GMER 1.0.15.15627 - http://www.gmer.net Rootkit scan 2011-05-29 09:28:58 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\00000025 SAMSUNG_SP2514N rev.VF100-41 Running: 45cqxkf7.exe; Driver: C:\DOCUME~1\once.DOM\USTAWI~1\Temp\pgtdapow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xB1075CB2] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xB107E8BC] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xB107E774] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xB107ED7A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xB107EC90] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xB107E348] SSDT spxm.sys ZwEnumerateKey [0xB7EC6CA2] SSDT spxm.sys ZwEnumerateValueKey [0xB7EC7030] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xB1075D62] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xB107E850] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xB107E284] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xB107E2EA] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xB1075DFA] SSDT spxm.sys ZwQueryKey [0xB7EC7108] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xB107E994] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB107EE48] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xB107E952] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xB107EAD6] INT 0x62 ? 8AA5CBF8 INT 0x63 ? 8A8B8F00 INT 0x73 ? 8AAC9BF8 INT 0x83 ? 8AAC9BF8 Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB108B902] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xB108B726] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xB108B860] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 23E8 80501C20 4 Bytes [BC, E8, 07, B1] .text ntkrnlpa.exe!ZwCallbackReturn + 2560 80501D98 4 Bytes [50, E8, 07, B1] .text ntkrnlpa.exe!ZwCallbackReturn + 2584 80501DBC 4 Bytes JMP 84B107E2 .text ntkrnlpa.exe!ZwCallbackReturn + 2648 80501E80 4 Bytes [94, E9, 07, B1] .text ntkrnlpa.exe!ZwCallbackReturn + 26B4 80501EEC 4 Bytes [52, E9, 07, B1] .text ... PAGE ntkrnlpa.exe!ZwLoadDriver 8057969A 7 Bytes JMP B108B864 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!NtCreateSection 805A0816 7 Bytes JMP B108B72A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1DB4 2 Bytes JMP B10872BE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObMakeTemporaryObject + 3 805B1DB7 2 Bytes [AD, 30] PAGE ntkrnlpa.exe!ObInsertObject 805B8C2C 5 Bytes JMP B1088D5C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C74CC 7 Bytes JMP B108B906 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ? spxm.sys Nie można odnaleźć określonego pliku. ! .text USBPORT.SYS!DllUnload B79998AC 5 Bytes JMP 8A8B84E0 .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6E56380, 0x5414D5, 0xE8000020] .text a3jl5edu.SYS B6CE0386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...] .text a3jl5edu.SYS B6CE03AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text a3jl5edu.SYS B6CE03C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH} .text a3jl5edu.SYS B6CE03C9 1 Byte [2E] .text a3jl5edu.SYS B6CE03C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...] .text ... init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xB3C01A00] ---- User code sections - GMER 1.0.15 ---- .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 0013BE51 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0013C031 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 0013C0D3 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62] .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!ReleaseDC 7E36869D 5 Bytes JMP 0013661B .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!GetDC 7E3686C7 5 Bytes JMP 0013659D .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 0013D1EC .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!GetWindowDC 7E369021 5 Bytes JMP 001365DC .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!GetMessageW 7E3691C6 5 Bytes JMP 0014147B .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!PeekMessageW 7E36929B 5 Bytes JMP 001414CB .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!GetCapture 7E3694DA 5 Bytes JMP 001413DC .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!RegisterClassW 7E36A39A 5 Bytes JMP 0013BB14 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!RegisterClassExW 7E36AF7F 5 Bytes JMP 0013BBAE .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!OpenInputDesktop 7E36ECA3 5 Bytes JMP 0013B7A2 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!SwitchDesktop 7E36FE6E 5 Bytes JMP 0013B7F2 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!DefDlgProcW 7E373D3A 5 Bytes JMP 0013B89C .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!GetMessageA 7E37772B 5 Bytes JMP 001414A3 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!RegisterClassExA 7E377C39 5 Bytes JMP 0013BC00 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!DefWindowProcW 7E378D20 5 Bytes JMP 0013B810 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!BeginPaint 7E378FE9 5 Bytes JMP 00136492 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!EndPaint 7E378FFD 5 Bytes JMP 00136502 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!GetCursorPos 7E37974E 5 Bytes JMP 001412AE .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!GetMessagePos 7E37996C 5 Bytes JMP 0014127C .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!CallWindowProcW 7E37A01E 5 Bytes JMP 0013BA46 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!PeekMessageA 7E37A340 5 Bytes JMP 001414F6 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!GetUpdateRect 7E37A8C9 5 Bytes JMP 0013665B .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!CallWindowProcA 7E37A97D 5 Bytes JMP 0013BA8F .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!DefWindowProcA 7E37C17E 5 Bytes JMP 0013B856 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!SetCapture 7E37C35E 5 Bytes JMP 00141332 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!ReleaseCapture 7E37C37A 1 Byte [E9] .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!ReleaseCapture 7E37C37A 5 Bytes JMP 0014138C .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!GetDCEx 7E37C595 5 Bytes JMP 00136542 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!RegisterClassA 7E37EA5E 5 Bytes JMP 0013BB61 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!GetUpdateRgn 7E37F5EC 5 Bytes JMP 001366EE .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!DefFrameProcW 7E380833 5 Bytes JMP 0013B928 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!DefMDIChildProcW 7E380A47 5 Bytes JMP 0013B9BA .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!GetClipboardData 7E380DBA 5 Bytes JMP 0013D352 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!DefDlgProcA 7E38E577 5 Bytes JMP 0013B8E2 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!DefFrameProcA 7E39F965 5 Bytes JMP 0013B971 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!DefMDIChildProcA 7E39F9B4 5 Bytes JMP 0013BA00 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] USER32.dll!SetCursorPos 7E3A61B3 5 Bytes JMP 001412F5 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00137E96 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] WS2_32.dll!send 71A54C27 5 Bytes JMP 00137ECE .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00137EEF .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] CRYPT32.dll!PFXImportCertStore 77ADFF8F 5 Bytes JMP 0013543B .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] WININET.dll!InternetCloseHandle 771B4DA4 5 Bytes JMP 001379C9 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] WININET.dll!HttpSendRequestA 771B60B9 5 Bytes JMP 0013783D .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] WININET.dll!HttpQueryInfoA 771B79DA 5 Bytes JMP 00137AC1 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] WININET.dll!InternetReadFile 771B8302 5 Bytes JMP 00137A0C .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] WININET.dll!HttpSendRequestExW 771BEA11 5 Bytes JMP 00137891 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] WININET.dll!InternetQueryDataAvailable 771C8A77 5 Bytes JMP 00137A95 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] WININET.dll!InternetReadFileExA 771E9380 5 Bytes JMP 00137A4B .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] WININET.dll!HttpSendRequestW 77203254 5 Bytes JMP 001377E9 .text C:\Documents and Settings\once.DOM\Pulpit\Czyszczenie\45cqxkf7.exe[304] WININET.dll!HttpSendRequestExA 77203359 5 Bytes JMP 0013792D .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 0013BE51 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0013C031 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 0013C0D3 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00137E96 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] WS2_32.dll!send 71A54C27 5 Bytes JMP 00137ECE .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00137EEF .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!ReleaseDC 7E36869D 5 Bytes JMP 0013661B .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!GetDC 7E3686C7 5 Bytes JMP 0013659D .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 0013D1EC .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!GetWindowDC 7E369021 5 Bytes JMP 001365DC .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!GetMessageW 7E3691C6 5 Bytes JMP 0014147B .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!PeekMessageW 7E36929B 5 Bytes JMP 001414CB .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!GetCapture 7E3694DA 5 Bytes JMP 001413DC .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!RegisterClassW 7E36A39A 5 Bytes JMP 0013BB14 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!RegisterClassExW 7E36AF7F 5 Bytes JMP 0013BBAE .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!OpenInputDesktop 7E36ECA3 5 Bytes JMP 0013B7A2 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!SwitchDesktop 7E36FE6E 5 Bytes JMP 0013B7F2 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!DefDlgProcW 7E373D3A 5 Bytes JMP 0013B89C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!GetMessageA 7E37772B 5 Bytes JMP 001414A3 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!RegisterClassExA 7E377C39 5 Bytes JMP 0013BC00 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!DefWindowProcW 7E378D20 5 Bytes JMP 0013B810 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!BeginPaint 7E378FE9 5 Bytes JMP 00136492 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!EndPaint 7E378FFD 5 Bytes JMP 00136502 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!GetCursorPos 7E37974E 5 Bytes JMP 001412AE .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!GetMessagePos 7E37996C 5 Bytes JMP 0014127C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!CallWindowProcW 7E37A01E 5 Bytes JMP 0013BA46 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!PeekMessageA 7E37A340 5 Bytes JMP 001414F6 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!GetUpdateRect 7E37A8C9 5 Bytes JMP 0013665B .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!CallWindowProcA 7E37A97D 5 Bytes JMP 0013BA8F .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!DefWindowProcA 7E37C17E 5 Bytes JMP 0013B856 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!SetCapture 7E37C35E 5 Bytes JMP 00141332 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!ReleaseCapture 7E37C37A 1 Byte [E9] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!ReleaseCapture 7E37C37A 5 Bytes JMP 0014138C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!GetDCEx 7E37C595 5 Bytes JMP 00136542 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!RegisterClassA 7E37EA5E 5 Bytes JMP 0013BB61 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!GetUpdateRgn 7E37F5EC 5 Bytes JMP 001366EE .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!DefFrameProcW 7E380833 5 Bytes JMP 0013B928 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!DefMDIChildProcW 7E380A47 5 Bytes JMP 0013B9BA .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!GetClipboardData 7E380DBA 5 Bytes JMP 0013D352 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!DefDlgProcA 7E38E577 5 Bytes JMP 0013B8E2 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!DefFrameProcA 7E39F965 5 Bytes JMP 0013B971 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!DefMDIChildProcA 7E39F9B4 5 Bytes JMP 0013BA00 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!SetCursorPos 7E3A61B3 5 Bytes JMP 001412F5 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 1040C334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] CRYPT32.dll!PFXImportCertStore 77ADFF8F 5 Bytes JMP 0013543B .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] WININET.dll!InternetCloseHandle 771B4DA4 5 Bytes JMP 001379C9 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] WININET.dll!HttpSendRequestA 771B60B9 5 Bytes JMP 0013783D .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] WININET.dll!HttpQueryInfoA 771B79DA 5 Bytes JMP 00137AC1 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] WININET.dll!InternetReadFile 771B8302 5 Bytes JMP 00137A0C .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] WININET.dll!HttpSendRequestExW 771BEA11 5 Bytes JMP 00137891 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] WININET.dll!InternetQueryDataAvailable 771C8A77 5 Bytes JMP 00137A95 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] WININET.dll!InternetReadFileExA 771E9380 5 Bytes JMP 00137A4B .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] WININET.dll!HttpSendRequestW 77203254 5 Bytes JMP 001377E9 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[956] WININET.dll!HttpSendRequestExA 77203359 5 Bytes JMP 0013792D .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 0013BE51 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0013C031 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 0013C0D3 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] CRYPT32.dll!PFXImportCertStore 77ADFF8F 5 Bytes JMP 0013543B .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!ReleaseDC 7E36869D 5 Bytes JMP 0013661B .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!GetDC 7E3686C7 5 Bytes JMP 0013659D .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 0013D1EC .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!GetWindowDC 7E369021 5 Bytes JMP 001365DC .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!GetMessageW 7E3691C6 5 Bytes JMP 0014147B .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!PeekMessageW 7E36929B 5 Bytes JMP 001414CB .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!GetCapture 7E3694DA 5 Bytes JMP 001413DC .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!RegisterClassW 7E36A39A 5 Bytes JMP 0013BB14 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!RegisterClassExW 7E36AF7F 5 Bytes JMP 0013BBAE .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!OpenInputDesktop 7E36ECA3 5 Bytes JMP 0013B7A2 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!SwitchDesktop 7E36FE6E 5 Bytes JMP 0013B7F2 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!DefDlgProcW 7E373D3A 5 Bytes JMP 0013B89C .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!GetMessageA 7E37772B 5 Bytes JMP 001414A3 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!RegisterClassExA 7E377C39 5 Bytes JMP 0013BC00 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!DefWindowProcW 7E378D20 5 Bytes JMP 0013B810 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!BeginPaint 7E378FE9 5 Bytes JMP 00136492 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!EndPaint 7E378FFD 5 Bytes JMP 00136502 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!GetCursorPos 7E37974E 5 Bytes JMP 001412AE .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!GetMessagePos 7E37996C 5 Bytes JMP 0014127C .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!CallWindowProcW 7E37A01E 5 Bytes JMP 0013BA46 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!PeekMessageA 7E37A340 5 Bytes JMP 001414F6 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!GetUpdateRect 7E37A8C9 5 Bytes JMP 0013665B .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!CallWindowProcA 7E37A97D 5 Bytes JMP 0013BA8F .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!DefWindowProcA 7E37C17E 5 Bytes JMP 0013B856 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!SetCapture 7E37C35E 5 Bytes JMP 00141332 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!ReleaseCapture 7E37C37A 1 Byte [E9] .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!ReleaseCapture 7E37C37A 5 Bytes JMP 0014138C .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!GetDCEx 7E37C595 5 Bytes JMP 00136542 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!RegisterClassA 7E37EA5E 5 Bytes JMP 0013BB61 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!GetUpdateRgn 7E37F5EC 5 Bytes JMP 001366EE .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!DefFrameProcW 7E380833 5 Bytes JMP 0013B928 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!DefMDIChildProcW 7E380A47 5 Bytes JMP 0013B9BA .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!GetClipboardData 7E380DBA 5 Bytes JMP 0013D352 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!DefDlgProcA 7E38E577 5 Bytes JMP 0013B8E2 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!DefFrameProcA 7E39F965 5 Bytes JMP 0013B971 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!DefMDIChildProcA 7E39F9B4 5 Bytes JMP 0013BA00 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] USER32.dll!SetCursorPos 7E3A61B3 5 Bytes JMP 001412F5 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] WININET.dll!InternetCloseHandle 771B4DA4 5 Bytes JMP 001379C9 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] WININET.dll!HttpSendRequestA 771B60B9 5 Bytes JMP 0013783D .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] WININET.dll!HttpQueryInfoA 771B79DA 5 Bytes JMP 00137AC1 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] WININET.dll!InternetReadFile 771B8302 5 Bytes JMP 00137A0C .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] WININET.dll!HttpSendRequestExW 771BEA11 5 Bytes JMP 00137891 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] WININET.dll!InternetQueryDataAvailable 771C8A77 5 Bytes JMP 00137A95 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] WININET.dll!InternetReadFileExA 771E9380 5 Bytes JMP 00137A4B .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] WININET.dll!HttpSendRequestW 77203254 5 Bytes JMP 001377E9 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] WININET.dll!HttpSendRequestExA 77203359 5 Bytes JMP 0013792D .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00137E96 .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] WS2_32.dll!send 71A54C27 5 Bytes JMP 00137ECE .text C:\Program Files\Java\jre6\bin\jucheck.exe[996] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00137EEF .text C:\WINDOWS\system32\wuauclt.exe[1052] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00EBBE51 .text C:\WINDOWS\system32\wuauclt.exe[1052] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00EBC031 .text C:\WINDOWS\system32\wuauclt.exe[1052] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[1052] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC .text C:\WINDOWS\system32\wuauclt.exe[1052] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00EBC0D3 .text C:\WINDOWS\system32\wuauclt.exe[1052] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[1052] ADVAPI32.dll!SetServiceObjectSecurity 77E26D81 5 Bytes JMP 00381014 .text C:\WINDOWS\system32\wuauclt.exe[1052] ADVAPI32.dll!ChangeServiceConfigA 77E26E69 5 Bytes JMP 00380804 .text C:\WINDOWS\system32\wuauclt.exe[1052] ADVAPI32.dll!ChangeServiceConfigW 77E27001 5 Bytes JMP 00380A08 .text C:\WINDOWS\system32\wuauclt.exe[1052] ADVAPI32.dll!ChangeServiceConfig2A 77E27101 5 Bytes JMP 00380C0C .text C:\WINDOWS\system32\wuauclt.exe[1052] ADVAPI32.dll!ChangeServiceConfig2W 77E27189 5 Bytes JMP 00380E10 .text C:\WINDOWS\system32\wuauclt.exe[1052] ADVAPI32.dll!CreateServiceA 77E27211 5 Bytes JMP 003801F8 .text C:\WINDOWS\system32\wuauclt.exe[1052] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003803FC .text C:\WINDOWS\system32\wuauclt.exe[1052] ADVAPI32.dll!DeleteService 77E274B1 5 Bytes JMP 00380600 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!ReleaseDC 7E36869D 5 Bytes JMP 00EB661B .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!GetDC 7E3686C7 5 Bytes JMP 00EB659D .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 00EBD1EC .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!GetWindowDC 7E369021 5 Bytes JMP 00EB65DC .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!GetMessageW 7E3691C6 5 Bytes JMP 00EC147B .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!PeekMessageW 7E36929B 5 Bytes JMP 00EC14CB .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!GetCapture 7E3694DA 5 Bytes JMP 00EC13DC .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!RegisterClassW 7E36A39A 5 Bytes JMP 00EBBB14 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!RegisterClassExW 7E36AF7F 5 Bytes JMP 00EBBBAE .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!OpenInputDesktop 7E36ECA3 5 Bytes JMP 00EBB7A2 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!SwitchDesktop 7E36FE6E 5 Bytes JMP 00EBB7F2 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!DefDlgProcW 7E373D3A 5 Bytes JMP 00EBB89C .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!GetMessageA 7E37772B 5 Bytes JMP 00EC14A3 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!RegisterClassExA 7E377C39 5 Bytes JMP 00EBBC00 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00390804 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!DefWindowProcW 7E378D20 5 Bytes JMP 00EBB810 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!BeginPaint 7E378FE9 5 Bytes JMP 00EB6492 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!EndPaint 7E378FFD 5 Bytes JMP 00EB6502 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!GetCursorPos 7E37974E 5 Bytes JMP 00EC12AE .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!GetMessagePos 7E37996C 5 Bytes JMP 00EC127C .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!CallWindowProcW 7E37A01E 5 Bytes JMP 00EBBA46 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!PeekMessageA 7E37A340 5 Bytes JMP 00EC14F6 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!GetUpdateRect 7E37A8C9 5 Bytes JMP 00EB665B .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!CallWindowProcA 7E37A97D 5 Bytes JMP 00EBBA8F .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!DefWindowProcA 7E37C17E 5 Bytes JMP 00EBB856 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!SetCapture 7E37C35E 5 Bytes JMP 00EC1332 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!ReleaseCapture 7E37C37A 1 Byte [E9] .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!ReleaseCapture 7E37C37A 5 Bytes JMP 00EC138C .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!GetDCEx 7E37C595 5 Bytes JMP 00EB6542 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 00390A08 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!RegisterClassA 7E37EA5E 5 Bytes JMP 00EBBB61 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!GetUpdateRgn 7E37F5EC 5 Bytes JMP 00EB66EE .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!DefFrameProcW 7E380833 5 Bytes JMP 00EBB928 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!DefMDIChildProcW 7E380A47 5 Bytes JMP 00EBB9BA .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!GetClipboardData 7E380DBA 5 Bytes JMP 00EBD352 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 00390600 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 003901F8 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!UnhookWinEvent 7E3818AC 3 Bytes JMP 003903FC .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!UnhookWinEvent + 4 7E3818B0 1 Byte [82] .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!DefDlgProcA 7E38E577 5 Bytes JMP 00EBB8E2 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!DefFrameProcA 7E39F965 5 Bytes JMP 00EBB971 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!DefMDIChildProcA 7E39F9B4 5 Bytes JMP 00EBBA00 .text C:\WINDOWS\system32\wuauclt.exe[1052] USER32.dll!SetCursorPos 7E3A61B3 5 Bytes JMP 00EC12F5 .text C:\WINDOWS\system32\wuauclt.exe[1052] CRYPT32.dll!PFXImportCertStore 77ADFF8F 5 Bytes JMP 00EB543B .text C:\WINDOWS\system32\wuauclt.exe[1052] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00EB7E96 .text C:\WINDOWS\system32\wuauclt.exe[1052] WS2_32.dll!send 71A54C27 5 Bytes JMP 00EB7ECE .text C:\WINDOWS\system32\wuauclt.exe[1052] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00EB7EEF .text C:\WINDOWS\system32\wuauclt.exe[1052] WININET.dll!InternetCloseHandle 771B4DA4 5 Bytes JMP 00EB79C9 .text C:\WINDOWS\system32\wuauclt.exe[1052] WININET.dll!HttpSendRequestA 771B60B9 5 Bytes JMP 00EB783D .text C:\WINDOWS\system32\wuauclt.exe[1052] WININET.dll!HttpQueryInfoA 771B79DA 5 Bytes JMP 00EB7AC1 .text C:\WINDOWS\system32\wuauclt.exe[1052] WININET.dll!InternetReadFile 771B8302 5 Bytes JMP 00EB7A0C .text C:\WINDOWS\system32\wuauclt.exe[1052] WININET.dll!HttpSendRequestExW 771BEA11 5 Bytes JMP 00EB7891 .text C:\WINDOWS\system32\wuauclt.exe[1052] WININET.dll!InternetQueryDataAvailable 771C8A77 5 Bytes JMP 00EB7A95 .text C:\WINDOWS\system32\wuauclt.exe[1052] WININET.dll!InternetReadFileExA 771E9380 5 Bytes JMP 00EB7A4B .text C:\WINDOWS\system32\wuauclt.exe[1052] WININET.dll!HttpSendRequestW 77203254 5 Bytes JMP 00EB77E9 .text C:\WINDOWS\system32\wuauclt.exe[1052] WININET.dll!HttpSendRequestExA 77203359 5 Bytes JMP 00EB792D .text C:\WINDOWS\Explorer.EXE[1392] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00ADBE51 .text C:\WINDOWS\Explorer.EXE[1392] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00ADC031 .text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00ADC0D3 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!ReleaseDC 7E36869D 5 Bytes JMP 00AD661B .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!GetDC 7E3686C7 5 Bytes JMP 00AD659D .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 00ADD1EC .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!GetWindowDC 7E369021 5 Bytes JMP 00AD65DC .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!GetMessageW 7E3691C6 5 Bytes JMP 00AE147B .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!PeekMessageW 7E36929B 5 Bytes JMP 00AE14CB .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!GetCapture 7E3694DA 5 Bytes JMP 00AE13DC .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!RegisterClassW 7E36A39A 5 Bytes JMP 00ADBB14 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!RegisterClassExW 7E36AF7F 5 Bytes JMP 00ADBBAE .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!OpenInputDesktop 7E36ECA3 5 Bytes JMP 00ADB7A2 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!SwitchDesktop 7E36FE6E 5 Bytes JMP 00ADB7F2 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!DefDlgProcW 7E373D3A 5 Bytes JMP 00ADB89C .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!GetMessageA 7E37772B 5 Bytes JMP 00AE14A3 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!RegisterClassExA 7E377C39 5 Bytes JMP 00ADBC00 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!DefWindowProcW 7E378D20 5 Bytes JMP 00ADB810 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!BeginPaint 7E378FE9 5 Bytes JMP 00AD6492 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!EndPaint 7E378FFD 5 Bytes JMP 00AD6502 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!GetCursorPos 7E37974E 5 Bytes JMP 00AE12AE .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!GetMessagePos 7E37996C 5 Bytes JMP 00AE127C .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!CallWindowProcW 7E37A01E 5 Bytes JMP 00ADBA46 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!PeekMessageA 7E37A340 5 Bytes JMP 00AE14F6 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!GetUpdateRect 7E37A8C9 5 Bytes JMP 00AD665B .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!CallWindowProcA 7E37A97D 5 Bytes JMP 00ADBA8F .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!DefWindowProcA 7E37C17E 5 Bytes JMP 00ADB856 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!SetCapture 7E37C35E 5 Bytes JMP 00AE1332 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!ReleaseCapture 7E37C37A 1 Byte [E9] .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!ReleaseCapture 7E37C37A 5 Bytes JMP 00AE138C .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!GetDCEx 7E37C595 5 Bytes JMP 00AD6542 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!RegisterClassA 7E37EA5E 5 Bytes JMP 00ADBB61 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!GetUpdateRgn 7E37F5EC 5 Bytes JMP 00AD66EE .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!DefFrameProcW 7E380833 5 Bytes JMP 00ADB928 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!DefMDIChildProcW 7E380A47 5 Bytes JMP 00ADB9BA .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!GetClipboardData 7E380DBA 5 Bytes JMP 00ADD352 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!DefDlgProcA 7E38E577 5 Bytes JMP 00ADB8E2 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!DefFrameProcA 7E39F965 5 Bytes JMP 00ADB971 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!DefMDIChildProcA 7E39F9B4 5 Bytes JMP 00ADBA00 .text C:\WINDOWS\Explorer.EXE[1392] USER32.dll!SetCursorPos 7E3A61B3 5 Bytes JMP 00AE12F5 .text C:\WINDOWS\Explorer.EXE[1392] CRYPT32.dll!PFXImportCertStore 77ADFF8F 5 Bytes JMP 00AD543B .text C:\WINDOWS\Explorer.EXE[1392] WININET.dll!InternetCloseHandle 771B4DA4 5 Bytes JMP 00AD79C9 .text C:\WINDOWS\Explorer.EXE[1392] WININET.dll!HttpSendRequestA 771B60B9 5 Bytes JMP 00AD783D .text C:\WINDOWS\Explorer.EXE[1392] WININET.dll!HttpQueryInfoA 771B79DA 5 Bytes JMP 00AD7AC1 .text C:\WINDOWS\Explorer.EXE[1392] WININET.dll!InternetReadFile 771B8302 5 Bytes JMP 00AD7A0C .text C:\WINDOWS\Explorer.EXE[1392] WININET.dll!HttpSendRequestExW 771BEA11 5 Bytes JMP 00AD7891 .text C:\WINDOWS\Explorer.EXE[1392] WININET.dll!InternetQueryDataAvailable 771C8A77 5 Bytes JMP 00AD7A95 .text C:\WINDOWS\Explorer.EXE[1392] WININET.dll!InternetReadFileExA 771E9380 5 Bytes JMP 00AD7A4B .text C:\WINDOWS\Explorer.EXE[1392] WININET.dll!HttpSendRequestW 77203254 5 Bytes JMP 00AD77E9 .text C:\WINDOWS\Explorer.EXE[1392] WININET.dll!HttpSendRequestExA 77203359 5 Bytes JMP 00AD792D .text C:\WINDOWS\Explorer.EXE[1392] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00AD7E96 .text C:\WINDOWS\Explorer.EXE[1392] WS2_32.dll!send 71A54C27 5 Bytes JMP 00AD7ECE .text C:\WINDOWS\Explorer.EXE[1392] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00AD7EEF .text C:\WINDOWS\system32\wuauclt.exe[1852] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[1852] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2724] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2724] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2724] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 0013BE51 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0013C031 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 0013C0D3 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00137E96 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] WS2_32.dll!send 71A54C27 5 Bytes JMP 00137ECE .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00137EEF .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!ReleaseDC 7E36869D 5 Bytes JMP 0013661B .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!GetDC 7E3686C7 5 Bytes JMP 0013659D .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 0013D1EC .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!GetWindowDC 7E369021 5 Bytes JMP 001365DC .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!GetMessageW 7E3691C6 5 Bytes JMP 0014147B .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!PeekMessageW 7E36929B 5 Bytes JMP 001414CB .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!GetCapture 7E3694DA 5 Bytes JMP 001413DC .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!RegisterClassW 7E36A39A 5 Bytes JMP 0013BB14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!RegisterClassExW 7E36AF7F 5 Bytes JMP 0013BBAE .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!OpenInputDesktop 7E36ECA3 5 Bytes JMP 0013B7A2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!SwitchDesktop 7E36FE6E 5 Bytes JMP 0013B7F2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!DefDlgProcW 7E373D3A 5 Bytes JMP 0013B89C .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!GetMessageA 7E37772B 5 Bytes JMP 001414A3 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!RegisterClassExA 7E377C39 5 Bytes JMP 0013BC00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!DefWindowProcW 7E378D20 5 Bytes JMP 0013B810 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!BeginPaint 7E378FE9 5 Bytes JMP 00136492 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!EndPaint 7E378FFD 5 Bytes JMP 00136502 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!GetCursorPos 7E37974E 5 Bytes JMP 001412AE .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!GetMessagePos 7E37996C 5 Bytes JMP 0014127C .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!CallWindowProcW 7E37A01E 5 Bytes JMP 0013BA46 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!PeekMessageA 7E37A340 5 Bytes JMP 001414F6 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!GetUpdateRect 7E37A8C9 5 Bytes JMP 0013665B .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!CallWindowProcA 7E37A97D 5 Bytes JMP 0013BA8F .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!DefWindowProcA 7E37C17E 5 Bytes JMP 0013B856 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!SetCapture 7E37C35E 5 Bytes JMP 00141332 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!ReleaseCapture 7E37C37A 1 Byte [E9] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!ReleaseCapture 7E37C37A 5 Bytes JMP 0014138C .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!GetDCEx 7E37C595 5 Bytes JMP 00136542 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!RegisterClassA 7E37EA5E 5 Bytes JMP 0013BB61 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!GetUpdateRgn 7E37F5EC 5 Bytes JMP 001366EE .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!DefFrameProcW 7E380833 5 Bytes JMP 0013B928 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!DefMDIChildProcW 7E380A47 5 Bytes JMP 0013B9BA .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!GetClipboardData 7E380DBA 5 Bytes JMP 0013D352 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!DefDlgProcA 7E38E577 5 Bytes JMP 0013B8E2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!DefFrameProcA 7E39F965 5 Bytes JMP 0013B971 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!DefMDIChildProcA 7E39F9B4 5 Bytes JMP 0013BA00 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] USER32.dll!SetCursorPos 7E3A61B3 5 Bytes JMP 001412F5 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] WININET.dll!InternetCloseHandle 771B4DA4 5 Bytes JMP 001379C9 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] WININET.dll!HttpSendRequestA 771B60B9 5 Bytes JMP 0013783D .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] WININET.dll!HttpQueryInfoA 771B79DA 5 Bytes JMP 00137AC1 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] WININET.dll!InternetReadFile 771B8302 5 Bytes JMP 00137A0C .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] WININET.dll!HttpSendRequestExW 771BEA11 5 Bytes JMP 00137891 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] WININET.dll!InternetQueryDataAvailable 771C8A77 5 Bytes JMP 00137A95 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] WININET.dll!InternetReadFileExA 771E9380 5 Bytes JMP 00137A4B .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] WININET.dll!HttpSendRequestW 77203254 5 Bytes JMP 001377E9 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] WININET.dll!HttpSendRequestExA 77203359 5 Bytes JMP 0013792D .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2788] CRYPT32.dll!PFXImportCertStore 77ADFF8F 5 Bytes JMP 0013543B .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 0013BE51 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0013C031 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 0013C0D3 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00137E96 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] WS2_32.dll!send 71A54C27 5 Bytes JMP 00137ECE .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00137EEF .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!ReleaseDC 7E36869D 5 Bytes JMP 0013661B .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!GetDC 7E3686C7 5 Bytes JMP 0013659D .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 0013D1EC .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!GetWindowDC 7E369021 5 Bytes JMP 001365DC .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!GetMessageW 7E3691C6 5 Bytes JMP 0014147B .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!PeekMessageW 7E36929B 5 Bytes JMP 001414CB .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!GetCapture 7E3694DA 5 Bytes JMP 001413DC .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!RegisterClassW 7E36A39A 5 Bytes JMP 0013BB14 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!RegisterClassExW 7E36AF7F 5 Bytes JMP 0013BBAE .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!OpenInputDesktop 7E36ECA3 5 Bytes JMP 0013B7A2 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!SwitchDesktop 7E36FE6E 5 Bytes JMP 0013B7F2 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!DefDlgProcW 7E373D3A 5 Bytes JMP 0013B89C .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!GetMessageA 7E37772B 5 Bytes JMP 001414A3 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!RegisterClassExA 7E377C39 5 Bytes JMP 0013BC00 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!DefWindowProcW 7E378D20 5 Bytes JMP 0013B810 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!BeginPaint 7E378FE9 5 Bytes JMP 00136492 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!EndPaint 7E378FFD 5 Bytes JMP 00136502 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!GetCursorPos 7E37974E 5 Bytes JMP 001412AE .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!GetMessagePos 7E37996C 5 Bytes JMP 0014127C .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!CallWindowProcW 7E37A01E 5 Bytes JMP 0013BA46 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!PeekMessageA 7E37A340 5 Bytes JMP 001414F6 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!GetUpdateRect 7E37A8C9 5 Bytes JMP 0013665B .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!CallWindowProcA 7E37A97D 5 Bytes JMP 0013BA8F .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!DefWindowProcA 7E37C17E 5 Bytes JMP 0013B856 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!SetCapture 7E37C35E 5 Bytes JMP 00141332 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!ReleaseCapture 7E37C37A 1 Byte [E9] .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!ReleaseCapture 7E37C37A 5 Bytes JMP 0014138C .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!GetDCEx 7E37C595 5 Bytes JMP 00136542 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!RegisterClassA 7E37EA5E 5 Bytes JMP 0013BB61 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!GetUpdateRgn 7E37F5EC 5 Bytes JMP 001366EE .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!DefFrameProcW 7E380833 5 Bytes JMP 0013B928 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!DefMDIChildProcW 7E380A47 5 Bytes JMP 0013B9BA .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!GetClipboardData 7E380DBA 5 Bytes JMP 0013D352 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!DefDlgProcA 7E38E577 5 Bytes JMP 0013B8E2 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!DefFrameProcA 7E39F965 5 Bytes JMP 0013B971 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!DefMDIChildProcA 7E39F9B4 5 Bytes JMP 0013BA00 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] USER32.dll!SetCursorPos 7E3A61B3 5 Bytes JMP 001412F5 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] CRYPT32.dll!PFXImportCertStore 77ADFF8F 5 Bytes JMP 0013543B .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] WININET.dll!InternetCloseHandle 771B4DA4 5 Bytes JMP 001379C9 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] WININET.dll!HttpSendRequestA 771B60B9 5 Bytes JMP 0013783D .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] WININET.dll!HttpQueryInfoA 771B79DA 5 Bytes JMP 00137AC1 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] WININET.dll!InternetReadFile 771B8302 5 Bytes JMP 00137A0C .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] WININET.dll!HttpSendRequestExW 771BEA11 5 Bytes JMP 00137891 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] WININET.dll!InternetQueryDataAvailable 771C8A77 5 Bytes JMP 00137A95 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] WININET.dll!InternetReadFileExA 771E9380 5 Bytes JMP 00137A4B .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] WININET.dll!HttpSendRequestW 77203254 5 Bytes JMP 001377E9 .text C:\Program Files\Mozilla Firefox\firefox.exe[3504] WININET.dll!HttpSendRequestExA 77203359 5 Bytes JMP 0013792D .text C:\WINDOWS\system32\wscntfy.exe[3760] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00B0BE51 .text C:\WINDOWS\system32\wscntfy.exe[3760] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00B0C031 .text C:\WINDOWS\system32\wscntfy.exe[3760] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[3760] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 00B0C0D3 .text C:\WINDOWS\system32\wscntfy.exe[3760] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!ReleaseDC 7E36869D 5 Bytes JMP 00B0661B .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!GetDC 7E3686C7 5 Bytes JMP 00B0659D .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!TranslateMessage 7E368BF6 5 Bytes JMP 00B0D1EC .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!GetWindowDC 7E369021 5 Bytes JMP 00B065DC .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!GetMessageW 7E3691C6 5 Bytes JMP 00B1147B .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!PeekMessageW 7E36929B 5 Bytes JMP 00B114CB .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!GetCapture 7E3694DA 5 Bytes JMP 00B113DC .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!RegisterClassW 7E36A39A 5 Bytes JMP 00B0BB14 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!RegisterClassExW 7E36AF7F 5 Bytes JMP 00B0BBAE .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!OpenInputDesktop 7E36ECA3 5 Bytes JMP 00B0B7A2 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!SwitchDesktop 7E36FE6E 5 Bytes JMP 00B0B7F2 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!DefDlgProcW 7E373D3A 5 Bytes JMP 00B0B89C .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!GetMessageA 7E37772B 5 Bytes JMP 00B114A3 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!RegisterClassExA 7E377C39 5 Bytes JMP 00B0BC00 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!DefWindowProcW 7E378D20 5 Bytes JMP 00B0B810 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!BeginPaint 7E378FE9 5 Bytes JMP 00B06492 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!EndPaint 7E378FFD 5 Bytes JMP 00B06502 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!GetCursorPos 7E37974E 5 Bytes JMP 00B112AE .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!GetMessagePos 7E37996C 5 Bytes JMP 00B1127C .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!CallWindowProcW 7E37A01E 5 Bytes JMP 00B0BA46 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!PeekMessageA 7E37A340 5 Bytes JMP 00B114F6 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!GetUpdateRect 7E37A8C9 5 Bytes JMP 00B0665B .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!CallWindowProcA 7E37A97D 5 Bytes JMP 00B0BA8F .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!DefWindowProcA 7E37C17E 5 Bytes JMP 00B0B856 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!SetCapture 7E37C35E 5 Bytes JMP 00B11332 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!ReleaseCapture 7E37C37A 1 Byte [E9] .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!ReleaseCapture 7E37C37A 5 Bytes JMP 00B1138C .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!GetDCEx 7E37C595 5 Bytes JMP 00B06542 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!RegisterClassA 7E37EA5E 5 Bytes JMP 00B0BB61 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!GetUpdateRgn 7E37F5EC 5 Bytes JMP 00B066EE .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!DefFrameProcW 7E380833 5 Bytes JMP 00B0B928 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!DefMDIChildProcW 7E380A47 5 Bytes JMP 00B0B9BA .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!GetClipboardData 7E380DBA 5 Bytes JMP 00B0D352 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!DefDlgProcA 7E38E577 5 Bytes JMP 00B0B8E2 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!DefFrameProcA 7E39F965 5 Bytes JMP 00B0B971 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!DefMDIChildProcA 7E39F9B4 5 Bytes JMP 00B0BA00 .text C:\WINDOWS\system32\wscntfy.exe[3760] USER32.dll!SetCursorPos 7E3A61B3 5 Bytes JMP 00B112F5 .text C:\WINDOWS\system32\wscntfy.exe[3760] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00B07E96 .text C:\WINDOWS\system32\wscntfy.exe[3760] WS2_32.dll!send 71A54C27 5 Bytes JMP 00B07ECE .text C:\WINDOWS\system32\wscntfy.exe[3760] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00B07EEF .text C:\WINDOWS\system32\wscntfy.exe[3760] CRYPT32.dll!PFXImportCertStore 77ADFF8F 5 Bytes JMP 00B0543B .text C:\WINDOWS\system32\wscntfy.exe[3760] WININET.dll!InternetCloseHandle 771B4DA4 5 Bytes JMP 00B079C9 .text C:\WINDOWS\system32\wscntfy.exe[3760] WININET.dll!HttpSendRequestA 771B60B9 5 Bytes JMP 00B0783D .text C:\WINDOWS\system32\wscntfy.exe[3760] WININET.dll!HttpQueryInfoA 771B79DA 5 Bytes JMP 00B07AC1 .text C:\WINDOWS\system32\wscntfy.exe[3760] WININET.dll!InternetReadFile 771B8302 5 Bytes JMP 00B07A0C .text C:\WINDOWS\system32\wscntfy.exe[3760] WININET.dll!HttpSendRequestExW 771BEA11 5 Bytes JMP 00B07891 .text C:\WINDOWS\system32\wscntfy.exe[3760] WININET.dll!InternetQueryDataAvailable 771C8A77 5 Bytes JMP 00B07A95 .text C:\WINDOWS\system32\wscntfy.exe[3760] WININET.dll!InternetReadFileExA 771E9380 5 Bytes JMP 00B07A4B .text C:\WINDOWS\system32\wscntfy.exe[3760] WININET.dll!HttpSendRequestW 77203254 5 Bytes JMP 00B077E9 .text C:\WINDOWS\system32\wscntfy.exe[3760] WININET.dll!HttpSendRequestExA 77203359 5 Bytes JMP 00B0792D ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EA9040] spxm.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EA913C] spxm.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EA90BE] spxm.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EA97FC] spxm.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EA96D2] spxm.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EB9048] spxm.sys IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[HAL.dll!KfAcquireSpinLock] 8BEC8B55 IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[HAL.dll!READ_PORT_UCHAR] 00C73445 IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[HAL.dll!KeGetCurrentIrql] 00000000 IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[HAL.dll!KfRaiseIrql] 830C458B IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[HAL.dll!KfLowerIrql] C0840CEC IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[HAL.dll!HalGetInterruptVector] 053C0D74 IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[HAL.dll!HalTranslateBusAddress] 57B80974 IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[HAL.dll!KeStallExecutionProcessor] 8B000000 IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[HAL.dll!KfReleaseSpinLock] 56C35DE5 IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D08758B IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[HAL.dll!READ_PORT_USHORT] 8D51FC4D IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 8D52FD55 IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[HAL.dll!WRITE_PORT_UCHAR] 8D51FE4D IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[WMILIB.SYS!WmiSystemControl] 8D51F84D IAT \SystemRoot\System32\Drivers\a3jl5edu.SYS[WMILIB.SYS!WmiCompleteRequest] 5052F455 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\system32\winlogon.exe[628] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtLockProductActivationKeys] [0500073E] C:\WINDOWS\system32\antiwpa.dll IAT C:\WINDOWS\system32\winlogon.exe[628] @ C:\WINDOWS\system32\winlogon.exe [USER32.dll!GetSystemMetrics] [05000756] C:\WINDOWS\system32\antiwpa.dll IAT C:\WINDOWS\system32\services.exe[672] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00040002 IAT C:\WINDOWS\system32\services.exe[672] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00040000 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) Device \FileSystem\Ntfs \Ntfs 8AAC81F8 Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software) Device \FileSystem\Fastfat \FatCdrom 8A32C500 AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\usbohci \Device\USBPDO-0 8A8B9500 Device \Driver\usbehci \Device\USBPDO-1 8A8BB500 Device \Driver\PCI_PNP9386 \Device\00000039 spxm.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\USBSTOR \Device\00000063 8A327500 Device \Driver\Ftdisk \Device\HarddiskVolume1 8AACA1F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8AACA1F8 Device \Driver\USBSTOR \Device\00000065 8A327500 Device \Driver\Cdrom \Device\CdRom0 8A8D71F8 Device \Driver\atapi \Device\Ide\IdePort0 [B7E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B7E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Ftdisk \Device\HarddiskVolume3 8AACA1F8 Device \Driver\Cdrom \Device\CdRom1 8A8D71F8 Device \Driver\Ftdisk \Device\HarddiskVolume4 8AACA1F8 Device \Driver\Ftdisk \Device\HarddiskVolume5 8AACA1F8 Device \Driver\sptd \Device\2957444386 spxm.sys Device \Driver\NetBT \Device\NetBt_Wins_Export 8A80C1F8 Device \Driver\NetBT \Device\NetbiosSmb 8A80C1F8 Device \Driver\nvata \Device\0000005a 8AAC91F8 Device \Driver\nvata \Device\0000005b 8AAC91F8 AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\NetBT \Device\NetBT_Tcpip_{6D8FF944-6951-4F7F-8515-9A34F1F171BE} 8A80C1F8 Device \Driver\usbohci \Device\USBFDO-0 8A8B9500 Device \Driver\usbehci \Device\USBFDO-1 8A8BB500 Device \Driver\nvata \Device\NvAta0 8AAC91F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A442500 Device \Driver\nvata \Device\NvAta1 8AAC91F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A442500 Device \Driver\Ftdisk \Device\FtControl 8AACA1F8 Device \Driver\a3jl5edu \Device\Scsi\a3jl5edu1 8A25B1F8 Device \Driver\a3jl5edu \Device\Scsi\a3jl5edu1Port4Path0Target0Lun0 8A25B1F8 Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software) Device \FileSystem\Fastfat \Fat 8A32C500 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs 8A369500 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5B 0x69 0x5B 0x52 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x6C 0x47 0x38 0x5A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xC2 0x9A 0xD1 0xEA ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5B 0x69 0x5B 0x52 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x6C 0x47 0x38 0x5A ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xC2 0x9A 0xD1 0xEA ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5B 0x69 0x5B 0x52 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x6C 0x47 0x38 0x5A ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xC2 0x9A 0xD1 0xEA ... ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 MBR read error Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0 ---- EOF - GMER 1.0.15 ----