C:\Program Files\Messenger\msmsgs.exe[2032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F311C0 .text C:\Program Files\Messenger\msmsgs.exe[2032] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F31290 .text C:\Program Files\Messenger\msmsgs.exe[2032] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 00F32570 .text C:\Program Files\Messenger\msmsgs.exe[2032] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 00F31000 .text C:\Program Files\Messenger\msmsgs.exe[2032] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 00F310A0 .text C:\Program Files\Messenger\msmsgs.exe[2032] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 00F32510 .text C:\Program Files\Messenger\msmsgs.exe[2032] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00F31D10 .text C:\Program Files\Messenger\msmsgs.exe[2032] WS2_32.dll!send 71A54C27 5 Bytes JMP 00F37250 .text C:\Program Files\Messenger\msmsgs.exe[2032] WININET.dll!HttpSendRequestA 771B60C1 5 Bytes JMP 00F320A0 .text C:\Program Files\Messenger\msmsgs.exe[2032] WININET.dll!InternetWriteFile 771E8E17 5 Bytes JMP 00F323A0 .text C:\Program Files\Messenger\msmsgs.exe[2032] WININET.dll!HttpSendRequestW 77203244 5 Bytes JMP 00F32160 ---- Registry - GMER 1.0.15 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Hzlklr C:\Documents and Settings\jan\Dane aplikacji\Hzlklr.exe ---- Files - GMER 1.0.15 ---- File C:\Documents and Settings\jan\Dane aplikacji\Hzlklr.exe 199680 bytes executable ---- EOF - GMER 1.0.15 ----