Ir para conteúdo

POWERED BY:

Arquivado

Este tópico foi arquivado e está fechado para novas respostas.

Pierre94

[Arquivado] Virus do acento duplo ~~ ^^

Recommended Posts

Pessoal!

Estou com aquele problema do acento duplo, ex: caminh~~ao.

Pelo que eu li, deve ser um keylogger, certo?

Me ajudem a remove-lo, por favor!

OBS: eu uso Windows 7. Meu antivirus e'' o Avast, j''a fiz varios scans e achei varias infeccoes, mas o problema persiste.

Por isso aqui vao os logs do Hijackthis e do GMER:

 

Hijackthis primeiro:

 

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 14:07:00, on 02/06/2012

Platform: Windows 7 SP1 (WinNT 6.00.3505)

MSIE: Internet Explorer v9.00 (9.00.8112.16421)

Boot mode: Normal

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\taskhost.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Windows\system32\rundll32.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Windows\System32\osk.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

C:\Users\Mauro\Downloads\HijackThis.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office14\GROOVEEX.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~4\Office14\URLREDIR.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [bCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [uCam_Menu] "MUITransfer\MUIStartMenu.exe" "" update "Software\CyberLink\YouCam\1.0"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'SERVIÇO DE REDE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'SERVIÇO DE REDE')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000

O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll

O9 - Extra button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{76041842-E583-4341-A13C-CFE507746F29}: NameServer = 200.222.123.102 200.165.132.155

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Serviço do Google Update (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

 

--

End of file - 8596 bytes

 

 

Agora o GMER:

 

 

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-06-02 13:43:57

Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 Hitachi_HTS542525K9SA00 rev.BBFOC32P

Running: gmer.exe; Driver: C:\Users\Mauro\AppData\Local\Temp\ugloypob.sys

 

 

---- System - GMER 1.0.15 ----

 

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8DC3DDF8]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8D72AA5A]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8DC3E85E]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8DC432E4]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8DC43330]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8DC43422]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8DC43252]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8DC43374]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8DC4329A]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8DC433DC]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8DC3DE44]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8D72AB34]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8DC3DAD6]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8DC3DE90]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8DC40D1C]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8DC3EB02]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8DC4330E]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8DC43352]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8DC43446]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8DC43278]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8DC433AE]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8DC432C2]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8DC43400]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8D72ACA0]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8DC3E9CE]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8DC3DEDC]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8DC3DF28]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8DC3DB46]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8DC3DCEA]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8DC3DC92]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8DC3DD5A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8D72AD60]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8DC3DF74]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8D72ABE0]

 

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8D740D92]

 

---- Kernel code sections - GMER 1.0.15 ----

 

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A5D3C9 1 Byte [06]

.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A96D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82A9DD80 4 Bytes [F8, DD, C3, 8D]

.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82A9DDA8 4 Bytes [5A, AA, 72, 8D] {POP EDX; STOSB ; JB 0xffffffffffffff91}

.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82A9DE08 4 Bytes [5E, E8, C3, 8D]

.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82A9DE5C 8 Bytes [E4, 32, C4, 8D, 30, 33, C4, ...] {IN AL, 0x32; LES ECX, DWORD [EBP-0x723bccd0]}

.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82A9DE68 4 Bytes [22, 34, C4, 8D]

.text ...

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C2AC64 5 Bytes JMP 8D73DC8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ObInsertObject + 27 82C43290 5 Bytes JMP 8D73F764 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82C583D7 4 Bytes CALL 8DC3F1B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82C721E0 4 Bytes CALL 8DC3F1CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 82CFC11A 7 Bytes JMP 8D740D96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F826360, 0x35B0A2, 0xE8000020]

.text ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes [EB, 01, C3, E9, 4C, 53, 93, ...] {JMP 0x3; RET ; JMP 0xffffffff94935354}

.text ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes [EB, 01, C3, E9, 80, EF, 93, ...] {JMP 0x3; RET ; JMP 0xffffffff9493ef88}

.text ntdll.dll!NtResumeThread 777664A8 8 Bytes [EB, 01, C3, E9, AC, FD, 94, ...] {JMP 0x3; RET ; JMP 0xffffffff9494fdb4}

.text ntdll.dll!NtSetInformationFile 77766638 8 Bytes [EB, 01, C3, E9, 76, 43, 93, ...] {JMP 0x3; RET ; JMP 0xffffffff9493437e}

.text ntdll.dll!NtVdmControl 777669C8 8 Bytes [EB, 01, C3, E9, 06, E6, 93, ...] {JMP 0x3; RET ; JMP 0xffffffff9493e60e}

.text ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes [E9, 89, 3B, 9E, 88] {JMP 0xffffffff889e3b8e}

.text ntdll.dll!LdrLoadDll 7778223E 5 Bytes [E9, B5, DF, 9D, 88] {JMP 0xffffffff889ddfba}

 

---- User code sections - GMER 1.0.15 ----

 

.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC

.text C:\Windows\System32\spoolsv.exe[1500] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8

.text C:\Windows\System32\spoolsv.exe[1500] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\System32\spoolsv.exe[1500] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00090A08

.text C:\Windows\System32\spoolsv.exe[1500] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 000903FC

.text C:\Windows\System32\spoolsv.exe[1500] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00090804

.text C:\Windows\System32\spoolsv.exe[1500] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 000901F8

.text C:\Windows\System32\spoolsv.exe[1500] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Windows\System32\spoolsv.exe[1500] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00090600

.text C:\Windows\System32\spoolsv.exe[1500] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Windows\System32\spoolsv.exe[1500] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Windows\System32\spoolsv.exe[1500] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Windows\System32\spoolsv.exe[1500] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC

.text C:\Windows\system32\svchost.exe[1536] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8

.text C:\Windows\system32\svchost.exe[1536] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\system32\svchost.exe[1536] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00110A08

.text C:\Windows\system32\svchost.exe[1536] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001103FC

.text C:\Windows\system32\svchost.exe[1536] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00110804

.text C:\Windows\system32\svchost.exe[1536] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001101F8

.text C:\Windows\system32\svchost.exe[1536] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Windows\system32\svchost.exe[1536] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00110600

.text C:\Windows\system32\svchost.exe[1536] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Windows\system32\svchost.exe[1536] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Windows\system32\svchost.exe[1536] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Windows\system32\svchost.exe[1536] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Windows\system32\svchost.exe[1536] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Windows\system32\svchost.exe[1536] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Windows\system32\svchost.exe[1536] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Windows\system32\svchost.exe[1536] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Windows\system32\svchost.exe[1536] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Windows\system32\svchost.exe[1536] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Windows\system32\svchost.exe[1536] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Windows\system32\svchost.exe[1536] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Windows\system32\svchost.exe[1536] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Windows\system32\svchost.exe[1536] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000703FC

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000701F8

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00100A08

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001003FC

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00100804

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001001F8

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00100600

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC

.text C:\Windows\system32\svchost.exe[1760] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8

.text C:\Windows\system32\svchost.exe[1760] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\system32\svchost.exe[1760] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 001E0A08

.text C:\Windows\system32\svchost.exe[1760] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001E03FC

.text C:\Windows\system32\svchost.exe[1760] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 001E0804

.text C:\Windows\system32\svchost.exe[1760] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001E01F8

.text C:\Windows\system32\svchost.exe[1760] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Windows\system32\svchost.exe[1760] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 001E0600

.text C:\Windows\system32\svchost.exe[1760] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Windows\system32\svchost.exe[1760] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Windows\system32\svchost.exe[1760] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Windows\system32\svchost.exe[1760] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Windows\system32\svchost.exe[1760] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Windows\system32\svchost.exe[1760] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Windows\system32\svchost.exe[1760] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Windows\system32\svchost.exe[1760] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Windows\system32\svchost.exe[1760] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Windows\system32\svchost.exe[1760] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Windows\system32\svchost.exe[1760] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Windows\system32\svchost.exe[1760] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Windows\system32\svchost.exe[1760] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Windows\system32\svchost.exe[1760] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC

.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8

.text C:\Windows\system32\svchost.exe[1844] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\system32\svchost.exe[1844] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Windows\system32\svchost.exe[1844] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 001F0A08

.text C:\Windows\system32\svchost.exe[1844] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001F03FC

.text C:\Windows\system32\svchost.exe[1844] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 001F0804

.text C:\Windows\system32\svchost.exe[1844] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001F01F8

.text C:\Windows\system32\svchost.exe[1844] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Windows\system32\svchost.exe[1844] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 001F0600

.text C:\Windows\system32\svchost.exe[1844] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Windows\system32\svchost.exe[1844] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Windows\system32\svchost.exe[1844] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Windows\system32\svchost.exe[1844] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Windows\system32\svchost.exe[1844] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Windows\system32\svchost.exe[1844] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Windows\system32\svchost.exe[1844] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Windows\system32\svchost.exe[1844] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Windows\system32\svchost.exe[1844] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Windows\system32\svchost.exe[1844] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Windows\system32\svchost.exe[1844] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Windows\system32\svchost.exe[1844] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Windows\system32\svchost.exe[1844] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00100A08

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001003FC

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00100804

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001001F8

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00100600

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1884] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000503FC

.text C:\Windows\system32\taskhost.exe[2112] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000501F8

.text C:\Windows\system32\taskhost.exe[2112] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\system32\taskhost.exe[2112] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00070A08

.text C:\Windows\system32\taskhost.exe[2112] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 000703FC

.text C:\Windows\system32\taskhost.exe[2112] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00070804

.text C:\Windows\system32\taskhost.exe[2112] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 000701F8

.text C:\Windows\system32\taskhost.exe[2112] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Windows\system32\taskhost.exe[2112] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00070600

.text C:\Windows\system32\taskhost.exe[2112] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Windows\system32\taskhost.exe[2112] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Windows\system32\taskhost.exe[2112] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Windows\system32\taskhost.exe[2112] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Windows\system32\taskhost.exe[2112] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Windows\system32\taskhost.exe[2112] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Windows\system32\taskhost.exe[2112] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Windows\system32\taskhost.exe[2112] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Windows\system32\taskhost.exe[2112] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Windows\system32\taskhost.exe[2112] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Windows\system32\taskhost.exe[2112] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Windows\system32\taskhost.exe[2112] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Windows\system32\taskhost.exe[2112] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Windows\system32\taskhost.exe[2112] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC

.text C:\Windows\system32\Dwm.exe[2184] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8

.text C:\Windows\system32\Dwm.exe[2184] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\system32\Dwm.exe[2184] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00080A08

.text C:\Windows\system32\Dwm.exe[2184] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 000803FC

.text C:\Windows\system32\Dwm.exe[2184] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00080804

.text C:\Windows\system32\Dwm.exe[2184] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 000801F8

.text C:\Windows\system32\Dwm.exe[2184] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Windows\system32\Dwm.exe[2184] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00080600

.text C:\Windows\system32\Dwm.exe[2184] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Windows\system32\Dwm.exe[2184] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Windows\system32\Dwm.exe[2184] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Windows\system32\Dwm.exe[2184] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Windows\system32\Dwm.exe[2184] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Windows\system32\Dwm.exe[2184] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Windows\system32\Dwm.exe[2184] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Windows\system32\Dwm.exe[2184] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Windows\system32\Dwm.exe[2184] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Windows\system32\Dwm.exe[2184] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Windows\system32\Dwm.exe[2184] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Windows\system32\Dwm.exe[2184] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Windows\system32\Dwm.exe[2184] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Windows\system32\Dwm.exe[2184] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Windows\Explorer.EXE[2212] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0C09AC69

.text C:\Windows\Explorer.EXE[2212] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C0A4F1D

.text C:\Windows\Explorer.EXE[2212] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C0B6259

.text C:\Windows\Explorer.EXE[2212] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0C09A9B3

.text C:\Windows\Explorer.EXE[2212] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C0A4FD3

.text C:\Windows\Explorer.EXE[2212] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC

.text C:\Windows\Explorer.EXE[2212] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8

.text C:\Windows\Explorer.EXE[2212] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\Explorer.EXE[2212] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C0ADA20

.text C:\Windows\Explorer.EXE[2212] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 001A0A08

.text C:\Windows\Explorer.EXE[2212] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001A03FC

.text C:\Windows\Explorer.EXE[2212] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 001A0804

.text C:\Windows\Explorer.EXE[2212] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001A01F8

.text C:\Windows\Explorer.EXE[2212] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0C09C47C

.text C:\Windows\Explorer.EXE[2212] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 001A0600

.text C:\Windows\Explorer.EXE[2212] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C0A0AFF

.text C:\Windows\Explorer.EXE[2212] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C0AAA19

.text C:\Windows\Explorer.EXE[2212] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C0B2D48

.text C:\Windows\Explorer.EXE[2212] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C0B2BEA

.text C:\Windows\Explorer.EXE[2212] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C0B2A8C

.text C:\Windows\Explorer.EXE[2212] WS2_32.dll!send 76056F01 8 Bytes JMP 0C0AE35A

.text C:\Windows\system32\svchost.exe[2392] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Windows\system32\svchost.exe[2392] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Windows\system32\svchost.exe[2392] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Windows\system32\svchost.exe[2392] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Windows\system32\svchost.exe[2392] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Windows\system32\svchost.exe[2392] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC

.text C:\Windows\system32\svchost.exe[2392] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8

.text C:\Windows\system32\svchost.exe[2392] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\system32\svchost.exe[2392] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Windows\system32\svchost.exe[2392] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00210A08

.text C:\Windows\system32\svchost.exe[2392] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 002103FC

.text C:\Windows\system32\svchost.exe[2392] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00210804

.text C:\Windows\system32\svchost.exe[2392] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 002101F8

.text C:\Windows\system32\svchost.exe[2392] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Windows\system32\svchost.exe[2392] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00210600

.text C:\Windows\system32\svchost.exe[2392] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Windows\system32\svchost.exe[2392] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Windows\system32\svchost.exe[2392] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Windows\system32\svchost.exe[2392] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Windows\system32\svchost.exe[2392] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Windows\system32\svchost.exe[2392] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Windows\system32\svchost.exe[2392] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Windows\system32\svchost.exe[2392] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Windows\system32\svchost.exe[2392] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Windows\system32\svchost.exe[2392] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Windows\system32\svchost.exe[2392] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Windows\system32\svchost.exe[2392] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Windows\system32\svchost.exe[2392] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000703FC

.text C:\Windows\System32\rundll32.exe[2684] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000701F8

.text C:\Windows\System32\rundll32.exe[2684] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\System32\rundll32.exe[2684] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00100A08

.text C:\Windows\System32\rundll32.exe[2684] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001003FC

.text C:\Windows\System32\rundll32.exe[2684] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00100804

.text C:\Windows\System32\rundll32.exe[2684] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001001F8

.text C:\Windows\System32\rundll32.exe[2684] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Windows\System32\rundll32.exe[2684] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00100600

.text C:\Windows\System32\rundll32.exe[2684] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Windows\System32\rundll32.exe[2684] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Windows\System32\rundll32.exe[2684] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Windows\System32\rundll32.exe[2684] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Windows\System32\rundll32.exe[2684] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Windows\System32\rundll32.exe[2684] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Windows\System32\rundll32.exe[2684] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Windows\System32\rundll32.exe[2684] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Windows\System32\rundll32.exe[2684] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Windows\System32\rundll32.exe[2684] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Windows\System32\rundll32.exe[2684] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Windows\System32\rundll32.exe[2684] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Windows\System32\rundll32.exe[2684] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Windows\System32\rundll32.exe[2684] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000703FC

.text C:\Windows\System32\rundll32.exe[2848] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000701F8

.text C:\Windows\System32\rundll32.exe[2848] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\System32\rundll32.exe[2848] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00110A08

.text C:\Windows\System32\rundll32.exe[2848] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001103FC

.text C:\Windows\System32\rundll32.exe[2848] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00110804

.text C:\Windows\System32\rundll32.exe[2848] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001101F8

.text C:\Windows\System32\rundll32.exe[2848] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Windows\System32\rundll32.exe[2848] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00110600

.text C:\Windows\System32\rundll32.exe[2848] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Windows\System32\rundll32.exe[2848] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Windows\System32\rundll32.exe[2848] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Windows\System32\rundll32.exe[2848] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Windows\System32\rundll32.exe[2848] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Windows\System32\rundll32.exe[2848] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Windows\System32\rundll32.exe[2848] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Windows\System32\rundll32.exe[2848] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Windows\System32\rundll32.exe[2848] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Windows\System32\rundll32.exe[2848] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Windows\System32\rundll32.exe[2848] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Windows\System32\rundll32.exe[2848] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Windows\System32\rundll32.exe[2848] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Windows\System32\rundll32.exe[2848] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Windows\System32\rundll32.exe[2868] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Windows\System32\rundll32.exe[2868] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Windows\System32\rundll32.exe[2868] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Windows\System32\rundll32.exe[2868] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Windows\System32\rundll32.exe[2868] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Windows\System32\rundll32.exe[2868] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000703FC

.text C:\Windows\System32\rundll32.exe[2868] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000701F8

.text C:\Windows\System32\rundll32.exe[2868] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\System32\rundll32.exe[2868] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00140A08

.text C:\Windows\System32\rundll32.exe[2868] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001403FC

.text C:\Windows\System32\rundll32.exe[2868] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00140804

.text C:\Windows\System32\rundll32.exe[2868] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001401F8

.text C:\Windows\System32\rundll32.exe[2868] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Windows\System32\rundll32.exe[2868] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00140600

.text C:\Windows\System32\rundll32.exe[2868] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Windows\System32\rundll32.exe[2868] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Windows\System32\rundll32.exe[2868] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Windows\System32\rundll32.exe[2868] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Windows\System32\rundll32.exe[2868] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Windows\System32\rundll32.exe[2868] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Windows\System32\rundll32.exe[2868] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Windows\System32\rundll32.exe[2868] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Windows\System32\rundll32.exe[2868] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Windows\System32\rundll32.exe[2868] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Windows\System32\rundll32.exe[2868] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Windows\System32\rundll32.exe[2868] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Windows\System32\rundll32.exe[2868] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Windows\System32\rundll32.exe[2868] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 001703FC

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 001701F8

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00210A08

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 002103FC

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00210804

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 002101F8

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00210600

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2900] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2960] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\system32\AUDIODG.EXE[2996] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC

.text C:\Windows\system32\SearchIndexer.exe[3188] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8

.text C:\Windows\system32\SearchIndexer.exe[3188] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\system32\SearchIndexer.exe[3188] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Windows\system32\SearchIndexer.exe[3188] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00100A08

.text C:\Windows\system32\SearchIndexer.exe[3188] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001003FC

.text C:\Windows\system32\SearchIndexer.exe[3188] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00100804

.text C:\Windows\system32\SearchIndexer.exe[3188] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001001F8

.text C:\Windows\system32\SearchIndexer.exe[3188] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Windows\system32\SearchIndexer.exe[3188] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00100600

.text C:\Windows\system32\SearchIndexer.exe[3188] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Windows\system32\SearchIndexer.exe[3188] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Windows\system32\SearchIndexer.exe[3188] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Windows\System32\svchost.exe[3352] ntdll.dll!NtClose 777654C8 5 Bytes JMP 001603B2

.text C:\Windows\System32\svchost.exe[3352] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC

.text C:\Windows\System32\svchost.exe[3352] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8

.text C:\Windows\System32\svchost.exe[3352] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00100A08

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001003FC

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00100804

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001001F8

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00100600

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3456] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0C09AC69

.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C0A4F1D

.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C0B6259

.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0C09A9B3

.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C0A4FD3

.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000A03FC

.text C:\Windows\system32\NOTEPAD.EXE[3816] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000A01F8

.text C:\Windows\system32\NOTEPAD.EXE[3816] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\system32\NOTEPAD.EXE[3816] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C0ADA20

.text C:\Windows\system32\NOTEPAD.EXE[3816] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00140A08

.text C:\Windows\system32\NOTEPAD.EXE[3816] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 001403FC

.text C:\Windows\system32\NOTEPAD.EXE[3816] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00140804

.text C:\Windows\system32\NOTEPAD.EXE[3816] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 001401F8

.text C:\Windows\system32\NOTEPAD.EXE[3816] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0C09C47C

.text C:\Windows\system32\NOTEPAD.EXE[3816] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00140600

.text C:\Windows\system32\NOTEPAD.EXE[3816] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C0A0AFF

.text C:\Windows\system32\NOTEPAD.EXE[3816] WS2_32.dll!send 76056F01 8 Bytes JMP 0C0AE35A

.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C0AE37C

.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C0AAA19

.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C0AA4C4

.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C0B1409

.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0C09CA84

.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C0B1319

.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C0B1523

.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C0B2D48

.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C0AA3AF

.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C0B2BEA

.text C:\Windows\system32\NOTEPAD.EXE[3816] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C0B2A8C

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0C09AC69

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C0A4F1D

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C0B6259

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0C09A9B3

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C0A4FD3

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 001603FC

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 001601F8

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C0A0AFF

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WS2_32.dll!send 76056F01 8 Bytes JMP 0C0AE35A

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C0AE37C

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C0AAA19

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C0AA4C4

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C0B1409

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0C09CA84

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C0B1319

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C0B1523

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C0B2D48

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C0AA3AF

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C0B2BEA

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C0B2A8C

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00320A08

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 003203FC

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00320804

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 003201F8

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0C09C47C

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00320600

.text C:\Users\Mauro\Desktop\GMER\gmer.exe[4172] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C0ADA20

.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!NtEnumerateValueKey 77765918 8 Bytes JMP 0BFFAC69

.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!NtQueryDirectoryFile 77765F98 8 Bytes JMP 0C004F1D

.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!NtResumeThread 777664A8 8 Bytes JMP 0C016259

.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!NtSetInformationFile 77766638 8 Bytes JMP 0BFFA9B3

.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!NtVdmControl 777669C8 8 Bytes JMP 0C004FD3

.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!LdrUnloadDll 7777C86E 5 Bytes JMP 000603FC

.text C:\Windows\System32\svchost.exe[4884] ntdll.dll!LdrLoadDll 7778223E 5 Bytes JMP 000601F8

.text C:\Windows\System32\svchost.exe[4884] kernel32.dll!GetBinaryTypeW + 70 770669F4 1 Byte [62]

.text C:\Windows\System32\svchost.exe[4884] ADVAPI32.dll!CryptEncrypt 7633779B 8 Bytes JMP 0C00DA20

.text C:\Windows\System32\svchost.exe[4884] USER32.dll!UnhookWindowsHookEx 75D5ADF9 5 Bytes JMP 00270A08

.text C:\Windows\System32\svchost.exe[4884] USER32.dll!UnhookWinEvent 75D5B750 5 Bytes JMP 002703FC

.text C:\Windows\System32\svchost.exe[4884] USER32.dll!SetWindowsHookExW 75D5E30C 5 Bytes JMP 00270804

.text C:\Windows\System32\svchost.exe[4884] USER32.dll!SetWinEventHook 75D624DC 5 Bytes JMP 002701F8

.text C:\Windows\System32\svchost.exe[4884] USER32.dll!TranslateMessage 75D664C7 8 Bytes JMP 0BFFC47C

.text C:\Windows\System32\svchost.exe[4884] USER32.dll!SetWindowsHookExA 75D86D0C 5 Bytes JMP 00270600

.text C:\Windows\System32\svchost.exe[4884] CRYPT32.dll!PFXImportCertStore 75B00DDC 8 Bytes JMP 0C000AFF

.text C:\Windows\System32\svchost.exe[4884] WS2_32.dll!send 76056F01 8 Bytes JMP 0C00E35A

.text C:\Windows\System32\svchost.exe[4884] WININET.dll!InternetQueryOptionA 773B6F21 8 Bytes JMP 0C00E37C

.text C:\Windows\System32\svchost.exe[4884] WININET.dll!InternetCloseHandle 773BC704 8 Bytes JMP 0C00AA19

.text C:\Windows\System32\svchost.exe[4884] WININET.dll!HttpQueryInfoA 773BE1DA 8 Bytes JMP 0C00A4C4

.text C:\Windows\System32\svchost.exe[4884] WININET.dll!InternetReadFile 773BF978 8 Bytes JMP 0C011409

.text C:\Windows\System32\svchost.exe[4884] WININET.dll!HttpAddRequestHeadersA 773C2ADC 8 Bytes JMP 0BFFCA84

.text C:\Windows\System32\svchost.exe[4884] WININET.dll!InternetQueryDataAvailable 773C3224 8 Bytes JMP 0C011319

.text C:\Windows\System32\svchost.exe[4884] WININET.dll!InternetReadFileExA 773E89DC 8 Bytes JMP 0C011523

.text C:\Windows\System32\svchost.exe[4884] WININET.dll!InternetWriteFile 773F851E 8 Bytes JMP 0C012D48

.text C:\Windows\System32\svchost.exe[4884] WININET.dll!HttpOpenRequestA 7740B841 8 Bytes JMP 0C00A3AF

.text C:\Windows\System32\svchost.exe[4884] WININET.dll!HttpSendRequestW 7740C40D 8 Bytes JMP 0C012BEA

.text C:\Windows\System32\svchost.exe[4884] WININET.dll!HttpSendRequestA 77415172 8 Bytes JMP 0C012A8C

 

---- User IAT/EAT - GMER 1.0.15 ----

 

IAT C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2684] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2848] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2848] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2848] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2848] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2848] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2848] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2868] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2868] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2868] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2868] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2868] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Windows\System32\rundll32.exe[2868] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [7577FFF6] C:\Windows\system32\apphelp.dll (Biblioteca de cliente de compatibilidade de aplicativos/Microsoft Corporation)

IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2960] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71BFF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

 

---- Devices - GMER 1.0.15 ----

 

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

 

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

 

Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

 

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

 

---- Registry - GMER 1.0.15 ----

 

Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 2732

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@YI9B2F0F2EXHWC2I C:\systemhost\24FC2AE34DD.exe

 

---- Files - GMER 1.0.15 ----

 

File C:\systemhost 0 bytes

File C:\systemhost\00B32D30F47CBC7 65475 bytes

File C:\systemhost\24FC2AE34DD.exe 292352 bytes executable

 

---- EOF - GMER 1.0.15 ----

Compartilhar este post


Link para o post
Compartilhar em outros sites

Olá Pierre94

 

 

*Instale o MalwareBytes

 

*Aguarde a atualização e o programa será aberto automaticamente

 

*Selecione [Verificação completa]

 

aadySM2U.jpg

 

*Clique [Verificar] e selecione a partição onde o Windows está instalado ( C:\ )

 

*Clique [Verificar]

 

*Ao término, clique [OK] > [Ver Resultados] > [Remover Selecionados]

 

*Cole o relatório apresentado

Compartilhar este post


Link para o post
Compartilhar em outros sites

Tópico Arquivado

 

Como o autor não respondeu por mais de 10 dias, o tópico foi arquivado.

 

Caso você seja o autor do tópico e quer reabrir, envie uma mensagem privada para um moderador da área juntamente com o link para este tópico e explique o motivo da reabertura.

Compartilhar este post


Link para o post
Compartilhar em outros sites

×

Informação importante

Ao usar o fórum, você concorda com nossos Termos e condições.