GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-14 20:49:17
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-00JHC0 rev.05.01C05 74,53GB
Running: zc4h2uwf.exe; Driver: C:\DOCUME~1\Zosia\USTAWI~1\Temp\pwpiaaow.sys

---- System - GMER 2.1 ----

SSDT sptd.sys ZwCreateKey [0xF74470B0]
SSDT sptd.sys ZwEnumerateKey [0xF744BD1C]
SSDT sptd.sys ZwEnumerateValueKey [0xF744C0BC]
SSDT sptd.sys ZwOpenKey [0xF7447090]
SSDT sptd.sys ZwQueryKey [0xF744C194]
SSDT sptd.sys ZwQueryValueKey [0xF744C014]
SSDT sptd.sys ZwSetValueKey [0xF744C226]

---- Kernel code sections - GMER 2.1 ----

? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
? C:\WINDOWS\System32\Drivers\SPTDDRV1.SYS Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6E08000, 0x1C5D38, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00C16390
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00C16640
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00C153D0
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00C15300
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C111C0
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C11290
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00C12570
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] kernel32.dll!CopyFileA
7C8286D6 5 Bytes JMP 00C11000 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00C110A0 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00C12510 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00C120A0 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00C123A0 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00C12160 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00C11D10 .text C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIHJE.EXE[256] WS2_32.dll!send 71A54C27 5 Bytes JMP 00C17250 .text C:\WINDOWS\Explorer.EXE[324] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01D76390 .text C:\WINDOWS\Explorer.EXE[324] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01D76640 .text C:\WINDOWS\Explorer.EXE[324] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 01D753D0 .text C:\WINDOWS\Explorer.EXE[324] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01D75300 .text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01D711C0 .text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01D71290 .text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01D72570 .text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01D71000 .text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 01D710A0 .text C:\WINDOWS\Explorer.EXE[324] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01D72510 .text C:\WINDOWS\Explorer.EXE[324] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 01D720A0 .text C:\WINDOWS\Explorer.EXE[324] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 01D723A0 .text 
C:\WINDOWS\Explorer.EXE[324] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01D72160 .text C:\WINDOWS\Explorer.EXE[324] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01D71D10 .text C:\WINDOWS\Explorer.EXE[324] WS2_32.dll!send 71A54C27 5 Bytes JMP 01D77250 .text C:\WINDOWS\System32\svchost.exe[424] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00C16390 .text C:\WINDOWS\System32\svchost.exe[424] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00C16640 .text C:\WINDOWS\System32\svchost.exe[424] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00C153D0 .text C:\WINDOWS\System32\svchost.exe[424] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00C15300 .text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C111C0 .text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C11290 .text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00C12570 .text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00C11000 .text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00C110A0 .text C:\WINDOWS\System32\svchost.exe[424] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00C12510 .text C:\WINDOWS\System32\svchost.exe[424] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00C11D10 .text C:\WINDOWS\System32\svchost.exe[424] WS2_32.dll!send 71A54C27 5 Bytes JMP 00C17250 .text C:\WINDOWS\System32\svchost.exe[424] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00C120A0 .text C:\WINDOWS\System32\svchost.exe[424] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00C123A0 .text C:\WINDOWS\System32\svchost.exe[424] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00C12160 .text C:\WINDOWS\system32\csrss.exe[540] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01196390 .text C:\WINDOWS\system32\csrss.exe[540] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01196640 .text C:\WINDOWS\system32\csrss.exe[540] ntdll.dll!NtResumeThread 
7C90DB20 5 Bytes JMP 011953D0 .text C:\WINDOWS\system32\csrss.exe[540] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01195300 .text C:\WINDOWS\system32\csrss.exe[540] KERNEL32.dll!CreateFileA 7C801A28 5 Bytes JMP 011911C0 .text C:\WINDOWS\system32\csrss.exe[540] KERNEL32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01191290 .text C:\WINDOWS\system32\csrss.exe[540] KERNEL32.dll!MoveFileW 7C821249 5 Bytes JMP 01192570 .text C:\WINDOWS\system32\csrss.exe[540] KERNEL32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01191000 .text C:\WINDOWS\system32\csrss.exe[540] KERNEL32.dll!CopyFileW 7C82F863 5 Bytes JMP 011910A0 .text C:\WINDOWS\system32\csrss.exe[540] KERNEL32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01192510 .text C:\WINDOWS\system32\csrss.exe[540] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01191D10 .text C:\WINDOWS\system32\csrss.exe[540] WS2_32.dll!send 71A54C27 5 Bytes JMP 01197250 .text C:\WINDOWS\system32\csrss.exe[540] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 011920A0 .text C:\WINDOWS\system32\csrss.exe[540] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 011923A0 .text C:\WINDOWS\system32\csrss.exe[540] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01192160 .text C:\WINDOWS\system32\winlogon.exe[576] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 018F6390 .text C:\WINDOWS\system32\winlogon.exe[576] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 018F6640 .text C:\WINDOWS\system32\winlogon.exe[576] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 018F53D0 .text C:\WINDOWS\system32\winlogon.exe[576] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 018F5300 .text C:\WINDOWS\system32\winlogon.exe[576] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 018F11C0 .text C:\WINDOWS\system32\winlogon.exe[576] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 018F1290 .text C:\WINDOWS\system32\winlogon.exe[576] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 018F2570 .text C:\WINDOWS\system32\winlogon.exe[576] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 018F1000 .text 
C:\WINDOWS\system32\winlogon.exe[576] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 018F10A0 .text C:\WINDOWS\system32\winlogon.exe[576] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 018F2510 .text C:\WINDOWS\system32\winlogon.exe[576] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 018F1D10 .text C:\WINDOWS\system32\winlogon.exe[576] WS2_32.dll!send 71A54C27 5 Bytes JMP 018F7250 .text C:\WINDOWS\system32\winlogon.exe[576] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 018F20A0 .text C:\WINDOWS\system32\winlogon.exe[576] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 018F23A0 .text C:\WINDOWS\system32\winlogon.exe[576] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 018F2160 .text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00CF6390 .text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00CF6640 .text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00CF53D0 .text C:\WINDOWS\system32\services.exe[628] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00CF5300 .text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CF11C0 .text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CF1290 .text C:\WINDOWS\system32\services.exe[628] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00CF2570 .text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00CF1000 .text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00CF10A0 .text C:\WINDOWS\system32\services.exe[628] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00CF2510 .text C:\WINDOWS\system32\services.exe[628] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00CF1D10 .text C:\WINDOWS\system32\services.exe[628] WS2_32.dll!send 71A54C27 5 Bytes JMP 00CF7250 .text C:\WINDOWS\system32\services.exe[628] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00CF20A0 .text 
C:\WINDOWS\system32\services.exe[628] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00CF23A0 .text C:\WINDOWS\system32\services.exe[628] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00CF2160 .text C:\WINDOWS\System32\svchost.exe[632] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00F76390 .text C:\WINDOWS\System32\svchost.exe[632] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00F76640 .text C:\WINDOWS\System32\svchost.exe[632] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00F753D0 .text C:\WINDOWS\System32\svchost.exe[632] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00F75300 .text C:\WINDOWS\System32\svchost.exe[632] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F711C0 .text C:\WINDOWS\System32\svchost.exe[632] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F71290 .text C:\WINDOWS\System32\svchost.exe[632] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00F72570 .text C:\WINDOWS\System32\svchost.exe[632] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00F71000 .text C:\WINDOWS\System32\svchost.exe[632] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00F710A0 .text C:\WINDOWS\System32\svchost.exe[632] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00F72510 .text C:\WINDOWS\System32\svchost.exe[632] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00F71D10 .text C:\WINDOWS\System32\svchost.exe[632] WS2_32.dll!send 71A54C27 5 Bytes JMP 00F77250 .text C:\WINDOWS\System32\svchost.exe[632] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00F720A0 .text C:\WINDOWS\System32\svchost.exe[632] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00F723A0 .text C:\WINDOWS\System32\svchost.exe[632] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00F72160 .text C:\WINDOWS\system32\Ati2evxx.exe[800] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00E16390 .text C:\WINDOWS\system32\Ati2evxx.exe[800] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00E16640 .text C:\WINDOWS\system32\Ati2evxx.exe[800] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00E153D0 .text 
C:\WINDOWS\system32\Ati2evxx.exe[800] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00E15300 .text C:\WINDOWS\system32\Ati2evxx.exe[800] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E111C0 .text C:\WINDOWS\system32\Ati2evxx.exe[800] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E11290 .text C:\WINDOWS\system32\Ati2evxx.exe[800] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00E12570 .text C:\WINDOWS\system32\Ati2evxx.exe[800] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00E11000 .text C:\WINDOWS\system32\Ati2evxx.exe[800] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00E110A0 .text C:\WINDOWS\system32\Ati2evxx.exe[800] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00E12510 .text C:\WINDOWS\system32\Ati2evxx.exe[800] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00E11D10 .text C:\WINDOWS\system32\Ati2evxx.exe[800] WS2_32.dll!send 71A54C27 5 Bytes JMP 00E17250 .text C:\WINDOWS\system32\Ati2evxx.exe[800] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00E120A0 .text C:\WINDOWS\system32\Ati2evxx.exe[800] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00E123A0 .text C:\WINDOWS\system32\Ati2evxx.exe[800] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00E12160 .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00FA6390 .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00FA6640 .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00FA53D0 .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00FA5300 .text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FA11C0 .text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FA1290 .text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00FA2570 .text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00FA1000 .text 
C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00FA10A0 .text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00FA2510 .text C:\WINDOWS\system32\svchost.exe[812] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00FA1D10 .text C:\WINDOWS\system32\svchost.exe[812] WS2_32.dll!send 71A54C27 5 Bytes JMP 00FA7250 .text C:\WINDOWS\system32\svchost.exe[812] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00FA20A0 .text C:\WINDOWS\system32\svchost.exe[812] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00FA23A0 .text C:\WINDOWS\system32\svchost.exe[812] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00FA2160 .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00C56390 .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00C56640 .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00C553D0 .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00C55300 .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C511C0 .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C51290 .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00C52570 .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00C51000 .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00C510A0 .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00C52510 .text C:\WINDOWS\system32\svchost.exe[892] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00C51D10 .text C:\WINDOWS\system32\svchost.exe[892] WS2_32.dll!send 71A54C27 5 Bytes JMP 00C57250 .text C:\WINDOWS\system32\svchost.exe[892] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00C520A0 .text C:\WINDOWS\system32\svchost.exe[892] 
WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00C523A0 .text C:\WINDOWS\system32\svchost.exe[892] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00C52160 .text C:\WINDOWS\System32\svchost.exe[956] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 03BD6390 .text C:\WINDOWS\System32\svchost.exe[956] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 03BD6640 .text C:\WINDOWS\System32\svchost.exe[956] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 03BD53D0 .text C:\WINDOWS\System32\svchost.exe[956] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 03BD5300 .text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03BD11C0 .text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 03BD1290 .text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 03BD2570 .text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 03BD1000 .text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 03BD10A0 .text C:\WINDOWS\System32\svchost.exe[956] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 03BD2510 .text C:\WINDOWS\System32\svchost.exe[956] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 03BD1D10 .text C:\WINDOWS\System32\svchost.exe[956] WS2_32.dll!send 71A54C27 5 Bytes JMP 03BD7250 .text C:\WINDOWS\System32\svchost.exe[956] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 03BD20A0 .text C:\WINDOWS\System32\svchost.exe[956] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 03BD23A0 .text C:\WINDOWS\System32\svchost.exe[956] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 03BD2160 .text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 007A6390 .text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 007A6640 .text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 007A53D0 .text C:\WINDOWS\System32\svchost.exe[1016] 
ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 007A5300 .text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007A11C0 .text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 007A1290 .text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 007A2570 .text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 007A1000 .text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 007A10A0 .text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 007A2510 .text C:\WINDOWS\System32\svchost.exe[1016] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 007A1D10 .text C:\WINDOWS\System32\svchost.exe[1016] WS2_32.dll!send 71A54C27 5 Bytes JMP 007A7250 .text C:\WINDOWS\System32\svchost.exe[1016] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 007A20A0 .text C:\WINDOWS\System32\svchost.exe[1016] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 007A23A0 .text C:\WINDOWS\System32\svchost.exe[1016] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 007A2160 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01266390 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01266640 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 012653D0 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01265300 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012611C0 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01261290 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01262570 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01261000 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] 
kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 012610A0 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01262510 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01261D10 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] WS2_32.dll!send 71A54C27 5 Bytes JMP 01267250 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 012620A0 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 012623A0 .text C:\WINDOWS\system32\Ati2evxx.exe[1128] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01262160 .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 010C6390 .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 010C6640 .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 010C53D0 .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 010C5300 .text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateFileA 7C801A28 3 Bytes JMP 010C11C0 .text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateFileA + 4 7C801A2C 1 Byte [84] .text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateFileW 7C8107F0 3 Bytes JMP 010C1290 .text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CreateFileW + 4 7C8107F4 1 Byte [84] .text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 010C2570 .text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 010C1000 .text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 010C10A0 .text C:\WINDOWS\System32\svchost.exe[1136] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 010C2510 .text C:\WINDOWS\System32\svchost.exe[1136] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 010C1D10 .text C:\WINDOWS\System32\svchost.exe[1136] WS2_32.dll!send 71A54C27 5 
Bytes JMP 010C7250 .text C:\WINDOWS\System32\svchost.exe[1136] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 010C20A0 .text C:\WINDOWS\System32\svchost.exe[1136] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 010C23A0 .text C:\WINDOWS\System32\svchost.exe[1136] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 010C2160 .text C:\WINDOWS\system32\spoolsv.exe[1300] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00FB6390 .text C:\WINDOWS\system32\spoolsv.exe[1300] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00FB6640 .text C:\WINDOWS\system32\spoolsv.exe[1300] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00FB53D0 .text C:\WINDOWS\system32\spoolsv.exe[1300] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00FB5300 .text C:\WINDOWS\system32\spoolsv.exe[1300] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB11C0 .text C:\WINDOWS\system32\spoolsv.exe[1300] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FB1290 .text C:\WINDOWS\system32\spoolsv.exe[1300] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00FB2570 .text C:\WINDOWS\system32\spoolsv.exe[1300] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00FB1000 .text C:\WINDOWS\system32\spoolsv.exe[1300] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00FB10A0 .text C:\WINDOWS\system32\spoolsv.exe[1300] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00FB2510 .text C:\WINDOWS\system32\spoolsv.exe[1300] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00FB1D10 .text C:\WINDOWS\system32\spoolsv.exe[1300] WS2_32.dll!send 71A54C27 5 Bytes JMP 00FB7250 .text C:\WINDOWS\system32\spoolsv.exe[1300] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00FB20A0 .text C:\WINDOWS\system32\spoolsv.exe[1300] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00FB23A0 .text C:\WINDOWS\system32\spoolsv.exe[1300] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00FB2160 .text C:\WINDOWS\System32\alg.exe[1412] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00B06390 .text C:\WINDOWS\System32\alg.exe[1412] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 
Bytes JMP 00B06640 .text C:\WINDOWS\System32\alg.exe[1412] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00B053D0 .text C:\WINDOWS\System32\alg.exe[1412] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00B05300 .text C:\WINDOWS\System32\alg.exe[1412] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B011C0 .text C:\WINDOWS\System32\alg.exe[1412] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B01290 .text C:\WINDOWS\System32\alg.exe[1412] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00B02570 .text C:\WINDOWS\System32\alg.exe[1412] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00B01000 .text C:\WINDOWS\System32\alg.exe[1412] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00B010A0 .text C:\WINDOWS\System32\alg.exe[1412] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00B02510 .text C:\WINDOWS\System32\alg.exe[1412] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00B01D10 .text C:\WINDOWS\System32\alg.exe[1412] WS2_32.dll!send 71A54C27 5 Bytes JMP 00B07250 .text C:\WINDOWS\System32\alg.exe[1412] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00B020A0 .text C:\WINDOWS\System32\alg.exe[1412] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00B023A0 .text C:\WINDOWS\System32\alg.exe[1412] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00B02160 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 02106390 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 02106640 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 021053D0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 02105300 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 021011C0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02101290 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 02102570 .text 
C:\Program Files\Java\jre7\bin\jqs.exe[1780] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 02101000 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 021010A0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 02102510 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 02101D10 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] WS2_32.dll!send 71A54C27 5 Bytes JMP 02107250 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 021020A0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 021023A0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1780] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 02102160 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 009F6390 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 009F6640 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 009F53D0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 009F5300 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009F11C0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 009F1290 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 009F2570 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 009F1000 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 009F10A0 .text C:\Program 
Files\Common Files\Java\Java Update\jusched.exe[1848] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 009F2510 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 009F20A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 009F23A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 009F2160 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 009F1D10 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1848] WS2_32.dll!send 71A54C27 5 Bytes JMP 009F7250 .text C:\WINDOWS\system32\ctfmon.exe[1892] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00A46390 .text C:\WINDOWS\system32\ctfmon.exe[1892] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00A46640 .text C:\WINDOWS\system32\ctfmon.exe[1892] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00A453D0 .text C:\WINDOWS\system32\ctfmon.exe[1892] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A45300 .text C:\WINDOWS\system32\ctfmon.exe[1892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A411C0 .text C:\WINDOWS\system32\ctfmon.exe[1892] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A41290 .text C:\WINDOWS\system32\ctfmon.exe[1892] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00A42570 .text C:\WINDOWS\system32\ctfmon.exe[1892] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00A41000 .text C:\WINDOWS\system32\ctfmon.exe[1892] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00A410A0 .text C:\WINDOWS\system32\ctfmon.exe[1892] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00A42510 .text C:\WINDOWS\system32\ctfmon.exe[1892] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00A41D10 .text C:\WINDOWS\system32\ctfmon.exe[1892] WS2_32.dll!send 71A54C27 5 Bytes JMP 00A47250 .text C:\WINDOWS\system32\ctfmon.exe[1892] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 
00A420A0
.text C:\WINDOWS\system32\ctfmon.exe[1892] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00A423A0
.text C:\WINDOWS\system32\ctfmon.exe[1892] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00A42160
.text D:\mozilla\firefox.exe[2620] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00166390
.text D:\mozilla\firefox.exe[2620] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00166640
.text D:\mozilla\firefox.exe[2620] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001653D0
.text D:\mozilla\firefox.exe[2620] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 017EDFF0 D:\mozilla\xul.dll
.text D:\mozilla\firefox.exe[2620] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 01F79796 D:\mozilla\xul.dll
.text D:\mozilla\firefox.exe[2620] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 01F79773 D:\mozilla\xul.dll
.text D:\mozilla\firefox.exe[2620] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 017F5F1A D:\mozilla\xul.dll
.text D:\mozilla\firefox.exe[2620] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 01F796F4 D:\mozilla\xul.dll
.text D:\mozilla\firefox.exe[2620] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10
.text D:\mozilla\firefox.exe[2620] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250
.text D:\mozilla\firefox.exe[2620] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 001620A0
.text D:\mozilla\firefox.exe[2620] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 001623A0
.text D:\mozilla\firefox.exe[2620] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00162160
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00066390
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00066640
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 000653D0
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00065300
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 000611C0
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00061290
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00062570
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00061000
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 000610A0
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00062510
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 000620A0
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 000623A0
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00062160
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00061D10
.text C:\Documents and Settings\Zosia\Pulpit\FRST.exe[3304] WS2_32.dll!send 71A54C27 5 Bytes JMP 00067250
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00166390
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00166640
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001653D0
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00165300
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001611C0
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00161290
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00162570
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00161000
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 001610A0
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00162510
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 001620A0
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 001623A0
.text C:\Documents and Settings\Zosia\Pulpit\OTL.exe[3532] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00162160
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00166390
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00166640
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001653D0
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00165300
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001611C0
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00161290
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00162570
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00161000
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 001610A0
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00162510
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 001620A0
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 001623A0
.text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3828] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00162160

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs 82F6D1D8
Device \Driver\usbohci \Device\USBPDO-0 82F078F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 82FD51D8
Device \Driver\dmio \Device\DmControl\DmConfig 82FD51D8
Device \Driver\dmio \Device\DmControl\DmPnP 82FD51D8
Device \Driver\dmio \Device\DmControl\DmInfo 82FD51D8
Device \Driver\usbohci \Device\USBPDO-1 82F078F8
Device \Driver\usbehci \Device\USBPDO-2 82E2D1D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{02084701-7957-48C3-BB20-5D99C22B9CDD} 82EEA660
Device \Driver\Ftdisk \Device\HarddiskVolume2 82F6F1D8
Device \Driver\Cdrom \Device\CdRom0 82E2E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F739AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F739AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F739AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e [F739AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 82EEA660
Device \Driver\NetBT \Device\NetbiosSmb 82EEA660
Device \Driver\usbohci \Device\USBFDO-0 82F078F8
Device \Driver\usbohci \Device\USBFDO-1 82F078F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82A1D990
Device \Driver\usbehci \Device\USBFDO-2 82E2D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82A1D990
Device \Driver\Ftdisk \Device\FtControl 82F6F1D8
Device \FileSystem\Cdfs \Cdfs 82C54420

---- Trace I/O - GMER 2.1 ----

Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x82f9073c]<< 82f9073c
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f45ab8] 82f45ab8
Trace 3 CLASSPNP.SYS[f756ffd7] -> nt!IofCallDriver -> \Device\0000005c[0x82f3cf18] 82f3cf18
Trace 5 ACPI.sys[f7405620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82ee3940] 82ee3940

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1445892982
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -425509669
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0xEA 0xB2 0x4E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0xEA 0xB2 0x4E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x74 0x40 0xA5 0x5A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF0 0xF7 0x87 0xAC ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x8E 0x40 0x18 0xBE ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Xyqmqj C:\Documents and Settings\Zosia\Dane aplikacji\Xyqmqj.exe
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\Documents and Settings\Zosia\Dane aplikacji\Xyqmqj.exe Xyqmqj
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@@C:\WINDOWS\system32\SHELL32.dll,-22912 Pokazuje skr?ty do witryn sieci Web, komputer?w sieciowych i witryn FTP.

---- Files - GMER 2.1 ----

File C:\Documents and Settings\Zosia\Dane aplikacji\Xyqmqj.exe 131732 bytes executable

---- EOF - GMER 2.1 ----