GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-24 14:47:28
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\0000006a SAMSUNG_HD502HJ rev.1AJ100E4
Running: 4irz3k4b.exe; Driver: C:\DOCUME~1\1\USTAWI~1\Temp\kgriqaoc.sys

---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9E54D3A]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcess [0xBA24ACC6]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcessEx [0xBA24ACE0]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateThread [0xBA249E7C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9E55634]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9E5594C]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwLoadDriver [0xBA24A1AC]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwMapViewOfSection [0xBA249BBC]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9E53EBE]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwOpenSection [0xBA24A5DE]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwRenameKey [0xBA24B87C]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSetSystemInformation [0xBA24A42E]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9E5509A]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendProcess [0xBA249A3C]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendThread [0xBA249EB0]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSystemDebugControl [0xBA24A032]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateProcess [0xBA249996]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateThread [0xBA249AF6]
SSDT \??\C:\Program Files\BezpiecznyInternet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwWriteVirtualMemory [0xBA249F76]

Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FD0 80504888 12 Bytes [3C, 9A, 24, BA, B0, 9E, 24, ...]
PAGENPNP NDIS.SYS!NdisRegisterProtocol B9C4317F 5 Bytes JMP B9C72E0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisOpenAdapter B9C43399 5 Bytes JMP B9C73394 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisCloseAdapter B9C4D642 5 Bytes JMP B9C72F18 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisDeregisterProtocol B9C4D821 5 Bytes JMP B9C731B0 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisReturnPackets B9C50810 5 Bytes JMP B9C73C0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisRequest B9C5097B 5 Bytes JMP B9C735AC fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSend B9C53986 5 Bytes JMP B9C7458C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSendPackets B9C539A3 5 Bytes JMP B9C7465E fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisTransferData B9C539BE 5 Bytes JMP B9C73D0A fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoCreateVc B9C5A186 5 Bytes JMP B9C72E76 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoDeleteVc B9C5B557 5 Bytes JMP B9C72EE4 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoSendPackets B9C5BAF1 5 Bytes JMP B9C74376 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8CF9000, 0x21F557, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA8A6F300, 0x3B6D8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA470300, 0x1BEE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Olympus\ib\olycamdetect.exe[164] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0104000C
.text C:\Program Files\Olympus\ib\olycamdetect.exe[164] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0104100C
.text C:\Program Files\Olympus\ib\olycamdetect.exe[164] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0104200C
.text C:\Program Files\Olympus\ib\olycamdetect.exe[164] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0104300C
.text C:\Program Files\Olympus\ib\olycamdetect.exe[164] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0104400C
.text C:\Program Files\Olympus\ib\olycamdetect.exe[164] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0104A00C
.text C:\Program Files\Olympus\ib\olycamdetect.exe[164] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0104700C
.text C:\Program Files\Olympus\ib\olycamdetect.exe[164] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0104500C
.text C:\Program Files\Olympus\ib\olycamdetect.exe[164] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0104600C
.text C:\Program Files\Olympus\ib\olycamdetect.exe[164] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0104800C
.text C:\Program Files\Olympus\ib\olycamdetect.exe[164] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0104900C
.text C:\WINDOWS\RTHDCPL.EXE[512] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0627000C
.text C:\WINDOWS\RTHDCPL.EXE[512] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0627100C
.text C:\WINDOWS\RTHDCPL.EXE[512] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0627200C
.text C:\WINDOWS\RTHDCPL.EXE[512] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0627300C
.text C:\WINDOWS\RTHDCPL.EXE[512] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0627700C
.text C:\WINDOWS\RTHDCPL.EXE[512] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0627500C
.text C:\WINDOWS\RTHDCPL.EXE[512] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0627600C
.text C:\WINDOWS\RTHDCPL.EXE[512] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0627800C
.text C:\WINDOWS\RTHDCPL.EXE[512] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0627900C
.text C:\WINDOWS\RTHDCPL.EXE[512] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0627400C
.text C:\WINDOWS\RTHDCPL.EXE[512] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0627A00C
.text C:\Program Files\Nero\InCD\InCD.exe[528] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0290000C
.text C:\Program Files\Nero\InCD\InCD.exe[528] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0290100C
.text C:\Program Files\Nero\InCD\InCD.exe[528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0290200C
.text C:\Program Files\Nero\InCD\InCD.exe[528] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0290300C
.text C:\Program Files\Nero\InCD\InCD.exe[528] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0290400C
.text C:\Program Files\Nero\InCD\InCD.exe[528] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0290A00C
.text C:\Program Files\Nero\InCD\InCD.exe[528] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0290700C
.text C:\Program Files\Nero\InCD\InCD.exe[528] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0290500C
.text C:\Program Files\Nero\InCD\InCD.exe[528] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0290600C
.text C:\Program Files\Nero\InCD\InCD.exe[528] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0290800C
.text C:\Program Files\Nero\InCD\InCD.exe[528] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0290900C
.text C:\WINDOWS\PixArt\PAC207\Monitor.exe[552] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0227000C
.text C:\WINDOWS\PixArt\PAC207\Monitor.exe[552] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0227100C
.text C:\WINDOWS\PixArt\PAC207\Monitor.exe[552] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0227200C
.text C:\WINDOWS\PixArt\PAC207\Monitor.exe[552] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0227300C
.text C:\WINDOWS\PixArt\PAC207\Monitor.exe[552] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0227400C
.text C:\WINDOWS\PixArt\PAC207\Monitor.exe[552] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0227A00C
.text C:\WINDOWS\PixArt\PAC207\Monitor.exe[552] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0227700C
.text C:\WINDOWS\PixArt\PAC207\Monitor.exe[552] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0227500C
.text C:\WINDOWS\PixArt\PAC207\Monitor.exe[552] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0227600C
.text C:\WINDOWS\PixArt\PAC207\Monitor.exe[552] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0227800C
.text C:\WINDOWS\PixArt\PAC207\Monitor.exe[552] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0227900C
.text C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe[592] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0209000C
.text C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe[592] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0209100C
.text C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe[592] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0209200C
.text C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe[592] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0209300C
.text C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe[592] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0209400C
.text C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe[592] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0209A00C
.text C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe[592] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0209700C
.text C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe[592] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0209500C
.text C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe[592] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0209600C
.text C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe[592] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0209800C
.text C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe[592] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0209900C
.text C:\WINDOWS\Explorer.EXE[608] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0245000C
.text C:\WINDOWS\Explorer.EXE[608] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0245100C
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0245200C
.text C:\WINDOWS\Explorer.EXE[608] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0245300C
.text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0245700C
.text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0245500C
.text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0245600C
.text C:\WINDOWS\Explorer.EXE[608] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0245800C
.text C:\WINDOWS\Explorer.EXE[608] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0245400C
.text C:\WINDOWS\Explorer.EXE[608] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0245A00C
.text C:\WINDOWS\Explorer.EXE[608] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0245900C
.text C:\Program Files\program do zmiany tła pulpitu\Tla Pulpitu\zmtla.exe[620] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0117000C
.text C:\Program Files\program do zmiany tła pulpitu\Tla Pulpitu\zmtla.exe[620] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0117100C
.text C:\Program Files\program do zmiany tła pulpitu\Tla Pulpitu\zmtla.exe[620] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0117200C
.text C:\Program Files\program do zmiany tła pulpitu\Tla Pulpitu\zmtla.exe[620] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0117300C
.text C:\Program Files\program do zmiany tła pulpitu\Tla Pulpitu\zmtla.exe[620] ADVAPI32.DLL!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0117700C
.text C:\Program Files\program do zmiany tła pulpitu\Tla Pulpitu\zmtla.exe[620] ADVAPI32.DLL!OpenServiceW 77DD6FFD 5 Bytes JMP 0117500C
.text C:\Program Files\program do zmiany tła pulpitu\Tla Pulpitu\zmtla.exe[620] ADVAPI32.DLL!ControlService 77DE4A09 5 Bytes JMP 0117600C
.text C:\Program Files\program do zmiany tła pulpitu\Tla Pulpitu\zmtla.exe[620] ADVAPI32.DLL!CreateServiceW 77E273A9 5 Bytes JMP 0117800C
.text C:\Program Files\program do zmiany tła pulpitu\Tla Pulpitu\zmtla.exe[620] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0117400C
.text C:\Program Files\program do zmiany tła pulpitu\Tla Pulpitu\zmtla.exe[620] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0117A00C
.text C:\Program Files\program do zmiany tła pulpitu\Tla Pulpitu\zmtla.exe[620] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0117900C
.text C:\Program Files\Lexmark 1200 Series\lxczbmon.exe[748] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0097000C
.text C:\Program Files\Lexmark 1200 Series\lxczbmon.exe[748] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0097100C
.text C:\Program Files\Lexmark 1200 Series\lxczbmon.exe[748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0097200C
.text C:\Program Files\Lexmark 1200 Series\lxczbmon.exe[748] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0097300C
.text C:\Program Files\Lexmark 1200 Series\lxczbmon.exe[748] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0097400C
.text C:\Program Files\Lexmark 1200 Series\lxczbmon.exe[748] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0097A00C
.text C:\Program Files\Lexmark 1200 Series\lxczbmon.exe[748] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0097700C
.text C:\Program Files\Lexmark 1200 Series\lxczbmon.exe[748] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0097500C
.text C:\Program Files\Lexmark 1200 Series\lxczbmon.exe[748] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0097600C
.text C:\Program Files\Lexmark 1200 Series\lxczbmon.exe[748] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0097800C
.text C:\Program Files\Lexmark 1200 Series\lxczbmon.exe[748] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0097900C
.text C:\WINDOWS\system32\winlogon.exe[820] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D9000C
.text C:\WINDOWS\system32\winlogon.exe[820] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00D9100C
.text C:\WINDOWS\system32\winlogon.exe[820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D9200C
.text C:\WINDOWS\system32\winlogon.exe[820] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00D9300C
.text C:\WINDOWS\system32\winlogon.exe[820] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00D9700C
.text C:\WINDOWS\system32\winlogon.exe[820] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00D9500C
.text C:\WINDOWS\system32\winlogon.exe[820] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00D9600C
.text C:\WINDOWS\system32\winlogon.exe[820] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00D9800C
.text C:\WINDOWS\system32\winlogon.exe[820] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00D9400C
.text C:\WINDOWS\system32\winlogon.exe[820] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00D9A00C
.text C:\WINDOWS\system32\winlogon.exe[820] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 00D9900C
.text C:\WINDOWS\system32\lsass.exe[876] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FE000C
.text C:\WINDOWS\system32\lsass.exe[876] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00FE100C
.text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE200C
.text C:\WINDOWS\system32\lsass.exe[876] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00FE300C
.text C:\WINDOWS\system32\lsass.exe[876] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00FE700C
.text C:\WINDOWS\system32\lsass.exe[876] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00FE500C
.text C:\WINDOWS\system32\lsass.exe[876] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00FE600C
.text C:\WINDOWS\system32\lsass.exe[876] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00FE800C
.text C:\WINDOWS\system32\lsass.exe[876] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00FE400C
.text C:\WINDOWS\system32\lsass.exe[876] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00FEA00C
.text C:\WINDOWS\system32\lsass.exe[876] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 00FE900C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[948] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BE000C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[948] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00BE100C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE200C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[948] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00BE300C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[948] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00BE700C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[948] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00BE500C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[948] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00BE600C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[948] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00BE800C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[948] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00BE400C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[948] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00BEA00C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[948] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 00BE900C
.text C:\Program Files\BezpiecznyInternet\Common\FSM32.EXE[1028] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0349000C
.text C:\Program Files\BezpiecznyInternet\Common\FSM32.EXE[1028] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0349100C
.text C:\WINDOWS\system32\Ati2evxx.exe[1056] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0251000C
.text C:\WINDOWS\system32\Ati2evxx.exe[1056] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0251100C
.text C:\WINDOWS\system32\Ati2evxx.exe[1056] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0251200C
.text C:\WINDOWS\system32\Ati2evxx.exe[1056] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0251300C
.text C:\WINDOWS\system32\Ati2evxx.exe[1056] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0251400C
.text C:\WINDOWS\system32\Ati2evxx.exe[1056] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0251A00C
.text C:\WINDOWS\system32\Ati2evxx.exe[1056] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0251900C
.text C:\WINDOWS\system32\Ati2evxx.exe[1056] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0251700C
.text C:\WINDOWS\system32\Ati2evxx.exe[1056] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0251500C
.text C:\WINDOWS\system32\Ati2evxx.exe[1056] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0251600C
.text C:\WINDOWS\system32\Ati2evxx.exe[1056] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0251800C
.text C:\Program Files\MouseGestures\OscarEditor.exe[1200] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FE000C
.text C:\Program Files\MouseGestures\OscarEditor.exe[1200] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00FE100C
.text C:\Program Files\MouseGestures\OscarEditor.exe[1200] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FE200C
.text C:\Program Files\MouseGestures\OscarEditor.exe[1200] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00FE300C
.text C:\Program Files\MouseGestures\OscarEditor.exe[1200] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00FE700C
.text C:\Program Files\MouseGestures\OscarEditor.exe[1200] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00FE500C
.text C:\Program Files\MouseGestures\OscarEditor.exe[1200] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00FE600C
.text C:\Program Files\MouseGestures\OscarEditor.exe[1200] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00FE800C
.text C:\Program Files\MouseGestures\OscarEditor.exe[1200] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00FE400C
.text C:\Program Files\MouseGestures\OscarEditor.exe[1200] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00FEA00C
.text C:\Program Files\MouseGestures\OscarEditor.exe[1200] OLE32.DLL!CoCreateInstanceEx 774EF164 5 Bytes JMP 00FE900C
.text C:\Program Files\Aparat fotograficzny\OV2Monitor.exe[1216] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0465000C
.text C:\Program Files\Aparat fotograficzny\OV2Monitor.exe[1216] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0465100C
.text C:\Program Files\Aparat fotograficzny\OV2Monitor.exe[1216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0465200C
.text C:\Program Files\Aparat fotograficzny\OV2Monitor.exe[1216] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0465300C
.text C:\Program Files\Aparat fotograficzny\OV2Monitor.exe[1216] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0465400C
.text C:\Program Files\Aparat fotograficzny\OV2Monitor.exe[1216] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0465A00C
.text C:\Program Files\Aparat fotograficzny\OV2Monitor.exe[1216] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0465700C
.text C:\Program Files\Aparat fotograficzny\OV2Monitor.exe[1216] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0465500C
.text C:\Program Files\Aparat fotograficzny\OV2Monitor.exe[1216] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0465600C
.text C:\Program Files\Aparat fotograficzny\OV2Monitor.exe[1216] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0465800C
.text C:\Program Files\Aparat fotograficzny\OV2Monitor.exe[1216] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0465900C
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1224] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0D08000C
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1224] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0D08100C
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0D08200C
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1224] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0D08300C
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1224] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0D08400C
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1224] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0D08A00C
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1224] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0D08900C
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1224] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0D08700C
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1224] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0D08500C
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1224] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0D08600C
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1224] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0D08800C
.text C:\Program Files\uTorrent\uTorrent.exe[1232] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0633000C
.text C:\Program Files\uTorrent\uTorrent.exe[1232] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0633100C
.text C:\Program Files\uTorrent\uTorrent.exe[1232] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0633200C
.text C:\Program Files\uTorrent\uTorrent.exe[1232] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0633300C
.text C:\Program Files\uTorrent\uTorrent.exe[1232] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0633700C
.text C:\Program Files\uTorrent\uTorrent.exe[1232] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0633500C
.text C:\Program Files\uTorrent\uTorrent.exe[1232] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0633600C
.text C:\Program Files\uTorrent\uTorrent.exe[1232] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0633800C
.text C:\Program Files\uTorrent\uTorrent.exe[1232] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0633400C
.text C:\Program Files\uTorrent\uTorrent.exe[1232] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0633A00C
.text C:\Program Files\uTorrent\uTorrent.exe[1232] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0633900C
.text C:\Program Files\Nero\InCD\InCDsrv.exe[1500] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 007A000C
.text C:\Program Files\Nero\InCD\InCDsrv.exe[1500] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 007A100C
.text C:\Program Files\Nero\InCD\InCDsrv.exe[1500] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007A200C
.text C:\Program Files\Nero\InCD\InCDsrv.exe[1500] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 007A300C
.text C:\Program Files\Nero\InCD\InCDsrv.exe[1500] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 007A400C
.text C:\Program Files\Nero\InCD\InCDsrv.exe[1500] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 007AA00C
.text C:\Program Files\Nero\InCD\InCDsrv.exe[1500] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 007A700C
.text C:\Program Files\Nero\InCD\InCDsrv.exe[1500] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 007A500C
.text C:\Program Files\Nero\InCD\InCDsrv.exe[1500] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 007A600C
.text C:\Program Files\Nero\InCD\InCDsrv.exe[1500] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 007A800C
.text C:\Program Files\Nero\InCD\InCDsrv.exe[1500] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 007A900C
.text C:\Program Files\Opera\opera.exe[1568] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009C000C
.text C:\Program Files\Opera\opera.exe[1568] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 009C100C
.text C:\Program Files\Opera\opera.exe[1568] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C200C
.text C:\Program Files\Opera\opera.exe[1568] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 009C300C
.text C:\Program Files\Opera\opera.exe[1568] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 009C400C
.text C:\Program Files\Opera\opera.exe[1568] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 009CA00C
.text C:\Program Files\Opera\opera.exe[1568] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 009C700C
.text C:\Program Files\Opera\opera.exe[1568] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 009C500C
.text C:\Program Files\Opera\opera.exe[1568] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 009C600C
.text C:\Program Files\Opera\opera.exe[1568] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 009C800C
.text C:\Program Files\Opera\opera.exe[1568] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 009C900C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1632] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0229000C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1632] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0229100C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1632] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0229200C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1632] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0229300C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1632] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0229400C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1632] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0229A00C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1632] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0229700C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1632] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0229500C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1632] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0229600C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1632] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0229800C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1632] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0229900C
.text C:\WINDOWS\system32\Ati2evxx.exe[1904] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D7000C
.text C:\WINDOWS\system32\Ati2evxx.exe[1904] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00D7100C
.text C:\WINDOWS\system32\Ati2evxx.exe[1904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D7200C
.text C:\WINDOWS\system32\Ati2evxx.exe[1904] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00D7300C
.text C:\WINDOWS\system32\Ati2evxx.exe[1904] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00D7400C
.text C:\WINDOWS\system32\Ati2evxx.exe[1904] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00D7A00C
.text C:\WINDOWS\system32\Ati2evxx.exe[1904] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 00D7900C
.text C:\WINDOWS\system32\Ati2evxx.exe[1904] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00D7700C
.text C:\WINDOWS\system32\Ati2evxx.exe[1904] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00D7500C
.text C:\WINDOWS\system32\Ati2evxx.exe[1904] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00D7600C
.text C:\WINDOWS\system32\Ati2evxx.exe[1904] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00D7800C
.text C:\WINDOWS\system32\LEXBCES.EXE[1944] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0120000C
.text C:\WINDOWS\system32\LEXBCES.EXE[1944] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0120100C
.text C:\WINDOWS\system32\LEXBCES.EXE[1944] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0120200C
.text C:\WINDOWS\system32\LEXBCES.EXE[1944] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0120300C
.text C:\WINDOWS\system32\LEXBCES.EXE[1944] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0120400C
.text C:\WINDOWS\system32\LEXBCES.EXE[1944] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0120900C
.text C:\WINDOWS\system32\LEXBCES.EXE[1944] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0120700C
.text C:\WINDOWS\system32\LEXBCES.EXE[1944] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0120500C
.text C:\WINDOWS\system32\LEXBCES.EXE[1944] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0120600C
.text C:\WINDOWS\system32\LEXBCES.EXE[1944] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0120800C
.text C:\WINDOWS\system32\LEXPPS.EXE[2032] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 011E000C
.text C:\WINDOWS\system32\LEXPPS.EXE[2032] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 011E100C
.text C:\WINDOWS\system32\LEXPPS.EXE[2032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011E200C
.text C:\WINDOWS\system32\LEXPPS.EXE[2032] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 011E300C
.text C:\WINDOWS\system32\LEXPPS.EXE[2032] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 011E700C
.text C:\WINDOWS\system32\LEXPPS.EXE[2032] ADVAPI32.dll!OpenServiceW 77DD6FFD 3 Bytes JMP 011E500C
.text C:\WINDOWS\system32\LEXPPS.EXE[2032] ADVAPI32.dll!OpenServiceW + 4 77DD7001 1 Byte [89]
.text C:\WINDOWS\system32\LEXPPS.EXE[2032] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 011E600C
.text C:\WINDOWS\system32\LEXPPS.EXE[2032] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 011E800C
.text C:\WINDOWS\system32\LEXPPS.EXE[2032] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 011E400C
.text C:\WINDOWS\system32\LEXPPS.EXE[2032] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 011EA00C
.text C:\WINDOWS\system32\LEXPPS.EXE[2032] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 011E900C
.text C:\WINDOWS\System32\alg.exe[2208] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA000C
.text C:\WINDOWS\System32\alg.exe[2208] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00BA100C
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA200C
.text C:\WINDOWS\System32\alg.exe[2208] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00BA300C
.text C:\WINDOWS\System32\alg.exe[2208] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00BA400C
.text C:\WINDOWS\System32\alg.exe[2208] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00BAA00C
.text C:\WINDOWS\System32\alg.exe[2208] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00BA700C
.text C:\WINDOWS\System32\alg.exe[2208] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00BA500C
.text C:\WINDOWS\System32\alg.exe[2208] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00BA600C
.text C:\WINDOWS\System32\alg.exe[2208] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00BA800C
.text C:\WINDOWS\System32\alg.exe[2208] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 00BA900C
.text C:\WINDOWS\system32\wscntfy.exe[2324] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BD000C
.text C:\WINDOWS\system32\wscntfy.exe[2324] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00BD100C
.text C:\WINDOWS\system32\wscntfy.exe[2324] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD200C
.text C:\WINDOWS\system32\wscntfy.exe[2324] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00BD300C
.text C:\WINDOWS\system32\wscntfy.exe[2324] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00BD400C
.text C:\WINDOWS\system32\wscntfy.exe[2324] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00BDA00C
.text C:\WINDOWS\system32\wscntfy.exe[2324] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00BD700C
.text C:\WINDOWS\system32\wscntfy.exe[2324] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00BD500C
.text C:\WINDOWS\system32\wscntfy.exe[2324] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00BD600C
.text C:\WINDOWS\system32\wscntfy.exe[2324] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00BD800C
.text C:\WINDOWS\system32\wscntfy.exe[2324] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 00BD900C
.text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2596] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A3000C
.text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2596] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00A3100C
.text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A3200C
.text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2596] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00A3300C
.text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2596] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00A3700C
.text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2596] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00A3500C
.text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2596] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00A3600C
.text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2596] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00A3800C
.text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2596] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00A3400C
.text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2596] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00A3A00C
.text C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe[2596] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 00A3900C
.text C:\Program Files\Java\jre7\bin\jqs.exe[2624] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0364000C
.text C:\Program Files\Java\jre7\bin\jqs.exe[2624] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0364100C
.text C:\Program Files\Java\jre7\bin\jqs.exe[2624] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0364200C
.text C:\Program Files\Java\jre7\bin\jqs.exe[2624] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0364300C
.text C:\Program Files\Java\jre7\bin\jqs.exe[2624] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0364700C
.text C:\Program Files\Java\jre7\bin\jqs.exe[2624] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0364500C
.text C:\Program Files\Java\jre7\bin\jqs.exe[2624] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0364600C
.text C:\Program Files\Java\jre7\bin\jqs.exe[2624] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0364800C
.text C:\Program Files\Java\jre7\bin\jqs.exe[2624] user32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0364400C
.text C:\Program Files\Java\jre7\bin\jqs.exe[2624] user32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0364A00C
.text C:\Program Files\Java\jre7\bin\jqs.exe[2624] ole32.dll!CoCreateInstanceEx 774EF164 5 Bytes JMP 0364900C
.text C:\WINDOWS\system32\PnkBstrA.exe[2728] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0204000C
.text C:\WINDOWS\system32\PnkBstrA.exe[2728] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0204100C
.text C:\WINDOWS\system32\PnkBstrA.exe[2728] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0204200C
.text C:\WINDOWS\system32\PnkBstrA.exe[2728] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0204300C
.text C:\WINDOWS\system32\PnkBstrA.exe[2728] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0204400C
.text C:\WINDOWS\system32\PnkBstrA.exe[2728] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0204900C
.text C:\WINDOWS\system32\PnkBstrA.exe[2728] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0204700C
.text C:\WINDOWS\system32\PnkBstrA.exe[2728] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0204500C
.text C:\WINDOWS\system32\PnkBstrA.exe[2728] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0204600C
.text C:\WINDOWS\system32\PnkBstrA.exe[2728] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0204800C

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure
Corporation) Device \Driver\Tcpip \Device\IPMULTICAST fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Documents and Settings\1\Pulpit\Nowy folder\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x89 0xAD 0xFB 0x23 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x37 0xB9 0x53 0x93 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x8B 0xB1 0x55 0x0B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x14 0x60 0x86 0x14 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Documents and Settings\1\Pulpit\Nowy folder\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x89 0xAD 0xFB 0x23 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x37 0xB9 0x53 0x93 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x8B 0xB1 0x55 0x0B ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x14 0x60 0x86 0x14 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... ---- EOF - GMER 1.0.15 ----