Pierre94
Posted June 2, 2012

Folks! I have that double-accent problem, e.g. caminh~~ao. From what I've read, it must be a keylogger, right? Please help me remove it!

NOTE: I use Windows 7. My antivirus is Avast; I've already run several scans and found several infections, but the problem persists. So here are the HijackThis and GMER logs. HijackThis first:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:07:00, on 02/06/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\System32\osk.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Users\Mauro\Downloads\HijackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [uCam_Menu] "MUITransfer\MUIStartMenu.exe" "" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO DE REDE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO DE REDE')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{76041842-E583-4341-A13C-CFE507746F29}: NameServer = 200.222.123.102 200.165.132.155
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Serviço do Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 8596 bytes

Now GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-02 13:43:57
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 Hitachi_HTS542525K9SA00 rev.BBFOC32P
Running: gmer.exe; Driver: C:\Users\Mauro\AppData\Local\Temp\ugloypob.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8DC3DDF8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8D72AA5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8DC3E85E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8DC432E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8DC43330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8DC43422]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8DC43252]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8DC43374]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8DC4329A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8DC433DC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8DC3DE44]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8D72AB34]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8DC3DAD6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8DC3DE90]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8DC40D1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8DC3EB02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8DC4330E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8DC43352]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8DC43446]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8DC43278]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8DC433AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8DC432C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8DC43400]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8D72ACA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8DC3E9CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8DC3DEDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8DC3DF28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8DC3DB46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8DC3DCEA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8DC3DC92]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8DC3DD5A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8D72AD60]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8DC3DF74]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8D72ABE0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8D740D92]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A5D3C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A96D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82A9DD80 4 Bytes [F8, DD, C3, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82A9DDA8 4 Bytes [5A, AA, 72, 8D] {POP EDX; STOSB ; JB 0xffffffffffffff91}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82A9DE08 4 Bytes [5E, E8, C3, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82A9DE5C 8 Bytes [E4, 32, C4, 8D, 30, 33, C4, ...] {IN AL, 0x32; LES ECX, DWORD [EBP-0x723bccd0]}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82A9DE68 4 Bytes [22, 34, C4, 8D]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C2AC64 5 Bytes JMP 8D73DC8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82C43290 5 Bytes JMP 8D73F764 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82C583D7 4 Bytes CALL 8DC3F1B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82C721E0 4 Bytes CALL 8DC3F1CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82CFC11A 7 Bytes JMP 8D740D96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F826360, 0x35B0A2, 0xE8000020]
.text ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes [EB, 01, C3, E9, 4C, 53, 93, ...] {JMP 0x3; RET ; JMP 0xffffffff94935354}
.text ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes [EB, 01, C3, E9, 80, EF, 93, ...] {JMP 0x3; RET ; JMP 0xffffffff9493ef88}
.text ntdll.dll!NtResumeThread 777664A8 8 Bytes [EB, 01, C3, E9, AC, FD, 94, ...] {JMP 0x3; RET ; JMP 0xffffffff9494fdb4}
.text ntdll.dll!NtSetInformationFile 77766638 8 Bytes [EB, 01, C3, E9, 76, 43, 93, ...] {JMP 0x3; RET ; JMP 0xffffffff9493437e}
.text ntdll.dll!NtVdmControl 777669C8 8 Bytes [EB, 01, C3, E9, 06, E6, 93, ...] {JMP 0x3; RET ; JMP 0xffffffff9493e60e}
.text ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes [E9, 89, 3B, 9E, 88] {JMP 0xffffffff889e3b8e}
.text ntdll.dll!LdrLoadDll 7778223E 5 Bytes [E9, B5, DF, 9D, 88] {JMP 0xffffffff889ddfba}

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69
.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D
.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259
.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3
.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3
.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[1500] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1500] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00090A08
.text C:\Windows\System32\spoolsv.exe[1500] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 000903FC
.text C:\Windows\System32\spoolsv.exe[1500] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00090804
.text C:\Windows\System32\spoolsv.exe[1500] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 000901F8
.text C:\Windows\System32\spoolsv.exe[1500] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C
.text C:\Windows\System32\spoolsv.exe[1500] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00090600
.text C:\Windows\System32\spoolsv.exe[1500] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20
.text C:\Windows\System32\spoolsv.exe[1500] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A
.text C:\Windows\System32\spoolsv.exe[1500] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF
.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C
.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19
.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4
.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409
.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84
.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319
.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523
.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48
.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF
.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA
.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C
.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69
.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D
.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259
.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3
.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3
.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1536] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1536] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00110A08
.text C:\Windows\system32\svchost.exe[1536] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001103FC
.text C:\Windows\system32\svchost.exe[1536] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00110804
.text C:\Windows\system32\svchost.exe[1536] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001101F8
.text C:\Windows\system32\svchost.exe[1536] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C
.text C:\Windows\system32\svchost.exe[1536] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00110600
.text C:\Windows\system32\svchost.exe[1536] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20
.text C:\Windows\system32\svchost.exe[1536] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A
.text C:\Windows\system32\svchost.exe[1536] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF
.text C:\Windows\system32\svchost.exe[1536] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C
.text C:\Windows\system32\svchost.exe[1536] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19
.text C:\Windows\system32\svchost.exe[1536] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4
.text C:\Windows\system32\svchost.exe[1536] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409
.text C:\Windows\system32\svchost.exe[1536] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84
.text C:\Windows\system32\svchost.exe[1536] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319
.text C:\Windows\system32\svchost.exe[1536] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523
.text C:\Windows\system32\svchost.exe[1536] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48
.text C:\Windows\system32\svchost.exe[1536] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF
.text C:\Windows\system32\svchost.exe[1536] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA
.text C:\Windows\system32\svchost.exe[1536] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000703FC
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000701F8
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001003FC
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00100804
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001001F8
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00100600
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C
.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69
.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D
.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259
.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3
.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3
.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1760] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1760] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 001E0A08
.text C:\Windows\system32\svchost.exe[1760] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001E03FC
.text C:\Windows\system32\svchost.exe[1760] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 001E0804
.text C:\Windows\system32\svchost.exe[1760] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001E01F8
.text C:\Windows\system32\svchost.exe[1760] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C
.text C:\Windows\system32\svchost.exe[1760] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 001E0600
.text C:\Windows\system32\svchost.exe[1760] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20
.text C:\Windows\system32\svchost.exe[1760] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A
.text C:\Windows\system32\svchost.exe[1760] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF
.text C:\Windows\system32\svchost.exe[1760] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C
.text C:\Windows\system32\svchost.exe[1760] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19
.text C:\Windows\system32\svchost.exe[1760] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4
.text C:\Windows\system32\svchost.exe[1760] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409
.text C:\Windows\system32\svchost.exe[1760] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84
.text C:\Windows\system32\svchost.exe[1760] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319
.text C:\Windows\system32\svchost.exe[1760] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523
.text C:\Windows\system32\svchost.exe[1760] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48
.text C:\Windows\system32\svchost.exe[1760] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF
.text C:\Windows\system32\svchost.exe[1760] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA
.text C:\Windows\system32\svchost.exe[1760] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20
.text C:\Windows\system32\svchost.exe[1844] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\svchost.exe[1844] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\svchost.exe[1844] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\svchost.exe[1844] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\svchost.exe[1844] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C
.text C:\Windows\system32\svchost.exe[1844] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 001F0600
.text C:\Windows\system32\svchost.exe[1844] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF
.text C:\Windows\system32\svchost.exe[1844] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A
.text C:\Windows\system32\svchost.exe[1844] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C
.text C:\Windows\system32\svchost.exe[1844] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19
.text C:\Windows\system32\svchost.exe[1844] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4
.text C:\Windows\system32\svchost.exe[1844] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409
.text C:\Windows\system32\svchost.exe[1844] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84
.text C:\Windows\system32\svchost.exe[1844] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319
.text C:\Windows\system32\svchost.exe[1844] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523
.text C:\Windows\system32\svchost.exe[1844] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48
.text C:\Windows\system32\svchost.exe[1844] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF
.text C:\Windows\system32\svchost.exe[1844] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA
.text C:\Windows\system32\svchost.exe[1844] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001003FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00100804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001001F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00100600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C
.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69
.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D
.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259
.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3
.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3
.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 
000501F8 .text C:\Windows\system32\taskhost.exe[2112] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62] .text C:\Windows\system32\taskhost.exe[2112] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00070A08 .text C:\Windows\system32\taskhost.exe[2112] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 000703FC .text C:\Windows\system32\taskhost.exe[2112] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00070804 .text C:\Windows\system32\taskhost.exe[2112] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 000701F8 .text C:\Windows\system32\taskhost.exe[2112] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C .text C:\Windows\system32\taskhost.exe[2112] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00070600 .text C:\Windows\system32\taskhost.exe[2112] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20 .text C:\Windows\system32\taskhost.exe[2112] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF .text C:\Windows\system32\taskhost.exe[2112] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A .text C:\Windows\system32\taskhost.exe[2112] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C .text C:\Windows\system32\taskhost.exe[2112] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19 .text C:\Windows\system32\taskhost.exe[2112] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4 .text C:\Windows\system32\taskhost.exe[2112] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409 .text C:\Windows\system32\taskhost.exe[2112] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84 .text C:\Windows\system32\taskhost.exe[2112] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319 .text C:\Windows\system32\taskhost.exe[2112] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523 .text C:\Windows\system32\taskhost.exe[2112] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48 .text C:\Windows\system32\taskhost.exe[2112] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF .text 
C:\Windows\system32\taskhost.exe[2112] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA .text C:\Windows\system32\taskhost.exe[2112] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C .text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69 .text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D .text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259 .text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3 .text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3 .text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\Dwm.exe[2184] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62] .text C:\Windows\system32\Dwm.exe[2184] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00080A08 .text C:\Windows\system32\Dwm.exe[2184] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 000803FC .text C:\Windows\system32\Dwm.exe[2184] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00080804 .text C:\Windows\system32\Dwm.exe[2184] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 000801F8 .text C:\Windows\system32\Dwm.exe[2184] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C .text C:\Windows\system32\Dwm.exe[2184] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00080600 .text C:\Windows\system32\Dwm.exe[2184] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20 .text C:\Windows\system32\Dwm.exe[2184] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF .text C:\Windows\system32\Dwm.exe[2184] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A .text C:\Windows\system32\Dwm.exe[2184] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C .text C:\Windows\system32\Dwm.exe[2184] 
WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19 .text C:\Windows\system32\Dwm.exe[2184] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4 .text C:\Windows\system32\Dwm.exe[2184] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409 .text C:\Windows\system32\Dwm.exe[2184] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84 .text C:\Windows\system32\Dwm.exe[2184] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319 .text C:\Windows\system32\Dwm.exe[2184] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523 .text C:\Windows\system32\Dwm.exe[2184] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48 .text C:\Windows\system32\Dwm.exe[2184] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF .text C:\Windows\system32\Dwm.exe[2184] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA .text C:\Windows\system32\Dwm.exe[2184] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C .text C:\Windows\Explorer.EXE[2212] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0C09AC69 .text C:\Windows\Explorer.EXE[2212] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C0A4F1D .text C:\Windows\Explorer.EXE[2212] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C0B6259 .text C:\Windows\Explorer.EXE[2212] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0C09A9B3 .text C:\Windows\Explorer.EXE[2212] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C0A4FD3 .text C:\Windows\Explorer.EXE[2212] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC .text C:\Windows\Explorer.EXE[2212] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8 .text C:\Windows\Explorer.EXE[2212] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62] .text C:\Windows\Explorer.EXE[2212] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C0ADA20 .text C:\Windows\Explorer.EXE[2212] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 001A0A08 .text C:\Windows\Explorer.EXE[2212] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001A03FC .text 
C:\Windows\Explorer.EXE[2212] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 001A0804 .text C:\Windows\Explorer.EXE[2212] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001A01F8 .text C:\Windows\Explorer.EXE[2212] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0C09C47C .text C:\Windows\Explorer.EXE[2212] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 001A0600 .text C:\Windows\Explorer.EXE[2212] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C0A0AFF .text C:\Windows\Explorer.EXE[2212] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C0AAA19 .text C:\Windows\Explorer.EXE[2212] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C0B2D48 .text C:\Windows\Explorer.EXE[2212] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C0B2BEA .text C:\Windows\Explorer.EXE[2212] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C0B2A8C .text C:\Windows\Explorer.EXE[2212] WS2_32.dll!send 76056F01 8 Bytes JMP 0C0AE35A .text C:\Windows\system32\svchost.exe[2392] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69 .text C:\Windows\system32\svchost.exe[2392] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D .text C:\Windows\system32\svchost.exe[2392] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259 .text C:\Windows\system32\svchost.exe[2392] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3 .text C:\Windows\system32\svchost.exe[2392] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3 .text C:\Windows\system32\svchost.exe[2392] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\svchost.exe[2392] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\svchost.exe[2392] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[2392] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20 .text C:\Windows\system32\svchost.exe[2392] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00210A08 .text C:\Windows\system32\svchost.exe[2392] 
USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 002103FC .text C:\Windows\system32\svchost.exe[2392] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00210804 .text C:\Windows\system32\svchost.exe[2392] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 002101F8 .text C:\Windows\system32\svchost.exe[2392] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C .text C:\Windows\system32\svchost.exe[2392] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00210600 .text C:\Windows\system32\svchost.exe[2392] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A .text C:\Windows\system32\svchost.exe[2392] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF .text C:\Windows\system32\svchost.exe[2392] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C .text C:\Windows\system32\svchost.exe[2392] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19 .text C:\Windows\system32\svchost.exe[2392] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4 .text C:\Windows\system32\svchost.exe[2392] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409 .text C:\Windows\system32\svchost.exe[2392] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84 .text C:\Windows\system32\svchost.exe[2392] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319 .text C:\Windows\system32\svchost.exe[2392] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523 .text C:\Windows\system32\svchost.exe[2392] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48 .text C:\Windows\system32\svchost.exe[2392] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF .text C:\Windows\system32\svchost.exe[2392] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA .text C:\Windows\system32\svchost.exe[2392] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C .text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69 .text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!NtQueryDirectoryFile 
77765F98 8 Bytes JMP 0C004F1D .text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259 .text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3 .text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3 .text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000703FC .text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000701F8 .text C:\Windows\System32\rundll32.exe[2684] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62] .text C:\Windows\System32\rundll32.exe[2684] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00100A08 .text C:\Windows\System32\rundll32.exe[2684] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001003FC .text C:\Windows\System32\rundll32.exe[2684] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00100804 .text C:\Windows\System32\rundll32.exe[2684] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001001F8 .text C:\Windows\System32\rundll32.exe[2684] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C .text C:\Windows\System32\rundll32.exe[2684] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00100600 .text C:\Windows\System32\rundll32.exe[2684] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20 .text C:\Windows\System32\rundll32.exe[2684] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF .text C:\Windows\System32\rundll32.exe[2684] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A .text C:\Windows\System32\rundll32.exe[2684] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C .text C:\Windows\System32\rundll32.exe[2684] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19 .text C:\Windows\System32\rundll32.exe[2684] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4 .text C:\Windows\System32\rundll32.exe[2684] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409 .text 
C:\Windows\System32\rundll32.exe[2684] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84 .text C:\Windows\System32\rundll32.exe[2684] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319 .text C:\Windows\System32\rundll32.exe[2684] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523 .text C:\Windows\System32\rundll32.exe[2684] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48 .text C:\Windows\System32\rundll32.exe[2684] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF .text C:\Windows\System32\rundll32.exe[2684] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA .text C:\Windows\System32\rundll32.exe[2684] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C .text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69 .text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D .text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259 .text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3 .text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3 .text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000703FC .text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000701F8 .text C:\Windows\System32\rundll32.exe[2848] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62] .text C:\Windows\System32\rundll32.exe[2848] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00110A08 .text C:\Windows\System32\rundll32.exe[2848] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001103FC .text C:\Windows\System32\rundll32.exe[2848] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00110804 .text C:\Windows\System32\rundll32.exe[2848] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001101F8 .text 
C:\Windows\System32\rundll32.exe[2848] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C .text C:\Windows\System32\rundll32.exe[2848] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00110600 .text C:\Windows\System32\rundll32.exe[2848] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20 .text C:\Windows\System32\rundll32.exe[2848] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF .text C:\Windows\System32\rundll32.exe[2848] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A .text C:\Windows\System32\rundll32.exe[2848] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C .text C:\Windows\System32\rundll32.exe[2848] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19 .text C:\Windows\System32\rundll32.exe[2848] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4 .text C:\Windows\System32\rundll32.exe[2848] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409 .text C:\Windows\System32\rundll32.exe[2848] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84 .text C:\Windows\System32\rundll32.exe[2848] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319 .text C:\Windows\System32\rundll32.exe[2848] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523 .text C:\Windows\System32\rundll32.exe[2848] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48 .text C:\Windows\System32\rundll32.exe[2848] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF .text C:\Windows\System32\rundll32.exe[2848] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA .text C:\Windows\System32\rundll32.exe[2848] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C .text C:\Windows\System32\rundll32.exe[2868] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69 .text C:\Windows\System32\rundll32.exe[2868] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D .text C:\Windows\System32\rundll32.exe[2868] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259 .text 
C:\Windows\System32\rundll32.exe[2868] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3 .text C:\Windows\System32\rundll32.exe[2868] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3 .text C:\Windows\System32\rundll32.exe[2868] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000703FC .text C:\Windows\System32\rundll32.exe[2868] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000701F8 .text C:\Windows\System32\rundll32.exe[2868] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62] .text C:\Windows\System32\rundll32.exe[2868] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00140A08 .text C:\Windows\System32\rundll32.exe[2868] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001403FC .text C:\Windows\System32\rundll32.exe[2868] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00140804 .text C:\Windows\System32\rundll32.exe[2868] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001401F8 .text C:\Windows\System32\rundll32.exe[2868] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C .text C:\Windows\System32\rundll32.exe[2868] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00140600 .text C:\Windows\System32\rundll32.exe[2868] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20 .text C:\Windows\System32\rundll32.exe[2868] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A .text C:\Windows\System32\rundll32.exe[2868] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF .text C:\Windows\System32\rundll32.exe[2868] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C .text C:\Windows\System32\rundll32.exe[2868] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19 .text C:\Windows\System32\rundll32.exe[2868] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4 .text C:\Windows\System32\rundll32.exe[2868] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409 .text C:\Windows\System32\rundll32.exe[2868] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84 .text C:\Windows\System32\rundll32.exe[2868] 
WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319 .text C:\Windows\System32\rundll32.exe[2868] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523 .text C:\Windows\System32\rundll32.exe[2868] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48 .text C:\Windows\System32\rundll32.exe[2868] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF .text C:\Windows\System32\rundll32.exe[2868] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA .text C:\Windows\System32\rundll32.exe[2868] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 001703FC .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 001701F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00210A08 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 002103FC 
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00210804 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 002101F8 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00210600 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C .text C:\Program 
Files\Common Files\Java\Java Update\jusched.exe[2900] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2960] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62] .text C:\Windows\system32\AUDIODG.EXE[2996] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69 .text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D .text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259 .text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3 .text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3 .text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC .text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8 .text C:\Windows\system32\SearchIndexer.exe[3188] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[3188] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20 .text C:\Windows\system32\SearchIndexer.exe[3188] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00100A08 .text C:\Windows\system32\SearchIndexer.exe[3188] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001003FC .text C:\Windows\system32\SearchIndexer.exe[3188] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00100804 .text C:\Windows\system32\SearchIndexer.exe[3188] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001001F8 .text C:\Windows\system32\SearchIndexer.exe[3188] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C .text C:\Windows\system32\SearchIndexer.exe[3188] 
USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00100600 .text C:\Windows\system32\SearchIndexer.exe[3188] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF .text C:\Windows\system32\SearchIndexer.exe[3188] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A .text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C .text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19 .text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4 .text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409 .text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84 .text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319 .text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523 .text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48 .text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF .text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA .text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C .text C:\Windows\System32\svchost.exe[3352] ntdll.dll!NtClose 777654C8 5 Bytes JMP 001603B2 .text C:\Windows\System32\svchost.exe[3352] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC .text C:\Windows\System32\svchost.exe[3352] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8 .text C:\Windows\System32\svchost.exe[3352] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69 
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00100A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001003FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00100804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001001F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00100600 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] 
WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C
.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0C09AC69
.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C0A4F1D
.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C0B6259
.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0C09A9B3
.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C0A4FD3
.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\NOTEPAD.EXE[3816] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]
.text C:\Windows\system32\NOTEPAD.EXE[3816] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C0ADA20
.text C:\Windows\system32\NOTEPAD.EXE[3816] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00140A08
.text C:\Windows\system32\NOTEPAD.EXE[3816] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001403FC
.text C:\Windows\system32\NOTEPAD.EXE[3816] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00140804
.text C:\Windows\system32\NOTEPAD.EXE[3816] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001401F8
.text C:\Windows\system32\NOTEPAD.EXE[3816] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0C09C47C
.text C:\Windows\system32\NOTEPAD.EXE[3816] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00140600
.text C:\Windows\system32\NOTEPAD.EXE[3816] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C0A0AFF
.text C:\Windows\system32\NOTEPAD.EXE[3816] WS2_32.dll!send 76056F01 8 Bytes JMP 0C0AE35A
.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C0AE37C
.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C0AAA19
.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C0AA4C4
.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C0B1409
.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0C09CA84
.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C0B1319
.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C0B1523
.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C0B2D48
.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C0AA3AF
.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C0B2BEA
.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C0B2A8C
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0C09AC69
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C0A4F1D
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C0B6259
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0C09A9B3
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C0A4FD3
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 001603FC
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 001601F8
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C0A0AFF
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WS2_32.dll!send 76056F01 8 Bytes JMP 0C0AE35A
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C0AE37C
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C0AAA19
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C0AA4C4
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C0B1409
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0C09CA84
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C0B1319
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C0B1523
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C0B2D48
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C0AA3AF
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C0B2BEA
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C0B2A8C
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00320A08
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 003203FC
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00320804
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 003201F8
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0C09C47C
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00320600
.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C0ADA20
.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69
.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D
.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259
.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3
.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3
.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[4884] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[4884] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20
.text C:\Windows\System32\svchost.exe[4884] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00270A08
.text C:\Windows\System32\svchost.exe[4884] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 002703FC
.text C:\Windows\System32\svchost.exe[4884] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00270804
.text C:\Windows\System32\svchost.exe[4884] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 002701F8
.text C:\Windows\System32\svchost.exe[4884] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C
.text C:\Windows\System32\svchost.exe[4884] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00270600
.text C:\Windows\System32\svchost.exe[4884] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF
.text C:\Windows\System32\svchost.exe[4884] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A
.text C:\Windows\System32\svchost.exe[4884] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C
.text C:\Windows\System32\svchost.exe[4884] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19
.text C:\Windows\System32\svchost.exe[4884] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4
.text C:\Windows\System32\svchost.exe[4884] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409
.text C:\Windows\System32\svchost.exe[4884] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84
.text C:\Windows\System32\svchost.exe[4884] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319
.text C:\Windows\System32\svchost.exe[4884] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523
.text C:\Windows\System32\svchost.exe[4884] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48
.text C:\Windows\System32\svchost.exe[4884] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF
.text C:\Windows\System32\svchost.exe[4884] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA
.text C:\Windows\System32\svchost.exe[4884] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2848] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2848] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2848] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2848] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2848] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2848] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2868] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2868] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2868] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2868] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2960] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71BFF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 2732
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@YI9B2F0F2EXHWC2I C:\systemhost\24FC2AE34DD.exe

---- Files - GMER 1.0.15 ----

File C:\systemhost 0 bytes
File C:\systemhost\00B32D30F47CBC7 65475 bytes
File C:\systemhost\24FC2AE34DD.exe 292352 bytes executable

---- EOF - GMER 1.0.15 ----
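The "User code sections" part of the log above is the part worth reading closely: every listed process (wmpnetwk.exe, NOTEPAD.EXE, gmer.exe, svchost.exe) carries the same set of 8-byte inline JMP hooks on TranslateMessage, WS2_32 send, the WININET HttpSendRequest family, CryptEncrypt, PFXImportCertStore, and the ntdll directory/registry enumeration routines, and the Registry and Files sections show a Run value pointing at C:\systemhost\24FC2AE34DD.exe. The script below is an added example written for this thread; it is not GMER's code and not something the poster ran. It parses those entry formats, groups hooked APIs per process, names what each hook set gives an attacker, checks whether the JMP targets in different processes share the same low 16 bits (Windows allocates with 64 KiB granularity, so one injected image mapped at different bases keeps those bits constant), and lists Run entries whose command lives outside the usual install directories. The CAPABILITIES grouping and the USUAL_INSTALL_PREFIXES list are the editor's triage assumptions, not anything GMER emits; the sample input is a subset of lines copied from the log above.

```python
"""Triage helper for GMER 'User code sections' and 'Registry' entries.
Added example for this thread; not part of GMER or of the original post."""
import re
from collections import defaultdict

# One "User code sections" entry:
#   .text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>
# The image path may contain spaces but never '[' or '!', which stops the match
# from spilling into the next entry when the log has been flattened to one line.
HOOK_RE = re.compile(
    r"\.text\s+(?P<image>[^\[\]!]+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})"
)

# One "Registry" autorun entry:  Reg HKxx\...\Run@<value name> <command>
RUN_RE = re.compile(
    r"Reg\s+(?P<key>HK\w+\\[^@\s]+\\Run)@(?P<name>\S+)\s+(?P<cmd>.+?\.exe)", re.I
)

# What a hook on each API buys an attacker. Editor's classification for triage.
CAPABILITIES = {
    "keystroke capture": {"USER32.dll!TranslateMessage"},
    "HTTP(S) interception": {
        "WININET.dll!HttpSendRequestA", "WININET.dll!HttpSendRequestW",
        "WININET.dll!InternetWriteFile", "WININET.dll!InternetReadFile", "WS2_32.dll!send",
    },
    "crypto/cert tampering": {"ADVAPI32.dll!CryptEncrypt", "CRYPT32.dll!PFXImportCertStore"},
    "file/registry hiding": {"ntdll.dll!NtQueryDirectoryFile", "ntdll.dll!NtEnumerateValueKey"},
    "DLL-load control": {"ntdll.dll!LdrLoadDll", "ntdll.dll!LdrUnloadDll"},
}

# First-pass filter only (editor's assumption): a Run entry under these prefixes
# is not thereby trusted, it just is not flagged by this check.
USUAL_INSTALL_PREFIXES = ("c:\\windows\\", "c:\\program files")


def parse_hooks(text):
    """One dict per inline-hook entry; non-JMP entries such as '1 Byte [62]' are skipped."""
    hooks = []
    for m in HOOK_RE.finditer(text):
        h = m.groupdict()
        h["pid"], h["size"] = int(h["pid"]), int(h["size"])
        h["addr"], h["target"] = int(h["addr"], 16), int(h["target"], 16)
        h["api"] = f"{h['module']}!{h['export']}"
        hooks.append(h)
    return hooks


def by_process(hooks):
    """Map (image path, pid) -> set of hooked APIs."""
    procs = defaultdict(set)
    for h in hooks:
        procs[(h["image"], h["pid"])].add(h["api"])
    return dict(procs)


def capabilities(apis):
    """Sorted capability names implied by a process's hooked-API set."""
    return sorted(name for name, members in CAPABILITIES.items() if apis & members)


def shared_payload(hooks):
    """For each API hooked in more than one process: True when every JMP target has
    the same low 16 bits, i.e. the hooks point into one image mapped at 64 KiB-aligned
    bases that differ per process."""
    offsets, pids = defaultdict(set), defaultdict(set)
    for h in hooks:
        offsets[h["api"]].add(h["target"] & 0xFFFF)
        pids[h["api"]].add(h["pid"])
    return {api: len(offsets[api]) == 1 for api in offsets if len(pids[api]) > 1}


def suspicious_run_entries(text):
    """(value name, command) for Run entries outside the usual install directories."""
    return [(m["name"], m["cmd"]) for m in RUN_RE.finditer(text)
            if not m["cmd"].lower().startswith(USUAL_INSTALL_PREFIXES)]


# Sample input: a subset of lines copied from the GMER log in this thread.
SAMPLE = r"""
.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0C09AC69
.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C0A4F1D
.text C:\Windows\system32\NOTEPAD.EXE[3816] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]
.text C:\Windows\system32\NOTEPAD.EXE[3816] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C0ADA20
.text C:\Windows\system32\NOTEPAD.EXE[3816] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0C09C47C
.text C:\Windows\system32\NOTEPAD.EXE[3816] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C0A0AFF
.text C:\Windows\system32\NOTEPAD.EXE[3816] WS2_32.dll!send 76056F01 8 Bytes JMP 0C0AE35A
.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C0B2A8C
.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69
.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D
.text C:\Windows\System32\svchost.exe[4884] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20
.text C:\Windows\System32\svchost.exe[4884] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C
.text C:\Windows\System32\svchost.exe[4884] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A
.text C:\Windows\System32\svchost.exe[4884] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@YI9B2F0F2EXHWC2I C:\systemhost\24FC2AE34DD.exe
"""

if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE)
    for (image, pid), apis in by_process(hooks).items():
        print(f"{image}[{pid}]: {len(apis)} hooks -> {', '.join(capabilities(apis))}")
    print("same injected image across processes:", shared_payload(hooks))
    print("suspicious Run entries:", suspicious_run_entries(SAMPLE))
```

Run against the full log, the script reports the same four capabilities for NOTEPAD.EXE, gmer.exe and svchost.exe and a single Run entry outside the usual directories; the 5-byte JMPs to low addresses (00140000, 00320000, 00270000 ranges) on the SetWindowsHookEx/UnhookWinEvent family are parsed but left unclassified, since nothing in the log says what placed them. A GMER listing is a snapshot of what is hooked, not an attribution, so the output is a triage ordering for what to collect next (the files under C:\systemhost, the Run value), not a verdict.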
wings 22 Report post Posted June 2, 2012
Hello Pierre94
*Install MalwareBytes
*Wait for the update to finish; the program will open automatically
*Select [Full Scan]
*Click [Scan] and select the partition where Windows is installed ( C:\ )
*Click [Scan]
*When it finishes, click [OK] > [Show Results] > [Remove Selected]
*Paste the report it shows
wings 22 Report post Posted June 12, 2012
Topic Archived
Since the author did not reply for more than 10 days, the topic has been archived. If you are the author of the topic and want to reopen it, send a private message to a moderator of this area with the link to this topic and explain the reason for reopening it.