GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-16 17:50:19 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-00JHC0 rev.05.01C05 74,53GB Running: zc4h2uwf.exe; Driver: C:\DOCUME~1\Zosia\USTAWI~1\Temp\pwpiaaow.sys ---- System - GMER 2.1 ---- INT 0x62 ? 82FA4CB8 INT 0x63 ? 82D0EF00 INT 0x73 ? 82D0EF00 INT 0x83 ? 82D0EF00 ---- Kernel code sections - GMER 2.1 ---- .sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF74DFCF2] .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF0082000, 0x1C5D38, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\svchost.exe[364] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 000A6390 .text C:\WINDOWS\System32\svchost.exe[364] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 000A6640 .text C:\WINDOWS\System32\svchost.exe[364] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 000A53D0 .text C:\WINDOWS\System32\svchost.exe[364] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000A5300 .text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 000A11C0 .text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 000A1290 .text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 000A2570 .text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 000A1000 .text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 000A10A0 .text C:\WINDOWS\System32\svchost.exe[364] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 000A2510 .text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 000A1D10 .text C:\WINDOWS\System32\svchost.exe[364] WS2_32.dll!send 71A54C27 5 Bytes JMP 000A7250 .text C:\WINDOWS\System32\svchost.exe[364] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 000A20A0 .text C:\WINDOWS\System32\svchost.exe[364] 
WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 000A23A0 .text C:\WINDOWS\System32\svchost.exe[364] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 000A2160 .text D:\mozilla\firefox.exe[456] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00166390 .text D:\mozilla\firefox.exe[456] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00166640 .text D:\mozilla\firefox.exe[456] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001653D0 .text D:\mozilla\firefox.exe[456] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 017EDFF0 D:\mozilla\xul.dll .text D:\mozilla\firefox.exe[456] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 01F79796 D:\mozilla\xul.dll .text D:\mozilla\firefox.exe[456] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 01F79773 D:\mozilla\xul.dll .text D:\mozilla\firefox.exe[456] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 017F5F1A D:\mozilla\xul.dll .text D:\mozilla\firefox.exe[456] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 01F796F4 D:\mozilla\xul.dll .text D:\mozilla\firefox.exe[456] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10 .text D:\mozilla\firefox.exe[456] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250 .text D:\mozilla\firefox.exe[456] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 001620A0 .text D:\mozilla\firefox.exe[456] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 001623A0 .text D:\mozilla\firefox.exe[456] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00162160 .text C:\WINDOWS\system32\csrss.exe[492] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01116390 .text C:\WINDOWS\system32\csrss.exe[492] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01116640 .text C:\WINDOWS\system32\csrss.exe[492] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 011153D0 .text C:\WINDOWS\system32\csrss.exe[492] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01115300 .text C:\WINDOWS\system32\csrss.exe[492] KERNEL32.dll!CreateFileA 7C801A28 5 Bytes JMP 011111C0 .text C:\WINDOWS\system32\csrss.exe[492] 
KERNEL32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01111290 .text C:\WINDOWS\system32\csrss.exe[492] KERNEL32.dll!MoveFileW 7C821249 5 Bytes JMP 01112570 .text C:\WINDOWS\system32\csrss.exe[492] KERNEL32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01111000 .text C:\WINDOWS\system32\csrss.exe[492] KERNEL32.dll!CopyFileW 7C82F863 5 Bytes JMP 011110A0 .text C:\WINDOWS\system32\csrss.exe[492] KERNEL32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01112510 .text C:\WINDOWS\system32\csrss.exe[492] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01111D10 .text C:\WINDOWS\system32\csrss.exe[492] WS2_32.dll!send 71A54C27 5 Bytes JMP 01117250 .text C:\WINDOWS\system32\csrss.exe[492] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 011120A0 .text C:\WINDOWS\system32\csrss.exe[492] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 011123A0 .text C:\WINDOWS\system32\csrss.exe[492] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01112160 .text C:\WINDOWS\system32\winlogon.exe[524] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01976390 .text C:\WINDOWS\system32\winlogon.exe[524] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01976640 .text C:\WINDOWS\system32\winlogon.exe[524] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 019753D0 .text C:\WINDOWS\system32\winlogon.exe[524] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01975300 .text C:\WINDOWS\system32\winlogon.exe[524] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 019711C0 .text C:\WINDOWS\system32\winlogon.exe[524] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01971290 .text C:\WINDOWS\system32\winlogon.exe[524] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01972570 .text C:\WINDOWS\system32\winlogon.exe[524] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01971000 .text C:\WINDOWS\system32\winlogon.exe[524] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 019710A0 .text C:\WINDOWS\system32\winlogon.exe[524] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01972510 .text C:\WINDOWS\system32\winlogon.exe[524] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 
01971D10 .text C:\WINDOWS\system32\winlogon.exe[524] WS2_32.dll!send 71A54C27 5 Bytes JMP 01977250 .text C:\WINDOWS\system32\winlogon.exe[524] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 019720A0 .text C:\WINDOWS\system32\winlogon.exe[524] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 019723A0 .text C:\WINDOWS\system32\winlogon.exe[524] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01972160 .text C:\WINDOWS\system32\services.exe[568] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00E06390 .text C:\WINDOWS\system32\services.exe[568] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00E06640 .text C:\WINDOWS\system32\services.exe[568] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00E053D0 .text C:\WINDOWS\system32\services.exe[568] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00E05300 .text C:\WINDOWS\system32\services.exe[568] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E011C0 .text C:\WINDOWS\system32\services.exe[568] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E01290 .text C:\WINDOWS\system32\services.exe[568] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00E02570 .text C:\WINDOWS\system32\services.exe[568] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00E01000 .text C:\WINDOWS\system32\services.exe[568] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00E010A0 .text C:\WINDOWS\system32\services.exe[568] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00E02510 .text C:\WINDOWS\system32\services.exe[568] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00E01D10 .text C:\WINDOWS\system32\services.exe[568] WS2_32.dll!send 71A54C27 5 Bytes JMP 00E07250 .text C:\WINDOWS\system32\services.exe[568] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00E020A0 .text C:\WINDOWS\system32\services.exe[568] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00E023A0 .text C:\WINDOWS\system32\services.exe[568] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00E02160 .text C:\WINDOWS\system32\Ati2evxx.exe[736] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00E16390 
.text C:\WINDOWS\system32\Ati2evxx.exe[736] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00E16640 .text C:\WINDOWS\system32\Ati2evxx.exe[736] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00E153D0 .text C:\WINDOWS\system32\Ati2evxx.exe[736] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00E15300 .text C:\WINDOWS\system32\Ati2evxx.exe[736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E111C0 .text C:\WINDOWS\system32\Ati2evxx.exe[736] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E11290 .text C:\WINDOWS\system32\Ati2evxx.exe[736] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00E12570 .text C:\WINDOWS\system32\Ati2evxx.exe[736] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00E11000 .text C:\WINDOWS\system32\Ati2evxx.exe[736] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00E110A0 .text C:\WINDOWS\system32\Ati2evxx.exe[736] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00E12510 .text C:\WINDOWS\system32\Ati2evxx.exe[736] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00E11D10 .text C:\WINDOWS\system32\Ati2evxx.exe[736] WS2_32.dll!send 71A54C27 5 Bytes JMP 00E17250 .text C:\WINDOWS\system32\Ati2evxx.exe[736] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00E120A0 .text C:\WINDOWS\system32\Ati2evxx.exe[736] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00E123A0 .text C:\WINDOWS\system32\Ati2evxx.exe[736] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00E12160 .text C:\WINDOWS\system32\svchost.exe[748] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00B56390 .text C:\WINDOWS\system32\svchost.exe[748] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00B56640 .text C:\WINDOWS\system32\svchost.exe[748] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00B553D0 .text C:\WINDOWS\system32\svchost.exe[748] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00B55300 .text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B511C0 .text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B51290 .text 
C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00B52570 .text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00B51000 .text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00B510A0 .text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00B52510 .text C:\WINDOWS\system32\svchost.exe[748] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00B51D10 .text C:\WINDOWS\system32\svchost.exe[748] WS2_32.dll!send 71A54C27 5 Bytes JMP 00B57250 .text C:\WINDOWS\system32\svchost.exe[748] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00B520A0 .text C:\WINDOWS\system32\svchost.exe[748] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00B523A0 .text C:\WINDOWS\system32\svchost.exe[748] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00B52160 .text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00BE6390 .text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00BE6640 .text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00BE53D0 .text C:\WINDOWS\system32\svchost.exe[824] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00BE5300 .text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE11C0 .text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BE1290 .text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00BE2570 .text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00BE1000 .text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00BE10A0 .text C:\WINDOWS\system32\svchost.exe[824] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00BE2510 .text C:\WINDOWS\system32\svchost.exe[824] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00BE1D10 .text C:\WINDOWS\system32\svchost.exe[824] 
WS2_32.dll!send 71A54C27 5 Bytes JMP 00BE7250 .text C:\WINDOWS\system32\svchost.exe[824] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00BE20A0 .text C:\WINDOWS\system32\svchost.exe[824] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00BE23A0 .text C:\WINDOWS\system32\svchost.exe[824] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00BE2160 .text C:\WINDOWS\System32\svchost.exe[888] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00B56390 .text C:\WINDOWS\System32\svchost.exe[888] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00B56640 .text C:\WINDOWS\System32\svchost.exe[888] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00B553D0 .text C:\WINDOWS\System32\svchost.exe[888] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00B55300 .text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B511C0 .text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B51290 .text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00B52570 .text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00B51000 .text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00B510A0 .text C:\WINDOWS\System32\svchost.exe[888] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00B52510 .text C:\WINDOWS\System32\svchost.exe[888] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00B51D10 .text C:\WINDOWS\System32\svchost.exe[888] WS2_32.dll!send 71A54C27 5 Bytes JMP 00B57250 .text C:\WINDOWS\System32\svchost.exe[888] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00B520A0 .text C:\WINDOWS\System32\svchost.exe[888] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00B523A0 .text C:\WINDOWS\System32\svchost.exe[888] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00B52160 .text C:\WINDOWS\System32\svchost.exe[940] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00796390 .text C:\WINDOWS\System32\svchost.exe[940] 
ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00796640 .text C:\WINDOWS\System32\svchost.exe[940] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 007953D0 .text C:\WINDOWS\System32\svchost.exe[940] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00795300 .text C:\WINDOWS\System32\svchost.exe[940] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007911C0 .text C:\WINDOWS\System32\svchost.exe[940] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00791290 .text C:\WINDOWS\System32\svchost.exe[940] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00792570 .text C:\WINDOWS\System32\svchost.exe[940] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00791000 .text C:\WINDOWS\System32\svchost.exe[940] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 007910A0 .text C:\WINDOWS\System32\svchost.exe[940] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00792510 .text C:\WINDOWS\System32\svchost.exe[940] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00791D10 .text C:\WINDOWS\System32\svchost.exe[940] WS2_32.dll!send 71A54C27 5 Bytes JMP 00797250 .text C:\WINDOWS\System32\svchost.exe[940] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 007920A0 .text C:\WINDOWS\System32\svchost.exe[940] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 007923A0 .text C:\WINDOWS\System32\svchost.exe[940] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00792160 .text C:\WINDOWS\System32\svchost.exe[1012] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00A06390 .text C:\WINDOWS\System32\svchost.exe[1012] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00A06640 .text C:\WINDOWS\System32\svchost.exe[1012] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00A053D0 .text C:\WINDOWS\System32\svchost.exe[1012] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A05300 .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A011C0 .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A01290 .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!MoveFileW 
7C821249 5 Bytes JMP 00A02570 .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00A01000 .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00A010A0 .text C:\WINDOWS\System32\svchost.exe[1012] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00A02510 .text C:\WINDOWS\System32\svchost.exe[1012] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00A01D10 .text C:\WINDOWS\System32\svchost.exe[1012] WS2_32.dll!send 71A54C27 5 Bytes JMP 00A07250 .text C:\WINDOWS\System32\svchost.exe[1012] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00A020A0 .text C:\WINDOWS\System32\svchost.exe[1012] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00A023A0 .text C:\WINDOWS\System32\svchost.exe[1012] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00A02160 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00AE6390 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00AE6640 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00AE53D0 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00AE5300 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AE11C0 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00AE1290 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00AE2570 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00AE1000 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00AE10A0 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00AE2510 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00AE1D10 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] WS2_32.dll!send 71A54C27 5 Bytes JMP 
00AE7250 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00AE20A0 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00AE23A0 .text C:\WINDOWS\system32\Ati2evxx.exe[1076] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00AE2160 .text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 02366390 .text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 02366640 .text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 023653D0 .text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 02365300 .text C:\WINDOWS\Explorer.EXE[1312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 023611C0 .text C:\WINDOWS\Explorer.EXE[1312] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02361290 .text C:\WINDOWS\Explorer.EXE[1312] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 02362570 .text C:\WINDOWS\Explorer.EXE[1312] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 02361000 .text C:\WINDOWS\Explorer.EXE[1312] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 023610A0 .text C:\WINDOWS\Explorer.EXE[1312] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 02362510 .text C:\WINDOWS\Explorer.EXE[1312] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 023620A0 .text C:\WINDOWS\Explorer.EXE[1312] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 023623A0 .text C:\WINDOWS\Explorer.EXE[1312] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 02362160 .text C:\WINDOWS\Explorer.EXE[1312] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 02361D10 .text C:\WINDOWS\Explorer.EXE[1312] WS2_32.dll!send 71A54C27 5 Bytes JMP 02367250 .text C:\WINDOWS\system32\spoolsv.exe[1408] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00A56390 .text C:\WINDOWS\system32\spoolsv.exe[1408] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00A56640 .text C:\WINDOWS\system32\spoolsv.exe[1408] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00A553D0 
.text C:\WINDOWS\system32\spoolsv.exe[1408] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A55300 .text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A511C0 .text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A51290 .text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00A52570 .text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00A51000 .text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00A510A0 .text C:\WINDOWS\system32\spoolsv.exe[1408] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00A52510 .text C:\WINDOWS\system32\spoolsv.exe[1408] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00A51D10 .text C:\WINDOWS\system32\spoolsv.exe[1408] WS2_32.dll!send 71A54C27 5 Bytes JMP 00A57250 .text C:\WINDOWS\system32\spoolsv.exe[1408] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00A520A0 .text C:\WINDOWS\system32\spoolsv.exe[1408] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00A523A0 .text C:\WINDOWS\system32\spoolsv.exe[1408] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00A52160 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 009F6390 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 009F6640 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 009F53D0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 009F5300 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009F11C0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 009F1290 .text C:\Program Files\Common Files\Java\Java 
Update\jusched.exe[1552] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 009F2570 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 009F1000 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 009F10A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 009F2510 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 009F20A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 009F23A0 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 009F2160 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 009F1D10 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1552] WS2_32.dll!send 71A54C27 5 Bytes JMP 009F7250 .text C:\WINDOWS\system32\ctfmon.exe[1572] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00A46390 .text C:\WINDOWS\system32\ctfmon.exe[1572] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00A46640 .text C:\WINDOWS\system32\ctfmon.exe[1572] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00A453D0 .text C:\WINDOWS\system32\ctfmon.exe[1572] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00A45300 .text C:\WINDOWS\system32\ctfmon.exe[1572] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A411C0 .text C:\WINDOWS\system32\ctfmon.exe[1572] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A41290 .text C:\WINDOWS\system32\ctfmon.exe[1572] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00A42570 .text C:\WINDOWS\system32\ctfmon.exe[1572] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00A41000 .text C:\WINDOWS\system32\ctfmon.exe[1572] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00A410A0 .text 
C:\WINDOWS\system32\ctfmon.exe[1572] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00A42510 .text C:\WINDOWS\system32\ctfmon.exe[1572] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00A41D10 .text C:\WINDOWS\system32\ctfmon.exe[1572] WS2_32.dll!send 71A54C27 5 Bytes JMP 00A47250 .text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00A420A0 .text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00A423A0 .text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00A42160 .text C:\Program Files\Messenger\msmsgs.exe[1580] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00D56390 .text C:\Program Files\Messenger\msmsgs.exe[1580] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00D56640 .text C:\Program Files\Messenger\msmsgs.exe[1580] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00D553D0 .text C:\Program Files\Messenger\msmsgs.exe[1580] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00D55300 .text C:\Program Files\Messenger\msmsgs.exe[1580] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D511C0 .text C:\Program Files\Messenger\msmsgs.exe[1580] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D51290 .text C:\Program Files\Messenger\msmsgs.exe[1580] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00D52570 .text C:\Program Files\Messenger\msmsgs.exe[1580] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00D51000 .text C:\Program Files\Messenger\msmsgs.exe[1580] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00D510A0 .text C:\Program Files\Messenger\msmsgs.exe[1580] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00D52510 .text C:\Program Files\Messenger\msmsgs.exe[1580] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00D51D10 .text C:\Program Files\Messenger\msmsgs.exe[1580] WS2_32.dll!send 71A54C27 5 Bytes JMP 00D57250 .text C:\Program Files\Messenger\msmsgs.exe[1580] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00D520A0 .text C:\Program Files\Messenger\msmsgs.exe[1580] 
WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00D523A0 .text C:\Program Files\Messenger\msmsgs.exe[1580] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00D52160 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00B46390 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00B46640 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 00B453D0 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00B45300 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B411C0 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B41290 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00B42570 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00B41000 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 00B410A0 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00B42510 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00B41D10 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] WS2_32.dll!send 71A54C27 5 Bytes JMP 00B47250 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 00B420A0 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 00B423A0 .text C:\Program Files\USB TV\EM28XX\BDARemote.exe[1652] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00B42160 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 01406390 .text C:\Program 
Files\OpenOffice.org 3\program\soffice.exe[1692] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 01406640 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 014053D0 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01405300 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014011C0 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01401290 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 01402570 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 01401000 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 014010A0 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 01402510 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 01401D10 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] WS2_32.dll!send 71A54C27 5 Bytes JMP 01407250 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 014020A0 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 014023A0 .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1692] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 01402160 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 02266390 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 02266640 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] 
ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 022653D0 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 02265300 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 022611C0 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02261290 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 02262570 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 02261000 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 022610A0 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 02262510 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 02261D10 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] WS2_32.dll!send 71A54C27 5 Bytes JMP 02267250 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 022620A0 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 022623A0 .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1700] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 02262160 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00166390 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00166640 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001653D0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00165300 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] 
kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001611C0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00161290 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00162570 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00161000 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 001610A0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00162510 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 001620A0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 001623A0 .text C:\Program Files\Java\jre7\bin\jqs.exe[1980] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00162160 .text C:\WINDOWS\System32\alg.exe[2136] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 000A6390 .text C:\WINDOWS\System32\alg.exe[2136] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 000A6640 .text C:\WINDOWS\System32\alg.exe[2136] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 000A53D0 .text C:\WINDOWS\System32\alg.exe[2136] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000A5300 .text C:\WINDOWS\System32\alg.exe[2136] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 000A11C0 .text C:\WINDOWS\System32\alg.exe[2136] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 000A1290 .text C:\WINDOWS\System32\alg.exe[2136] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 000A2570 .text C:\WINDOWS\System32\alg.exe[2136] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 000A1000 .text C:\WINDOWS\System32\alg.exe[2136] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 000A10A0 .text 
C:\WINDOWS\System32\alg.exe[2136] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 000A2510 .text C:\WINDOWS\System32\alg.exe[2136] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 000A1D10 .text C:\WINDOWS\System32\alg.exe[2136] WS2_32.dll!send 71A54C27 5 Bytes JMP 000A7250 .text C:\WINDOWS\System32\alg.exe[2136] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 000A20A0 .text C:\WINDOWS\System32\alg.exe[2136] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 000A23A0 .text C:\WINDOWS\System32\alg.exe[2136] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 000A2160 .text C:\WINDOWS\System32\svchost.exe[2468] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 000A6390 .text C:\WINDOWS\System32\svchost.exe[2468] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 000A6640 .text C:\WINDOWS\System32\svchost.exe[2468] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 000A53D0 .text C:\WINDOWS\System32\svchost.exe[2468] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000A5300 .text C:\WINDOWS\System32\svchost.exe[2468] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 000A11C0 .text C:\WINDOWS\System32\svchost.exe[2468] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 000A1290 .text C:\WINDOWS\System32\svchost.exe[2468] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 000A2570 .text C:\WINDOWS\System32\svchost.exe[2468] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 000A1000 .text C:\WINDOWS\System32\svchost.exe[2468] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 000A10A0 .text C:\WINDOWS\System32\svchost.exe[2468] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 000A2510 .text C:\WINDOWS\System32\svchost.exe[2468] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 000A1D10 .text C:\WINDOWS\System32\svchost.exe[2468] WS2_32.dll!send 71A54C27 5 Bytes JMP 000A7250 .text C:\WINDOWS\System32\svchost.exe[2468] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 000A20A0 .text C:\WINDOWS\System32\svchost.exe[2468] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 000A23A0 .text C:\WINDOWS\System32\svchost.exe[2468] 
WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 000A2160 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] ntdll.dll!NtEnumerateValueKey 7C90D2D0 5 Bytes JMP 00166390 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] ntdll.dll!NtQueryDirectoryFile 7C90D750 5 Bytes JMP 00166640 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] ntdll.dll!NtResumeThread 7C90DB20 5 Bytes JMP 001653D0 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00165300 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001611C0 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00161290 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] kernel32.dll!MoveFileW 7C821249 5 Bytes JMP 00162570 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] kernel32.dll!CopyFileA 7C8286D6 5 Bytes JMP 00161000 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] kernel32.dll!CopyFileW 7C82F863 5 Bytes JMP 001610A0 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] kernel32.dll!MoveFileA 7C835EA7 5 Bytes JMP 00162510 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] WS2_32.dll!GetAddrInfoW 71A52899 5 Bytes JMP 00161D10 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] WS2_32.dll!send 71A54C27 5 Bytes JMP 00167250 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] WININET.dll!HttpSendRequestA 771B60A1 5 Bytes JMP 001620A0 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] WININET.dll!InternetWriteFile 771E8BB9 5 Bytes JMP 001623A0 .text C:\Documents and Settings\Zosia\Pulpit\zc4h2uwf.exe[3992] WININET.dll!HttpSendRequestW 77202EBC 5 Bytes JMP 00162160 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 82FA31F8 Device \Driver\usbohci \Device\USBPDO-0 82C5E440 Device \Driver\usbohci 
\Device\USBPDO-1 82C5E440 Device \Driver\usbehci \Device\USBPDO-2 82BB9440 Device \Driver\NetBT \Device\NetBT_Tcpip_{02084701-7957-48C3-BB20-5D99C22B9CDD} 82D00440 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F73A8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F73A8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F73A8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 82D00440 Device \Driver\NetBT \Device\NetbiosSmb 82D00440 Device \Driver\usbohci \Device\USBFDO-0 82C5E440 Device \Driver\usbohci \Device\USBFDO-1 82C5E440 Device \Driver\usbehci \Device\USBFDO-2 82BB9440 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82D92440 Device \FileSystem\MRxSmb \Device\LanmanRedirector 82D92440 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0xEA 0xB2 0x4E ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0xEA 0xB2 0x4E ... 
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x74 0x40 0xA5 0x5A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF0 0xF7 0x87 0xAC ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x8E 0x40 0x18 0xBE ...
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache@C:\Documents and Settings\Zosia\Dane aplikacji\Xyqmqj.exe Xyqmqj
---- Files - GMER 2.1 ----
File C:\Documents and Settings\Zosia\Dane aplikacji\Xyqmqj.exe 131732 bytes executable
---- EOF - GMER 2.1 ----