GMER 2.0.18454 - http://www.gmer.net
Rootkit scan 2013-02-01 16:04:42
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 FUJITSU_ rev.0000 298,09GB
Running: rmxmfb4o.exe; Driver: C:\Users\DANUSI~1\AppData\Local\Temp\pxldapow.sys

---- System - GMER 2.0 ----

SSDT 8E605440 ZwAlertResumeThread
SSDT 8E605520 ZwAlertThread
SSDT 8E3A8BD8 ZwAllocateVirtualMemory
SSDT 8DE21308 ZwAlpcConnectPort
SSDT 8E616BC8 ZwAssignProcessToJobObject
SSDT 8E605190 ZwCreateMutant
SSDT 8E6168E8 ZwCreateSymbolicLinkObject
SSDT 8DFB3218 ZwCreateThread
SSDT 8E616CA8 ZwDebugActiveProcess
SSDT 8E3A8DA8 ZwDuplicateObject
SSDT 8E605EB0 ZwFreeVirtualMemory
SSDT 8E605280 ZwImpersonateAnonymousToken
SSDT 8E605360 ZwImpersonateThread
SSDT 8DE212D0 ZwLoadDriver
SSDT 8E605B50 ZwMapViewOfSection
SSDT 8E6050B0 ZwOpenEvent
SSDT 8DFB3100 ZwOpenProcess
SSDT 8E3A8CC8 ZwOpenProcessToken
SSDT 8E616ED0 ZwOpenSection
SSDT 8DFB3030 ZwOpenThread
SSDT 8E616AD8 ZwProtectVirtualMemory
SSDT 8E605600 ZwResumeThread
SSDT 8E6058A0 ZwSetContextThread
SSDT 8E605980 ZwSetInformationProcess
SSDT 8E616D88 ZwSetSystemInformation
SSDT 8E616F90 ZwSuspendProcess
SSDT 8E6056E0 ZwSuspendThread
SSDT 8DFB32F8 ZwTerminateProcess
SSDT 8E6057C0 ZwTerminateThread
SSDT 8E605A70 ZwUnmapViewOfSection
SSDT 8E605F80 ZwWriteVirtualMemory
SSDT 8E6169D8 ZwCreateThreadEx

---- Kernel code sections - GMER 2.0 ----

.text ntoskrnl.exe!KeInsertQueue + 30D 86CBB944 8 Bytes [40, 54, 60, 8E, 20, 55, 60, ...]
.text ntoskrnl.exe!KeInsertQueue + 321 86CBB958 4 Bytes [D8, 8B, 3A, 8E]
.text ntoskrnl.exe!KeInsertQueue + 32D 86CBB964 4 Bytes [08, 13, E2, 8D] {OR [EBX], DL; LOOP 0xffffff91}
.text ntoskrnl.exe!KeInsertQueue + 381 86CBB9B8 4 Bytes JMP E8378243
.text ntoskrnl.exe!KeInsertQueue + 3E5 86CBBA1C 4 Bytes [90, 51, 60, 8E]
.text ...
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x9440F320, 0x3EEB57, 0xE8000020]
.text C:\Program Files\CyberLink\PowerDVD9\000.fcl section is writeable [0xB18FA000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD9\000.fcl entry point in ".vmp2" section [0xB191D050]
.text ntdll.dll!NtTerminateThread 77C95374 5 Bytes [E9, D3, AC, 38, 88] {JMP 0x8838acd8}

---- User code sections - GMER 2.0 ----

.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[292] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0017004C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[292] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 00190768
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[292] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 00190210
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[292] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 001905A0
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[292] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 0019012C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[292] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 0019084C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[292] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 001903D8
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[292] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 00190048
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[292] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 00190684
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[292] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 001904BC
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[292] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 001902F4
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[292] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [9C, 89, EB, F9] {PUSHF ; MOV EBX, EBP; STC }
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[292] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 00190930
.text C:\Program Files\Nero\Update\NASvc.exe[552] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0002004C
.text C:\Program Files\Nero\Update\NASvc.exe[552] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 00170930
.text C:\Program Files\Nero\Update\NASvc.exe[552] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 00170768
.text C:\Program Files\Nero\Update\NASvc.exe[552] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 00170210
.text C:\Program Files\Nero\Update\NASvc.exe[552] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 001705A0
.text C:\Program Files\Nero\Update\NASvc.exe[552] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 0017012C
.text C:\Program Files\Nero\Update\NASvc.exe[552] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 0017084C
.text C:\Program Files\Nero\Update\NASvc.exe[552] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 001703D8
.text C:\Program Files\Nero\Update\NASvc.exe[552] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 00170048
.text C:\Program Files\Nero\Update\NASvc.exe[552] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 00170684
.text C:\Program Files\Nero\Update\NASvc.exe[552] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 001704BC
.text C:\Program Files\Nero\Update\NASvc.exe[552] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 001702F4
.text C:\Program Files\Nero\Update\NASvc.exe[552] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [9A, 89, EB, F9]
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] kernel32.dll!CreateThread 778BCB0E 5 Bytes JMP 6EF175DB C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!SetWindowsHookExW 777887AD 5 Bytes JMP 6EF525AC C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!CallNextHookEx 77788E3B 5 Bytes JMP 6EF77FDF C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!UnhookWindowsHookEx 777898DB 5 Bytes JMP 6EF9ED00 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!EnableWindow 7778CD8B 5 Bytes JMP 6EF59EB4 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DefWindowProcA 7778DB88 7 Bytes JMP 6EF19805 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!CreateWindowExA 7778DC2A 5 Bytes JMP 6EF2363B C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!CreateWindowExW 77791305 5 Bytes JMP 6EF803CF C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DefWindowProcW 777A03B4 7 Bytes JMP 6EF78042 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DialogBoxParamW 777B10B0 5 Bytes JMP 6EEB1893 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DialogBoxIndirectParamW 777B2EF5 5 Bytes JMP 6F0A8FB6 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DialogBoxParamA 777C8152 5 Bytes JMP 6F0A8F51 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!DialogBoxIndirectParamA 777C847D 5 Bytes JMP 6F0A901B C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!MessageBoxIndirectA 777DD4D9 5 Bytes JMP 6F0A8ED8 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!MessageBoxIndirectW 777DD5D3 5 Bytes JMP 6F0A8E5F C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!MessageBoxExA 777DD639 5 Bytes JMP 6F0A8DFB C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] USER32.dll!MessageBoxExW 777DD65D 5 Bytes JMP 6F0A8D97 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] ole32.dll!OleLoadFromStream 775A1E80 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[1332] ole32.dll!OleLoadFromStream 775A1E80 5 Bytes JMP 6F0A9784 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1396] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0016004C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1396] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 00220768
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1396] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 00220210
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1396] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 002205A0
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1396] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 0022012C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1396] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 0022084C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1396] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 002203D8
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1396] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 00220048
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1396] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 00220684
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1396] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 002204BC
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1396] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 002202F4
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1396] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [A5, 89, EB, F9] {MOVSD ; MOV EBX, EBP; STC }
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1396] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 00220930
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1632] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0002004C
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1632] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 00170930
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1632] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 00170768
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1632] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 00170210
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1632] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 001705A0
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1632] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 0017012C
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1632] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 0017084C
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1632] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 001703D8
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1632] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 00170048
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1632] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 00170684
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1632] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 001704BC
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1632] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 001702F4
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1632] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [9A, 89, EB, F9]
.text C:\Program Files\Bonjour\mDNSResponder.exe[2008] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0002004C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2008] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 002B0768
.text C:\Program Files\Bonjour\mDNSResponder.exe[2008] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 002B0210
.text C:\Program Files\Bonjour\mDNSResponder.exe[2008] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 002B05A0
.text C:\Program Files\Bonjour\mDNSResponder.exe[2008] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 002B012C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2008] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 002B084C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2008] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 002B03D8
.text C:\Program Files\Bonjour\mDNSResponder.exe[2008] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 002B0048
.text C:\Program Files\Bonjour\mDNSResponder.exe[2008] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 002B0684
.text C:\Program Files\Bonjour\mDNSResponder.exe[2008] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 002B04BC
.text C:\Program Files\Bonjour\mDNSResponder.exe[2008] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 002B02F4
.text C:\Program Files\Bonjour\mDNSResponder.exe[2008] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [AE, 89, EB, F9] {SCASB ; MOV EBX, EBP; STC }
.text C:\Program Files\Bonjour\mDNSResponder.exe[2008] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 002B0930
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2236] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0002004C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2236] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 003B0930
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2236] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 003B0768
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2236] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 003B0210
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2236] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 003B05A0
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2236] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 003B012C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2236] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 003B084C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2236] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 003B03D8
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2236] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 003B0048
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2236] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 003B0684
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2236] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 003B04BC
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2236] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 003B02F4
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe[2236] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [BE, 89, EB, F9]
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!EnableWindow 7778CD8B 5 Bytes JMP 6EF59EB4 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!DialogBoxParamW 777B10B0 5 Bytes JMP 6EEB1893 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!DialogBoxIndirectParamW 777B2EF5 5 Bytes JMP 6F0A8FB6 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!DialogBoxParamA 777C8152 5 Bytes JMP 6F0A8F51 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!DialogBoxIndirectParamA 777C847D 5 Bytes JMP 6F0A901B C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!MessageBoxIndirectA 777DD4D9 5 Bytes JMP 6F0A8ED8 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!MessageBoxIndirectW 777DD5D3 5 Bytes JMP 6F0A8E5F C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!MessageBoxExA 777DD639 5 Bytes JMP 6F0A8DFB C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2704] USER32.dll!MessageBoxExW 777DD65D 5 Bytes JMP 6F0A8D97 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2928] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0002004C
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2928] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 00170930
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2928] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 00170768
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2928] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 00170210
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2928] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 001705A0
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2928] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 0017012C
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2928] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 0017084C
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2928] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 001703D8
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2928] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 00170048
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2928] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 00170684
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2928] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 001704BC
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2928] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 001702F4
.text C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe[2928] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [9A, 89, EB, F9]
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[2948] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0002004C
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[2948] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 001C0930
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[2948] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 001C0768
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[2948] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 001C0210
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[2948] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 001C05A0
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[2948] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 001C012C
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[2948] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 001C084C
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[2948] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 001C03D8
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[2948] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 001C0048
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[2948] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 001C0684
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[2948] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 001C04BC
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[2948] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 001C02F4
.text C:\Program Files\Samsung\Samsung Magic Doctor\MagicDoctorKbdHk.exe[2948] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [9F, 89, EB, F9] {LAHF ; MOV EBX, EBP; STC }
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[2984] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0016004C
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[2984] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 00280768
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[2984] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 00280210
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[2984] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 002805A0
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[2984] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 0028012C
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[2984] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 0028084C
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[2984] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 002803D8
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[2984] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 00280048
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[2984] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 00280684
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[2984] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 002804BC
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[2984] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 002802F4
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[2984] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [AB, 89, EB, F9] {STOSD ; MOV EBX, EBP; STC }
.text C:\Program Files\Samsung\EBM\EasyBatteryMgr3.exe[2984] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 00280930
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3400] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0002004C
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3400] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 00260930
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3400] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 00260768
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3400] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 00260210
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3400] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 002605A0
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3400] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 0026012C
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3400] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 0026084C
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3400] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 002603D8
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3400] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 00260048
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3400] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 00260684
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3400] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 002604BC
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3400] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 002602F4
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3400] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [A9, 89, EB, F9]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3412] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0002004C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3412] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 00260930
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3412] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 00260768
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3412] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 00260210
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3412] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 002605A0
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3412] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 0026012C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3412] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 0026084C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3412] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 002603D8
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3412] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 00260048
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3412] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 00260684
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3412] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 002604BC
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3412] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 002602F4
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3412] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [A9, 89, EB, F9]
.text C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe[3460] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0002004C
.text C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe[3460] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 001C0930
.text C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe[3460] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 001C0768
.text C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe[3460] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 001C0210
.text C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe[3460] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 001C05A0
.text C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe[3460] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 001C012C
.text C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe[3460] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 001C084C
.text C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe[3460] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 001C03D8
.text C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe[3460] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 001C0048
.text C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe[3460] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 001C0684
.text C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe[3460] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 001C04BC
.text C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe[3460] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 001C02F4
.text C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe[3460] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [9F, 89, EB, F9] {LAHF ; MOV EBX, EBP; STC }
.text C:\Program Files\CyberLink\Shared Files\brs.exe[3484] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0002004C
.text C:\Program Files\CyberLink\Shared Files\brs.exe[3484] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 00160930
.text C:\Program Files\CyberLink\Shared Files\brs.exe[3484] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 00160768
.text C:\Program Files\CyberLink\Shared Files\brs.exe[3484] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 00160210
.text C:\Program Files\CyberLink\Shared Files\brs.exe[3484] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 001605A0
.text C:\Program Files\CyberLink\Shared Files\brs.exe[3484] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 0016012C
.text C:\Program Files\CyberLink\Shared Files\brs.exe[3484] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 0016084C
.text C:\Program Files\CyberLink\Shared Files\brs.exe[3484] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 001603D8
.text C:\Program Files\CyberLink\Shared Files\brs.exe[3484] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 00160048
.text C:\Program Files\CyberLink\Shared Files\brs.exe[3484] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 00160684
.text C:\Program Files\CyberLink\Shared Files\brs.exe[3484] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 001604BC
.text C:\Program Files\CyberLink\Shared Files\brs.exe[3484] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 001602F4
.text C:\Program Files\CyberLink\Shared Files\brs.exe[3484] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [99, 89, EB, F9] {CDQ ; MOV EBX, EBP; STC }
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3512] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0017004C
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3512] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 00230930
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3512] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 00230768
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3512] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 00230210
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3512] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 002305A0
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3512] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 0023012C
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3512] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 0023084C
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3512] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 002303D8
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3512] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 00230048
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3512] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 00230684
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3512] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 002304BC
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3512] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 002302F4
.text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3512] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [A6, 89, EB, F9] {CMPSB ; MOV EBX, EBP; STC }
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3548] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 001F004C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3548] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 003E0768
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3548] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 003E0210
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3548] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 003E05A0
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3548] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 003E012C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3548] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 003E084C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3548] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 003E03D8
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3548] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 003E0048
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3548] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 003E0684
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3548] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 003E04BC
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3548] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 003E02F4
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3548] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [C1, 89, EB, F9]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3548] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 003E0930
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3784] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 001A004C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3784] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 003C0768
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3784] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 003C0210
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3784] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 003C05A0
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3784] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 003C012C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3784] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 003C084C
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3784] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 003C03D8
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3784] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 003C0048
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3784] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 003C0684
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3784] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 003C04BC
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3784] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 003C02F4
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3784] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [BF, 89, EB, F9]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[3784] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 003C0930
.text C:\Users\Danusia i Dominik\Desktop\rmxmfb4o.exe[4608] ntdll.dll!NtTerminateThread 77C95374 5 Bytes JMP 0002004C
.text C:\Users\Danusia i Dominik\Desktop\rmxmfb4o.exe[4608] ADVAPI32.dll!OpenSCManagerA + 125 76762EB8 7 Bytes JMP 00220768
.text C:\Users\Danusia i Dominik\Desktop\rmxmfb4o.exe[4608] ADVAPI32.dll!CloseServiceHandle + AA 7676834F 7 Bytes JMP 00220210
.text C:\Users\Danusia i Dominik\Desktop\rmxmfb4o.exe[4608] ADVAPI32.dll!AreAllAccessesGranted + 3FD 76789EAF 7 Bytes JMP 002205A0
.text C:\Users\Danusia i Dominik\Desktop\rmxmfb4o.exe[4608] ADVAPI32.dll!CreateServiceW + FF 76789FB3 7 Bytes JMP 0022012C
.text C:\Users\Danusia i Dominik\Desktop\rmxmfb4o.exe[4608] ADVAPI32.dll!ControlService + C1 7678A079 7 Bytes JMP 0022084C
.text C:\Users\Danusia i Dominik\Desktop\rmxmfb4o.exe[4608] ADVAPI32.dll!I_ScGetCurrentGroupStateW + 8F 767C6629 7 Bytes JMP 002203D8
.text C:\Users\Danusia i Dominik\Desktop\rmxmfb4o.exe[4608] ADVAPI32.dll!ControlServiceExA + 10E 767C673C 7 Bytes JMP 00220048
.text C:\Users\Danusia i Dominik\Desktop\rmxmfb4o.exe[4608] ADVAPI32.dll!SetServiceObjectSecurity + FB 767C6DD4 7 Bytes JMP 00220684
.text
C:\Users\Danusia i Dominik\Desktop\rmxmfb4o.exe[4608] ADVAPI32.dll!ChangeServiceConfigA + 1A3 767C6F7C 7 Bytes JMP 002204BC .text C:\Users\Danusia i Dominik\Desktop\rmxmfb4o.exe[4608] ADVAPI32.dll!ChangeServiceConfig2W + BB 767C729C 2 Bytes JMP 002202F4 .text C:\Users\Danusia i Dominik\Desktop\rmxmfb4o.exe[4608] ADVAPI32.dll!ChangeServiceConfig2W + BE 767C729F 4 Bytes [A5, 89, EB, F9] {MOVSD ; MOV EBX, EBP; STC } .text C:\Users\Danusia i Dominik\Desktop\rmxmfb4o.exe[4608] USER32.dll!RecordShutdownReason + 36A 777CB7BE 7 Bytes JMP 00220930 ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74757817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7479B4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7475BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7474F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [747575E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7474E7CA] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [747873F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7475DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7474FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7474FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [747471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [747DCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7477C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT 
C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7474D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74746853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7474687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74752AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [6EE2F3FB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation) ---- Registry - GMER 2.0 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cd3e0d6 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cd65b4f Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cd6642e Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002269c9e68c Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002269c9e68c@001e450296a3 0x0D 0x9F 0x95 0x15 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002269c9e68c@0017e370c3ca 0x16 0x15 0xD3 0x11 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x98 0x48 0x03 0x0B ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e4cd3e0d6 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e4cd65b4f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e4cd6642e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002269c9e68c (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002269c9e68c@001e450296a3 0x0D 0x9F 0x95 0x15 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002269c9e68c@0017e370c3ca 0x16 0x15 0xD3 0x11 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x98 0x48 0x03 0x0B ... ---- Files - GMER 2.0 ---- File C:\Users\Danusia i Dominik\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3XTPOZLN\google_pl[1].htm 78381 bytes File C:\Users\Danusia i Dominik\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IE050HX3\-PAXP-deijE[1].gif 43 bytes File C:\Users\Danusia i Dominik\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IE050HX3\161347_100001912617925_3688287_q[1].jpg 2528 bytes File C:\Users\Danusia i Dominik\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S42D3LMV\P5BidgqRQSy[1].js 52084 bytes ---- EOF - GMER 2.0 ----