GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-01-30 14:23:23 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e WDC_WD1200BEVS-75UST0 rev.01.01A01 111.79GB Running: ujx278jt[1].exe; Driver: C:\DOCUME~1\Agata\USTAWI~1\Temp\kwdcquow.sys ---- System - GMER 2.0 ---- SSDT 8A0A78B8 ZwAlertResumeThread SSDT 8A13A888 ZwAlertThread SSDT 8A173968 ZwAllocateVirtualMemory SSDT 8A0DA688 ZwAssignProcessToJobObject SSDT 89EEC3D0 ZwConnectPort SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA82FDED0] SSDT 8A059FA0 ZwCreateMutant SSDT 89D80CC0 ZwCreateSymbolicLinkObject SSDT 89E02E78 ZwCreateThread SSDT 8A0DA860 ZwDebugActiveProcess SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA82FE150] SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA82FE810] SSDT 8A0C85B0 ZwDuplicateObject SSDT 8A22EDD8 ZwFreeVirtualMemory SSDT 8A0B7C10 ZwImpersonateAnonymousToken SSDT 8A069E00 ZwImpersonateThread SSDT 8A2A8D48 ZwLoadDriver SSDT 89D80850 ZwMapViewOfSection SSDT 8A0DFB70 ZwOpenEvent SSDT 8A01EFC0 ZwOpenProcess SSDT 8A0BBA20 ZwOpenProcessToken SSDT 8A0DD0F8 ZwOpenSection SSDT 8A0434F0 ZwOpenThread SSDT 89D80D90 ZwProtectVirtualMemory SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwRenameKey [0xA82FED80] SSDT 8A05D9B0 ZwResumeThread SSDT 8A14D0B0 ZwSetContextThread SSDT 89DF7150 ZwSetInformationProcess SSDT 8A0DB280 ZwSetSystemInformation SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA82FEAA0] SSDT 8A0DEAD0 ZwSuspendProcess SSDT 8A0A06C0 ZwSuspendThread SSDT 8A082238 ZwTerminateProcess SSDT 8A1E9500 ZwTerminateThread SSDT 8A2820B0 ZwUnmapViewOfSection SSDT 8A256160 ZwWriteVirtualMemory ---- Kernel code sections - GMER 2.0 ---- .text 
ntkrnlpa.exe!ZwCallbackReturn + 2CE8 80504584 4 Bytes [10, E8, 2F, A8] .text ntkrnlpa.exe!ZwCallbackReturn + 2FC0 8050485C 4 Bytes JMP C118A82F .text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 8 Bytes [D0, EA, 0D, 8A, C0, 06, 0A, ...] ? SYMDS.SYS Nie można odnaleźć określonego pliku. ! ? SYMEFA.SYS Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 2.0 ---- .text C:\Documents and Settings\Agata\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Z0RONV56\ujx278jt[1].exe[272] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00610048 .text C:\Documents and Settings\Agata\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Z0RONV56\ujx278jt[1].exe[272] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003E004C .text C:\Documents and Settings\Agata\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Z0RONV56\ujx278jt[1].exe[272] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 0061084A .text C:\Documents and Settings\Agata\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Z0RONV56\ujx278jt[1].exe[272] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 0061020E .text C:\Documents and Settings\Agata\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Z0RONV56\ujx278jt[1].exe[272] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 0061012A .text C:\Documents and Settings\Agata\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Z0RONV56\ujx278jt[1].exe[272] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 00610682 .text C:\Documents and Settings\Agata\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Z0RONV56\ujx278jt[1].exe[272] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 0061059E .text C:\Documents and Settings\Agata\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Z0RONV56\ujx278jt[1].exe[272] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 006103D6 .text C:\Documents and Settings\Agata\Ustawienia lokalne\Temporary Internet
Files\Content.IE5\Z0RONV56\ujx278jt[1].exe[272] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 006102F2 .text C:\Documents and Settings\Agata\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Z0RONV56\ujx278jt[1].exe[272] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [7E, 88, EB, F9] {JLE 0xffffff8a; JMP 0xfffffffd} .text C:\Documents and Settings\Agata\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Z0RONV56\ujx278jt[1].exe[272] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 006104BA .text C:\Documents and Settings\Agata\Ustawienia lokalne\Temporary Internet Files\Content.IE5\Z0RONV56\ujx278jt[1].exe[272] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 00610766 .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[444] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048 .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[444] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[444] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[444] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[444] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682 .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[444] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[444] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6 .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[444] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2 .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[444] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC } .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[444] 
ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[444] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766 .text C:\WINDOWS\system32\WLTRAY.exe[512] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 008C0048 .text C:\WINDOWS\system32\WLTRAY.exe[512] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0078004C .text C:\WINDOWS\system32\WLTRAY.exe[512] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 008C020E .text C:\WINDOWS\system32\WLTRAY.exe[512] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 008C012A .text C:\WINDOWS\system32\WLTRAY.exe[512] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 008C0682 .text C:\WINDOWS\system32\WLTRAY.exe[512] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 008C059E .text C:\WINDOWS\system32\WLTRAY.exe[512] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 008C03D6 .text C:\WINDOWS\system32\WLTRAY.exe[512] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 008C02F2 .text C:\WINDOWS\system32\WLTRAY.exe[512] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [A9, 88, EB, F9] .text C:\WINDOWS\system32\WLTRAY.exe[512] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 008C04BA .text C:\WINDOWS\system32\WLTRAY.exe[512] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 008C0766 .text C:\WINDOWS\system32\WLTRAY.exe[512] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 008C0A0E .text C:\Program Files\Internet Explorer\iexplore.exe[1344] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 04980048 .text C:\Program Files\Internet Explorer\iexplore.exe[1344] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 0498012A .text C:\Program Files\Internet Explorer\iexplore.exe[1344] kernel32.dll!VirtualProtectEx + 6E 7C801ACF 7 Bytes JMP 04980676 .text C:\Program Files\Internet Explorer\iexplore.exe[1344] kernel32.dll!ReadProcessMemory + 3E 7C80220E 7 Bytes JMP 049803D0 .text C:\Program 
Files\Internet Explorer\iexplore.exe[1344] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 04980594 .text C:\Program Files\Internet Explorer\iexplore.exe[1344] kernel32.dll!CreateRemoteThread + 206 7C8106D2 7 Bytes JMP 049802EE .text C:\Program Files\Internet Explorer\iexplore.exe[1344] kernel32.dll!GetVersionExA + D3 7C812C51 7 Bytes JMP 04980758 .text C:\Program Files\Internet Explorer\iexplore.exe[1344] kernel32.dll!GetProcessHandleCount + 35 7C86229F 7 Bytes JMP 049804B2 .text C:\Program Files\Internet Explorer\iexplore.exe[1344] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1344] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1344] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1344] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1344] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1344] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1344] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1344] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet 
Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1344] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1344] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1344] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1344] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1344] ole32.dll!CreateBindCtx + B5F 774EF14F 7 Bytes JMP 0498091C .text C:\Program Files\Internet Explorer\iexplore.exe[1344] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1344] ole32.dll!CoImpersonateClient + 51 775051F0 7 Bytes JMP 0498083A .text C:\Program Files\Internet Explorer\iexplore.exe[1344] ole32.dll!OleLoadFromStream 7751981B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\WINDOWS\System32\WLTRYSVC.EXE[1404] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048 .text C:\WINDOWS\System32\WLTRYSVC.EXE[1404] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C .text C:\WINDOWS\System32\WLTRYSVC.EXE[1404] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A .text C:\WINDOWS\System32\WLTRYSVC.EXE[1404] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E .text C:\WINDOWS\System32\WLTRYSVC.EXE[1404] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A .text 
C:\WINDOWS\System32\WLTRYSVC.EXE[1404] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682 .text C:\WINDOWS\System32\WLTRYSVC.EXE[1404] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E .text C:\WINDOWS\System32\WLTRYSVC.EXE[1404] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6 .text C:\WINDOWS\System32\WLTRYSVC.EXE[1404] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2 .text C:\WINDOWS\System32\WLTRYSVC.EXE[1404] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC } .text C:\WINDOWS\System32\WLTRYSVC.EXE[1404] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA .text C:\WINDOWS\System32\WLTRYSVC.EXE[1404] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766 .text C:\WINDOWS\System32\bcmwltry.exe[1428] ntdll.dll!NtMapViewOfSection 7C90D51E 3 Bytes JMP 00910048 .text C:\WINDOWS\System32\bcmwltry.exe[1428] ntdll.dll!NtMapViewOfSection + 4 7C90D522 1 Byte [84] .text C:\WINDOWS\System32\bcmwltry.exe[1428] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 007F004C .text C:\WINDOWS\System32\bcmwltry.exe[1428] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 0091020E .text C:\WINDOWS\System32\bcmwltry.exe[1428] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 0091012A .text C:\WINDOWS\System32\bcmwltry.exe[1428] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 00910682 .text C:\WINDOWS\System32\bcmwltry.exe[1428] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 0091059E .text C:\WINDOWS\System32\bcmwltry.exe[1428] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 009103D6 .text C:\WINDOWS\System32\bcmwltry.exe[1428] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 009102F2 .text C:\WINDOWS\System32\bcmwltry.exe[1428] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [AE, 88, EB, F9] {SCASB ; MOV BL, CH; STC } .text C:\WINDOWS\System32\bcmwltry.exe[1428] 
ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 009104BA .text C:\WINDOWS\System32\bcmwltry.exe[1428] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 00910766 .text C:\WINDOWS\System32\bcmwltry.exe[1428] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 00910A0E .text C:\Program Files\Java\jre6\bin\jqs.exe[1532] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048 .text C:\Program Files\Java\jre6\bin\jqs.exe[1532] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C .text C:\Program Files\Java\jre6\bin\jqs.exe[1532] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E .text C:\Program Files\Java\jre6\bin\jqs.exe[1532] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A .text C:\Program Files\Java\jre6\bin\jqs.exe[1532] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682 .text C:\Program Files\Java\jre6\bin\jqs.exe[1532] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E .text C:\Program Files\Java\jre6\bin\jqs.exe[1532] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6 .text C:\Program Files\Java\jre6\bin\jqs.exe[1532] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2 .text C:\Program Files\Java\jre6\bin\jqs.exe[1532] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC } .text C:\Program Files\Java\jre6\bin\jqs.exe[1532] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA .text C:\Program Files\Java\jre6\bin\jqs.exe[1532] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766 .text C:\Program Files\Java\jre6\bin\jqs.exe[1532] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A .text C:\Program Files\Common Files\Motive\McciCMService.exe[1584] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048 .text C:\Program Files\Common Files\Motive\McciCMService.exe[1584] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C .text C:\Program Files\Common 
Files\Motive\McciCMService.exe[1584] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A .text C:\Program Files\Common Files\Motive\McciCMService.exe[1584] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E .text C:\Program Files\Common Files\Motive\McciCMService.exe[1584] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A .text C:\Program Files\Common Files\Motive\McciCMService.exe[1584] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682 .text C:\Program Files\Common Files\Motive\McciCMService.exe[1584] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E .text C:\Program Files\Common Files\Motive\McciCMService.exe[1584] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6 .text C:\Program Files\Common Files\Motive\McciCMService.exe[1584] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2 .text C:\Program Files\Common Files\Motive\McciCMService.exe[1584] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC } .text C:\Program Files\Common Files\Motive\McciCMService.exe[1584] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA .text C:\Program Files\Common Files\Motive\McciCMService.exe[1584] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766 .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1712] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003D0048 .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1712] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003B004C .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1712] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003D020E .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1712] ADVAPI32.dll!LogonUserExW + 461 
77DE4A04 7 Bytes JMP 003D012A .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1712] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003D0682 .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1712] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003D059E .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1712] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003D03D6 .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1712] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003D02F2 .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1712] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5A, 88, EB, F9] {POP EDX; MOV BL, CH; STC } .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1712] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003D04BA .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1712] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003D0766 .text C:\Documents and Settings\All Users\Dane aplikacji\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1712] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003D084A .text C:\WINDOWS\system32\igfxtray.exe[1836] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00570048 .text C:\WINDOWS\system32\igfxtray.exe[1836] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003F004C .text C:\WINDOWS\system32\igfxtray.exe[1836] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 0057084A .text C:\WINDOWS\system32\igfxtray.exe[1836] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 0057020E .text C:\WINDOWS\system32\igfxtray.exe[1836] ADVAPI32.dll!LogonUserExW + 
461 77DE4A04 7 Bytes JMP 0057012A .text C:\WINDOWS\system32\igfxtray.exe[1836] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 00570682 .text C:\WINDOWS\system32\igfxtray.exe[1836] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 0057059E .text C:\WINDOWS\system32\igfxtray.exe[1836] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 005703D6 .text C:\WINDOWS\system32\igfxtray.exe[1836] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 005702F2 .text C:\WINDOWS\system32\igfxtray.exe[1836] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [74, 88, EB, F9] {JZ 0xffffff8a; JMP 0xfffffffd} .text C:\WINDOWS\system32\igfxtray.exe[1836] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 005704BA .text C:\WINDOWS\system32\igfxtray.exe[1836] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 00570766 .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1852] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048 .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1852] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1852] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1852] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1852] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1852] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682 .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1852] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1852] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6 .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1852] ADVAPI32.dll!ChangeServiceConfig2W + 
83 77E2720C 2 Bytes JMP 003E02F2 .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1852] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC } .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1852] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1852] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766 .text C:\Program Files\Internet Explorer\iexplore.exe[2204] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 0D690048 .text C:\Program Files\Internet Explorer\iexplore.exe[2204] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 0D69012A .text C:\Program Files\Internet Explorer\iexplore.exe[2204] kernel32.dll!VirtualProtectEx + 6E 7C801ACF 4 Bytes JMP 0D690676 .text C:\Program Files\Internet Explorer\iexplore.exe[2204] kernel32.dll!VirtualProtect 7C801AD4 2 Bytes CALL D27A0669 .text C:\Program Files\Internet Explorer\iexplore.exe[2204] kernel32.dll!ReadProcessMemory + 3E 7C80220E 4 Bytes JMP 0D6903D0 .text C:\Program Files\Internet Explorer\iexplore.exe[2204] kernel32.dll!WriteProcessMemory 7C802213 2 Bytes CALL D27A0DA8 .text C:\Program Files\Internet Explorer\iexplore.exe[2204] kernel32.dll!lstrlenW + 43 7C809AEC 4 Bytes JMP 0D690594 .text C:\Program Files\Internet Explorer\iexplore.exe[2204] kernel32.dll!VirtualAlloc 7C809AF1 2 Bytes CALL D27A8686 .text C:\Program Files\Internet Explorer\iexplore.exe[2204] kernel32.dll!CreateRemoteThread + 206 7C8106D2 4 Bytes JMP 0D6902EE .text C:\Program Files\Internet Explorer\iexplore.exe[2204] kernel32.dll!CreateThread 7C8106D7 2 Bytes [EB, F9] {JMP 0xfffffffb} .text C:\Program Files\Internet Explorer\iexplore.exe[2204] kernel32.dll!GetVersionExA + D3 7C812C51 4 Bytes JMP 0D690758 .text C:\Program Files\Internet Explorer\iexplore.exe[2204] kernel32.dll!HeapCreate 7C812C56 2 Bytes [EB, F9] {JMP 0xfffffffb} .text C:\Program Files\Internet Explorer\iexplore.exe[2204] 
kernel32.dll!GetProcessHandleCount + 35 7C86229F 4 Bytes JMP 0D6904B2 .text C:\Program Files\Internet Explorer\iexplore.exe[2204] kernel32.dll!SetProcessDEPPolicy 7C8622A4 2 Bytes [EB, F9] {JMP 0xfffffffb} .text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2204] 
USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2204] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2204] ole32.dll!CreateBindCtx + B5F 774EF14F 7 Bytes JMP 0D690BD2 .text C:\Program Files\Internet Explorer\iexplore.exe[2204] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2204] ole32.dll!CoImpersonateClient + 51 775051F0 7 Bytes JMP 0D690AF0 .text C:\Program Files\Internet Explorer\iexplore.exe[2204] ole32.dll!OleLoadFromStream 7751981B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\WINDOWS\system32\igfxsrvc.exe[2448] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00550048 .text C:\WINDOWS\system32\igfxsrvc.exe[2448] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C .text C:\WINDOWS\system32\igfxsrvc.exe[2448] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 0055084A .text C:\WINDOWS\system32\igfxsrvc.exe[2448] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 0055020E .text C:\WINDOWS\system32\igfxsrvc.exe[2448] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 0055012A .text C:\WINDOWS\system32\igfxsrvc.exe[2448] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 00550682 .text C:\WINDOWS\system32\igfxsrvc.exe[2448] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 0055059E .text C:\WINDOWS\system32\igfxsrvc.exe[2448] ADVAPI32.dll!ChangeServiceConfigA + 193 
77E26FFC 7 Bytes JMP 005503D6 .text C:\WINDOWS\system32\igfxsrvc.exe[2448] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 005502F2 .text C:\WINDOWS\system32\igfxsrvc.exe[2448] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [72, 88, EB, F9] {JB 0xffffff8a; JMP 0xfffffffd} .text C:\WINDOWS\system32\igfxsrvc.exe[2448] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 005504BA .text C:\WINDOWS\system32\igfxsrvc.exe[2448] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 00550766 .text C:\Program Files\Internet Explorer\iexplore.exe[2796] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2796] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2796] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2796] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2796] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2796] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2796] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2796] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 3E3E542A 
C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2796] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2984] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 0F140048 .text C:\Program Files\Internet Explorer\iexplore.exe[2984] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 0F14012A .text C:\Program Files\Internet Explorer\iexplore.exe[2984] kernel32.dll!VirtualProtectEx + 6E 7C801ACF 7 Bytes JMP 0F140676 .text C:\Program Files\Internet Explorer\iexplore.exe[2984] kernel32.dll!ReadProcessMemory + 3E 7C80220E 7 Bytes JMP 0F1403D0 .text C:\Program Files\Internet Explorer\iexplore.exe[2984] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 0F140594 .text C:\Program Files\Internet Explorer\iexplore.exe[2984] kernel32.dll!CreateRemoteThread + 206 7C8106D2 7 Bytes JMP 0F1402EE .text C:\Program Files\Internet Explorer\iexplore.exe[2984] kernel32.dll!GetVersionExA + D3 7C812C51 7 Bytes JMP 0F140758 .text C:\Program Files\Internet Explorer\iexplore.exe[2984] kernel32.dll!GetProcessHandleCount + 35 7C86229F 7 Bytes JMP 0F1404B2 .text C:\Program Files\Internet Explorer\iexplore.exe[2984] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2984] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2984] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2984] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet 
Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2984] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2984] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2984] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2984] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2984] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2984] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2984] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2984] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2984] ole32.dll!CreateBindCtx + B5F 774EF14F 7 Bytes JMP 0F140BD2
.text C:\Program Files\Internet Explorer\iexplore.exe[2984] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2984] ole32.dll!CoImpersonateClient + 51 775051F0 7 Bytes JMP 0F140AF0
.text C:\Program Files\Internet Explorer\iexplore.exe[2984] ole32.dll!OleLoadFromStream 7751981B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\igfxpers.exe[3252] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00540048
.text C:\WINDOWS\system32\igfxpers.exe[3252] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\WINDOWS\system32\igfxpers.exe[3252] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 0054084A
.text C:\WINDOWS\system32\igfxpers.exe[3252] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 0054020E
.text C:\WINDOWS\system32\igfxpers.exe[3252] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 0054012A
.text C:\WINDOWS\system32\igfxpers.exe[3252] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 00540682
.text C:\WINDOWS\system32\igfxpers.exe[3252] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 0054059E
.text C:\WINDOWS\system32\igfxpers.exe[3252] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 005403D6
.text C:\WINDOWS\system32\igfxpers.exe[3252] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 005402F2
.text C:\WINDOWS\system32\igfxpers.exe[3252] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [71, 88, EB, F9] {JNO 0xffffff8a; JMP 0xfffffffd}
.text C:\WINDOWS\system32\igfxpers.exe[3252] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 005404BA
.text C:\WINDOWS\system32\igfxpers.exe[3252] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 00540766
.text C:\WINDOWS\system32\hkcmd.exe[3316] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00570048
.text C:\WINDOWS\system32\hkcmd.exe[3316] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003F004C
.text C:\WINDOWS\system32\hkcmd.exe[3316] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 0057084A
.text C:\WINDOWS\system32\hkcmd.exe[3316] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 0057020E
.text C:\WINDOWS\system32\hkcmd.exe[3316] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 0057012A
.text C:\WINDOWS\system32\hkcmd.exe[3316] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 00570682
.text C:\WINDOWS\system32\hkcmd.exe[3316] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 0057059E
.text C:\WINDOWS\system32\hkcmd.exe[3316] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 005703D6
.text C:\WINDOWS\system32\hkcmd.exe[3316] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 005702F2
.text C:\WINDOWS\system32\hkcmd.exe[3316] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [74, 88, EB, F9] {JZ 0xffffff8a; JMP 0xfffffffd}
.text C:\WINDOWS\system32\hkcmd.exe[3316] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 005704BA
.text C:\WINDOWS\system32\hkcmd.exe[3316] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 00570766
.text C:\WINDOWS\system32\LVCOMSX.EXE[3372] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003F0048
.text C:\WINDOWS\system32\LVCOMSX.EXE[3372] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003B004C
.text C:\WINDOWS\system32\LVCOMSX.EXE[3372] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003F020E
.text C:\WINDOWS\system32\LVCOMSX.EXE[3372] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003F012A
.text C:\WINDOWS\system32\LVCOMSX.EXE[3372] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003F0682
.text C:\WINDOWS\system32\LVCOMSX.EXE[3372] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003F059E
.text C:\WINDOWS\system32\LVCOMSX.EXE[3372] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003F03D6
.text C:\WINDOWS\system32\LVCOMSX.EXE[3372] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003F02F2
.text C:\WINDOWS\system32\LVCOMSX.EXE[3372] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5C, 88, EB, F9] {POP ESP; MOV BL, CH; STC }
.text C:\WINDOWS\system32\LVCOMSX.EXE[3372] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003F04BA
.text C:\WINDOWS\system32\LVCOMSX.EXE[3372] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003F0766
.text C:\WINDOWS\system32\LVCOMSX.EXE[3372] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003F084A

---- User IAT/EAT - GMER 2.0 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[1344] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2204] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2984] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x94 0x83 0xAE 0x32 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0D 0xFB 0xE5 0x96 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x91 0x62 0xA8 0x38 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x8F 0x6F 0xF6 0xAC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x11 0x26 0xC7 0xC3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x94 0x83 0xAE 0x32 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0D 0xFB 0xE5 0x96 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x91 0x62 0xA8 0x38 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x8F 0x6F 0xF6 0xAC ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x11 0x26 0xC7 0xC3 ...

---- Files - GMER 2.0 ----

File C:\Documents and Settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\CmnClnt\00001801.tmp 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\CmnClnt\00006327.tmp 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\CmnClnt\00017933.tmp 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\CmnClnt\00018188.tmp 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\CmnClnt\00020799.tmp 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\CmnClnt\00023764.tmp 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\CmnClnt\00024275.tmp 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\CmnClnt\00026139.tmp 0 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\CmnClnt\00032587.tmp 0 bytes

---- EOF - GMER 2.0 ----