GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-15 16:11:31 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-00JHC0 rev.05.01C05 74,53GB Running: zc4h2uwf.exe; Driver: C:\DOCUME~1\Zosia\USTAWI~1\Temp\pwpiaaow.sys ---- System - GMER 2.1 ---- INT 0x62 ? 82FA4CB8 INT 0x63 ? 82D5CCB8 INT 0x73 ? 82D5CCB8 INT 0x82 ? 82FA4CB8 INT 0x83 ? 82D5CCB8 ---- Kernel code sections - GMER 2.1 ---- .sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF74DFCF2] .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xEFF41000, 0x1C5D38, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\svchost.exe[416] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 000A6390 .text C:\WINDOWS\System32\svchost.exe[416] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 000A6640 .text C:\WINDOWS\System32\svchost.exe[416] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 000A53D0 .text C:\WINDOWS\System32\svchost.exe[416] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000A5300 .text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 000A11C0 .text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 000A1290 .text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 000A2570 .text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 000A1000 .text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 000A10A0 .text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 000A2510 .text C:\WINDOWS\System32\svchost.exe[416] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 000A1D10 .text C:\WINDOWS\System32\svchost.exe[416] WS2_32.dll!send 71A54C27 5 Bytes JMP 000A7250 .text C:\WINDOWS\System32\svchost.exe[416] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 000A20A0 .text C:\WINDOWS\System32\svchost.exe[416] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 000A23A0 .text C:\WINDOWS\System32\svchost.exe[416] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 000A2160 .text C:\WINDOWS\System32\alg.exe[460] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00B06390 .text C:\WINDOWS\System32\alg.exe[460] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00B06640 .text C:\WINDOWS\System32\alg.exe[460] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00B053D0 .text C:\WINDOWS\System32\alg.exe[460] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00B05300 .text C:\WINDOWS\System32\alg.exe[460] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B011C0 .text C:\WINDOWS\System32\alg.exe[460] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B01290 .text C:\WINDOWS\System32\alg.exe[460] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00B02570 .text C:\WINDOWS\System32\alg.exe[460] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00B01000 .text C:\WINDOWS\System32\alg.exe[460] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00B010A0 .text C:\WINDOWS\System32\alg.exe[460] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00B02510 .text C:\WINDOWS\System32\alg.exe[460] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00B01D10 .text C:\WINDOWS\System32\alg.exe[460] WS2_32.dll!send 71A54C27 5 Bytes JMP 00B07250 .text C:\WINDOWS\System32\alg.exe[460] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00B020A0 .text C:\WINDOWS\System32\alg.exe[460] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00B023A0 .text C:\WINDOWS\System32\alg.exe[460] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00B02160 .text C:\WINDOWS\system32\csrss.exe[496] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01166390 .text C:\WINDOWS\system32\csrss.exe[496] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01166640 .text C:\WINDOWS\system32\csrss.exe[496] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 011653D0 .text C:\WINDOWS\system32\csrss.exe[496] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01165300 .text C:\WINDOWS\system32\csrss.exe[496] KERNEL32.dll!CreateFileA 7C801A28 5 Bytes JMP 011611C0 .text C:\WINDOWS\system32\csrss.exe[496] KERNEL32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01161290 .text C:\WINDOWS\system32\csrss.exe[496] KERNEL32.dll!MoveFileW 7C821249 5 Bytes JMP 01162570 .text C:\WINDOWS\system32\csrss.exe[496] KERNEL32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01161000 .text C:\WINDOWS\system32\csrss.exe[496] KERNEL32.dll!CopyFileW 7C82F863 5 Bytes JMP 011610A0 .text C:\WINDOWS\system32\csrss.exe[496] KERNEL32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01162510 .text C:\WINDOWS\system32\csrss.exe[496] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01161D10 .text C:\WINDOWS\system32\csrss.exe[496] WS2_32.dll!send 71A54C27 5 Bytes JMP 01167250 .text C:\WINDOWS\system32\csrss.exe[496] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 011620A0 .text C:\WINDOWS\system32\csrss.exe[496] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 011623A0 .text C:\WINDOWS\system32\csrss.exe[496] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01162160 .text C:\WINDOWS\system32\winlogon.exe[532] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01A86390 .text C:\WINDOWS\system32\winlogon.exe[532] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01A86640 .text C:\WINDOWS\system32\winlogon.exe[532] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 01A853D0 .text C:\WINDOWS\system32\winlogon.exe[532] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01A85300 .text C:\WINDOWS\system32\winlogon.exe[532] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01A811C0 .text C:\WINDOWS\system32\winlogon.exe[532] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01A81290 .text C:\WINDOWS\system32\winlogon.exe[532] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01A82570 .text C:\WINDOWS\system32\winlogon.exe[532] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01A81000 .text C:\WINDOWS\system32\winlogon.exe[532] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 01A810A0 .text C:\WINDOWS\system32\winlogon.exe[532] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01A82510 .text C:\WINDOWS\system32\winlogon.exe[532] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01A81D10 .text C:\WINDOWS\system32\winlogon.exe[532] WS2_32.dll!send 71A54C27 5 Bytes JMP 01A87250 .text C:\WINDOWS\system32\winlogon.exe[532] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 01A820A0 .text C:\WINDOWS\system32\winlogon.exe[532] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 01A823A0 .text C:\WINDOWS\system32\winlogon.exe[532] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01A82160 .text C:\WINDOWS\system32\services.exe[576] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00FB6390 .text C:\WINDOWS\system32\services.exe[576] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00FB6640 .text C:\WINDOWS\system32\services.exe[576] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00FB53D0 .text C:\WINDOWS\system32\services.exe[576] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00FB5300 .text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB11C0 .text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FB1290 .text C:\WINDOWS\system32\services.exe[576] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00FB2570 .text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00FB1000 .text C:\WINDOWS\system32\services.exe[576] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00FB10A0 .text C:\WINDOWS\system32\services.exe[576] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00FB2510 .text C:\WINDOWS\system32\services.exe[576] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00FB1D10 .text C:\WINDOWS\system32\services.exe[576] WS2_32.dll!send 71A54C27 5 Bytes JMP 00FB7250 .text C:\WINDOWS\system32\services.exe[576] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00FB20A0 .text C:\WINDOWS\system32\services.exe[576] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00FB23A0 .text C:\WINDOWS\system32\services.exe[576] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00FB2160 .text C:\WINDOWS\system32\Ati2evxx.exe[744] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00E16390 .text C:\WINDOWS\system32\Ati2evxx.exe[744] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00E16640 .text C:\WINDOWS\system32\Ati2evxx.exe[744] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00E153D0 .text C:\WINDOWS\system32\Ati2evxx.exe[744] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00E15300 .text C:\WINDOWS\system32\Ati2evxx.exe[744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E111C0 .text C:\WINDOWS\system32\Ati2evxx.exe[744] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E11290 .text C:\WINDOWS\system32\Ati2evxx.exe[744] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00E12570 .text C:\WINDOWS\system32\Ati2evxx.exe[744] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00E11000 .text C:\WINDOWS\system32\Ati2evxx.exe[744] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00E110A0 .text C:\WINDOWS\system32\Ati2evxx.exe[744] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00E12510 .text C:\WINDOWS\system32\Ati2evxx.exe[744] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00E11D10 .text C:\WINDOWS\system32\Ati2evxx.exe[744] WS2_32.dll!send 71A54C27 5 Bytes JMP 00E17250 .text C:\WINDOWS\system32\Ati2evxx.exe[744] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00E120A0 .text C:\WINDOWS\system32\Ati2evxx.exe[744] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00E123A0 .text C:\WINDOWS\system32\Ati2evxx.exe[744] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00E12160 .text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00F66390 .text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00F66640 .text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00F653D0 .text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00F65300 .text C:\WINDOWS\system32\svchost.exe[756] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F611C0 .text C:\WINDOWS\system32\svchost.exe[756] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F61290 .text C:\WINDOWS\system32\svchost.exe[756] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00F62570 .text C:\WINDOWS\system32\svchost.exe[756] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00F61000 .text C:\WINDOWS\system32\svchost.exe[756] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00F610A0 .text C:\WINDOWS\system32\svchost.exe[756] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00F62510 .text C:\WINDOWS\system32\svchost.exe[756] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00F61D10 .text C:\WINDOWS\system32\svchost.exe[756] WS2_32.dll!send 71A54C27 5 Bytes JMP 00F67250 .text C:\WINDOWS\system32\svchost.exe[756] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00F620A0 .text C:\WINDOWS\system32\svchost.exe[756] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00F623A0 .text C:\WINDOWS\system32\svchost.exe[756] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00F62160 .text C:\WINDOWS\system32\svchost.exe[832] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00C66390 .text C:\WINDOWS\system32\svchost.exe[832] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00C66640 .text C:\WINDOWS\system32\svchost.exe[832] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00C653D0 .text C:\WINDOWS\system32\svchost.exe[832] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00C65300 .text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C611C0 .text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C61290 .text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00C62570 .text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00C61000 .text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00C610A0 .text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00C62510 .text C:\WINDOWS\system32\svchost.exe[832] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00C61D10 .text C:\WINDOWS\system32\svchost.exe[832] WS2_32.dll!send 71A54C27 5 Bytes JMP 00C67250 .text C:\WINDOWS\system32\svchost.exe[832] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00C620A0 .text C:\WINDOWS\system32\svchost.exe[832] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00C623A0 .text C:\WINDOWS\system32\svchost.exe[832] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00C62160 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 009F6390 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 009F6640 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 009F53D0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 009F5300 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009F11C0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 009F1290 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 009F2570 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 009F1000 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 009F10A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 009F2510 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 009F20A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 009F23A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 009F2160 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 009F1D10 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[876] WS2_32.dll!send 71A54C27 5 Bytes JMP 009F7250 .text C:\WINDOWS\system32\ctfmon.exe[892] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 009E6390 .text C:\WINDOWS\system32\ctfmon.exe[892] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 009E6640 .text C:\WINDOWS\system32\ctfmon.exe[892] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 009E53D0 .text C:\WINDOWS\system32\ctfmon.exe[892] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 009E5300 .text C:\WINDOWS\system32\ctfmon.exe[892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009E11C0 .text C:\WINDOWS\system32\ctfmon.exe[892] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 009E1290 .text C:\WINDOWS\system32\ctfmon.exe[892] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 009E2570 .text C:\WINDOWS\system32\ctfmon.exe[892] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 009E1000 .text C:\WINDOWS\system32\ctfmon.exe[892] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 009E10A0 .text C:\WINDOWS\system32\ctfmon.exe[892] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 009E2510 .text C:\WINDOWS\system32\ctfmon.exe[892] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 009E1D10 .text C:\WINDOWS\system32\ctfmon.exe[892] WS2_32.dll!send 71A54C27 5 Bytes JMP 009E7250 .text C:\WINDOWS\system32\ctfmon.exe[892] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 009E20A0 .text C:\WINDOWS\system32\ctfmon.exe[892] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 009E23A0 .text C:\WINDOWS\system32\ctfmon.exe[892] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 009E2160 .text C:\WINDOWS\System32\svchost.exe[896] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 02F56390 .text C:\WINDOWS\System32\svchost.exe[896] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 02F56640 .text C:\WINDOWS\System32\svchost.exe[896] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 02F553D0 .text C:\WINDOWS\System32\svchost.exe[896] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 02F55300 .text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02F511C0 .text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02F51290 .text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 02F52570 .text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 02F51000 .text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 02F510A0 .text C:\WINDOWS\System32\svchost.exe[896] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 02F52510 .text C:\WINDOWS\System32\svchost.exe[896] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 02F51D10 .text C:\WINDOWS\System32\svchost.exe[896] WS2_32.dll!send 71A54C27 5 Bytes JMP 02F57250 .text C:\WINDOWS\System32\svchost.exe[896] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 02F520A0 .text C:\WINDOWS\System32\svchost.exe[896] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 02F523A0 .text C:\WINDOWS\System32\svchost.exe[896] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 02F52160 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 009F6390 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 009F6640 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 009F53D0 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 009F5300 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009F11C0 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 009F1290 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 009F2570 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 009F1000 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 009F10A0 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 009F2510 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 009F1D10 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] WS2_32.dll!send 71A54C27 5 Bytes JMP 009F7250 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 009F20A0 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 009F23A0 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[972] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 009F2160 .text C:\Program Files\Messenger\msmsgs.exe[992] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00D46390 .text C:\Program Files\Messenger\msmsgs.exe[992] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00D46640 .text C:\Program Files\Messenger\msmsgs.exe[992] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00D453D0 .text C:\Program Files\Messenger\msmsgs.exe[992] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00D45300 .text C:\Program Files\Messenger\msmsgs.exe[992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D411C0 .text C:\Program Files\Messenger\msmsgs.exe[992] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D41290 .text C:\Program Files\Messenger\msmsgs.exe[992] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00D42570 .text C:\Program Files\Messenger\msmsgs.exe[992] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00D41000 .text C:\Program Files\Messenger\msmsgs.exe[992] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00D410A0 .text C:\Program Files\Messenger\msmsgs.exe[992] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00D42510 .text C:\Program Files\Messenger\msmsgs.exe[992] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00D41D10 .text C:\Program Files\Messenger\msmsgs.exe[992] WS2_32.dll!send 71A54C27 5 Bytes JMP 00D47250 .text C:\Program Files\Messenger\msmsgs.exe[992] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00D420A0 .text C:\Program Files\Messenger\msmsgs.exe[992] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00D423A0 .text C:\Program Files\Messenger\msmsgs.exe[992] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00D42160 .text C:\WINDOWS\system32\Ati2evxx.exe[996] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01266390 .text C:\WINDOWS\system32\Ati2evxx.exe[996] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01266640 .text C:\WINDOWS\system32\Ati2evxx.exe[996] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 012653D0 .text C:\WINDOWS\system32\Ati2evxx.exe[996] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01265300 .text C:\WINDOWS\system32\Ati2evxx.exe[996] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 012611C0 .text C:\WINDOWS\system32\Ati2evxx.exe[996] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01261290 .text C:\WINDOWS\system32\Ati2evxx.exe[996] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01262570 .text C:\WINDOWS\system32\Ati2evxx.exe[996] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01261000 .text C:\WINDOWS\system32\Ati2evxx.exe[996] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 012610A0 .text C:\WINDOWS\system32\Ati2evxx.exe[996] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01262510 .text C:\WINDOWS\system32\Ati2evxx.exe[996] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01261D10 .text C:\WINDOWS\system32\Ati2evxx.exe[996] WS2_32.dll!send 71A54C27 5 Bytes JMP 01267250 .text C:\WINDOWS\system32\Ati2evxx.exe[996] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 012620A0 .text C:\WINDOWS\system32\Ati2evxx.exe[996] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 012623A0 .text C:\WINDOWS\system32\Ati2evxx.exe[996] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01262160 .text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 007A6390 .text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 007A6640 .text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 007A53D0 .text C:\WINDOWS\System32\svchost.exe[1032] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 007A5300 .text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007A11C0 .text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 007A1290 .text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 007A2570 .text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 007A1000 .text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 007A10A0 .text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 007A2510 .text C:\WINDOWS\System32\svchost.exe[1032] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 007A1D10 .text C:\WINDOWS\System32\svchost.exe[1032] WS2_32.dll!send 71A54C27 5 Bytes JMP 007A7250 .text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 007A20A0 .text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 007A23A0 .text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 007A2160 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01406390 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01406640 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 014053D0 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01405300 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014011C0 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01401290 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01402570 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01401000 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 014010A0 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01402510 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01401D10 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] WS2_32.dll!send 71A54C27 5 Bytes JMP 01407250 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 014020A0 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 014023A0 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1152] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01402160 .text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00C96390 .text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00C96640 .text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00C953D0 .text C:\WINDOWS\System32\svchost.exe[1228] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00C95300 .text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C911C0 .text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C91290 .text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00C92570 .text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00C91000 .text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00C910A0 .text C:\WINDOWS\System32\svchost.exe[1228] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00C92510 .text C:\WINDOWS\System32\svchost.exe[1228] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00C91D10 .text C:\WINDOWS\System32\svchost.exe[1228] WS2_32.dll!send 71A54C27 5 Bytes JMP 00C97250 .text C:\WINDOWS\System32\svchost.exe[1228] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00C920A0 .text C:\WINDOWS\System32\svchost.exe[1228] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00C923A0 .text C:\WINDOWS\System32\svchost.exe[1228] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00C92160 .text C:\WINDOWS\Explorer.EXE[1260] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 02216390 .text C:\WINDOWS\Explorer.EXE[1260] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 02216640 .text C:\WINDOWS\Explorer.EXE[1260] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 022153D0 .text C:\WINDOWS\Explorer.EXE[1260] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 02215300 .text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 022111C0 .text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02211290 .text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 02212570 .text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 02211000 .text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 022110A0 .text C:\WINDOWS\Explorer.EXE[1260] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 02212510 .text C:\WINDOWS\Explorer.EXE[1260] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 022120A0 .text C:\WINDOWS\Explorer.EXE[1260] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 022123A0 .text C:\WINDOWS\Explorer.EXE[1260] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 02212160 .text C:\WINDOWS\Explorer.EXE[1260] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 02211D10 .text C:\WINDOWS\Explorer.EXE[1260] WS2_32.dll!send 71A54C27 5 Bytes JMP 02217250 .text C:\WINDOWS\system32\spoolsv.exe[1396] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00FB6390 .text C:\WINDOWS\system32\spoolsv.exe[1396] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00FB6640 .text C:\WINDOWS\system32\spoolsv.exe[1396] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00FB53D0 .text C:\WINDOWS\system32\spoolsv.exe[1396] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00FB5300 .text C:\WINDOWS\system32\spoolsv.exe[1396] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB11C0 .text C:\WINDOWS\system32\spoolsv.exe[1396] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FB1290 .text C:\WINDOWS\system32\spoolsv.exe[1396] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00FB2570 .text C:\WINDOWS\system32\spoolsv.exe[1396] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00FB1000 .text C:\WINDOWS\system32\spoolsv.exe[1396] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00FB10A0 .text C:\WINDOWS\system32\spoolsv.exe[1396] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00FB2510 .text C:\WINDOWS\system32\spoolsv.exe[1396] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00FB1D10 .text C:\WINDOWS\system32\spoolsv.exe[1396] WS2_32.dll!send 71A54C27 5 Bytes JMP 00FB7250 .text C:\WINDOWS\system32\spoolsv.exe[1396] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00FB20A0 .text C:\WINDOWS\system32\spoolsv.exe[1396] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00FB23A0 .text C:\WINDOWS\system32\spoolsv.exe[1396] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00FB2160 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 002A6390 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 002A6640 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 002A53D0 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 002A5300 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 002A11C0 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 002A1290 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 002A2570 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 002A1000 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 002A10A0 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 002A2510 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 002A1D10 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] WS2_32.dll!send 71A54C27 5 Bytes JMP 002A7250 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 002A20A0 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 002A23A0 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1436] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 002A2160 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01C86390 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01C86640 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 01C853D0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01C85300 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01C811C0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01C81290 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01C82570 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01C81000 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 01C810A0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01C82510 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01C81D10 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] WS2_32.dll!send 71A54C27 5 Bytes JMP 01C87250 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 01C820A0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 01C823A0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1760] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01C82160 .text C:\WINDOWS\System32\svchost.exe[1864] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00BD6390 .text C:\WINDOWS\System32\svchost.exe[1864] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00BD6640 .text C:\WINDOWS\System32\svchost.exe[1864] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00BD53D0 .text C:\WINDOWS\System32\svchost.exe[1864] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00BD5300 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD11C0 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BD1290 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00BD2570 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00BD1000 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00BD10A0 .text C:\WINDOWS\System32\svchost.exe[1864] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00BD2510 .text C:\WINDOWS\System32\svchost.exe[1864] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00BD1D10 .text C:\WINDOWS\System32\svchost.exe[1864] WS2_32.dll!send 71A54C27 5 Bytes JMP 00BD7250 .text C:\WINDOWS\System32\svchost.exe[1864] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00BD20A0 .text C:\WINDOWS\System32\svchost.exe[1864] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00BD23A0 .text C:\WINDOWS\System32\svchost.exe[1864] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00BD2160 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00166390 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00166640 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001653D0 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00165300 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001611C0 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00161290 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00162570 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00161000 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 001610A0 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00162510 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 001620A0 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 001623A0 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3080] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00162160 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 82FA31F8 Device \Driver\usbohci \Device\USBPDO-0 82F2D1F8 Device \Driver\usbohci \Device\USBPDO-1 82F2D1F8 Device \Driver\usbehci \Device\USBPDO-2 82F2C1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{02084701-7957-48C3-BB20-5D99C22B9CDD} 82CFE440 Device \Driver\Cdrom \Device\CdRom0 82B8F1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F73A8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F73A8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F73A8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e [F73A8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 82CFE440 Device \Driver\NetBT \Device\NetbiosSmb 82CFE440 Device \Driver\usbohci \Device\USBFDO-0 82F2D1F8 Device \Driver\usbohci \Device\USBFDO-1 82F2D1F8 Device \Driver\usbehci \Device\USBFDO-2 82F2C1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82C2C440 Device \FileSystem\MRxSmb \Device\LanmanRedirector 82C2C440 Device \FileSystem\Cdfs \Cdfs 82D00440 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0xEA 0xB2 0x4E ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0xEA 0xB2 0x4E ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x74 0x40 0xA5 0x5A ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF0 0xF7 0x87 0xAC ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x8E 0x40 0x18 0xBE ... Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\Documents and Settings\Zosia\Dane aplikacji\Xyqmqj.exe Xyqmqj ---- Files - GMER 2.1 ---- File C:\Documents and Settings\Zosia\Dane aplikacji\Xyqmqj.exe 131732 bytes executable ---- EOF - GMER 2.1 ----