GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-07-31 16:28:47 Windows 6.1.7600 Harddisk0\DR0 -> \Device\00000068 SAMSUNG_ rev.1AG0 Running: n148f31k.exe; Driver: C:\Users\tom\AppData\Local\Temp\uxriypow.sys ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E49579 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E6DF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text sptd.sys 8BC08001 31 Bytes [97, 21, 83, A6, 31, 22, 83, ...] .text sptd.sys 8BC08024 22 Bytes [D5, AB, EC, 82, AB, 5B, F2, ...] .text sptd.sys 8BC0803B 298 Bytes [83, 85, DD, FF, 82, A0, 5A, ...] .text sptd.sys 8BC08166 102 Bytes [E8, 82, A4, 4B, E8, 82, C9, ...] .text sptd.sys 8BC081D4 4 Bytes [F3, A5, 6A, 4D] {REP MOVSD ; PUSH 0x4d} .text ... .sptd2 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd2" section [0x8BCB29E3] ? C:\Windows\System32\Drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text USBPORT.SYS!DllUnload 91B26CA0 5 Bytes JMP 8716B1C8 .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9242E000, 0x2BE63E, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[1076] ntdll.dll!wcsncmp + 33B 76FCF580 7 Bytes JMP 63A2B52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[1076] kernel32.dll!K32GetDeviceDriverBaseNameW + 16F 76B1C0CF 7 Bytes JMP 63CDB6D2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[1076] kernel32.dll!CloseHandle + 38 76B205EF 7 Bytes JMP 63CDB6F5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[1076] GDI32.dll!GetViewportOrgEx + 21C 75CF85EB 7 Bytes JMP 63CDB653 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3784] USER32.dll!CharToOemA + 3A 769FB1DE 7 Bytes JMP 63DEC453 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3784] USER32.dll!AdjustWindowRectEx + 117 76A0660F 7 Bytes JMP 63DEC3E2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3784] USER32.dll!GetWindowInfo 76A06A82 5 Bytes JMP 63BABACC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3784] USER32.dll!MenuItemFromPoint + F 76A24B36 7 Bytes JMP 63BAC0F9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtCreateFile + 6 76FB4A16 4 Bytes [28, 00, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtCreateFile + B 76FB4A1B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtCreateKey + 6 76FB4A56 4 Bytes [68, 01, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtCreateKey + B 76FB4A5B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtCreateMutant + 6 76FB4A96 4 Bytes [68, 02, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtCreateMutant + B 76FB4A9B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtCreateSection + 6 76FB4B36 4 Bytes [A8, 02, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtCreateSection + B 76FB4B3B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtMapViewOfSection + 6 76FB5076 4 Bytes CALL 75FB677F C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtMapViewOfSection + B 76FB507B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenFile + 6 76FB5126 4 Bytes [68, 00, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenFile + B 76FB512B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenKey + 6 76FB5156 4 Bytes [A8, 01, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenKey + B 76FB515B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenKeyEx + 6 76FB5166 4 Bytes CALL 75FB686C C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenKeyEx + B 76FB516B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenMutant + 6 76FB51A6 4 Bytes [28, 02, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenMutant + B 76FB51AB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenProcess + 6 76FB51D6 1 Byte [68] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenProcess + 6 76FB51D6 4 Bytes [68, 03, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenProcess + B 76FB51DB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenProcessToken + 6 76FB51E6 1 Byte [A8] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenProcessToken + 6 76FB51E6 4 Bytes [A8, 03, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenProcessToken + B 76FB51EB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenProcessTokenEx + 6 76FB51F6 4 Bytes [68, 04, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenProcessTokenEx + B 76FB51FB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenSection + 6 76FB5216 4 Bytes CALL 75FB691D C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenSection + B 76FB521B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenThread + 6 76FB5256 1 Byte [28] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenThread + 6 76FB5256 4 Bytes [28, 03, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenThread + B 76FB525B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenThreadToken + 6 76FB5266 4 Bytes [28, 04, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenThreadToken + B 76FB526B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenThreadTokenEx + 6 76FB5276 4 Bytes [A8, 04, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtOpenThreadTokenEx + B 76FB527B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtQueryAttributesFile + 6 76FB5386 4 Bytes [A8, 00, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtQueryAttributesFile + B 76FB538B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtQueryFullAttributesFile + 6 76FB5436 4 Bytes CALL 75FB6B3B C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtQueryFullAttributesFile + B 76FB543B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtSetInformationFile + 6 76FB5A86 4 Bytes [28, 01, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtSetInformationFile + B 76FB5A8B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtSetInformationThread + 6 76FB5AE6 1 Byte [E8] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtSetInformationThread + 6 76FB5AE6 4 Bytes CALL 75FB71EE C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtSetInformationThread + B 76FB5AEB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtUnmapViewOfSection + 6 76FB5E06 4 Bytes [28, 05, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ntdll.dll!NtUnmapViewOfSection + B 76FB5E0B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] kernel32.dll!CreateProcessW 76AD202D 5 Bytes JMP 00010030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] kernel32.dll!CreateProcessA 76AD2062 5 Bytes JMP 00010070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!SelectObject 75CF61D0 5 Bytes JMP 002105F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!SetTextColor 75CF6622 5 Bytes JMP 002109F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!SetBkMode 75CF66CD 5 Bytes JMP 002108B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!DeleteObject 75CF68B4 5 Bytes JMP 002101B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!DeleteDC 75CF6A2C 5 Bytes JMP 00210170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!ExtSelectClipRgn 75CF6C72 5 Bytes JMP 002102F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!SelectClipRgn 75CF6D84 5 Bytes JMP 002105B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!GetDeviceCaps 75CF6E03 5 Bytes JMP 002103B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!SetStretchBltMode 75CF73CE 5 Bytes JMP 00210670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!GetCurrentObject 75CF777C 5 Bytes JMP 00210370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!GetTextMetricsW 75CF798F 5 Bytes JMP 00210DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!IntersectClipRect 75CF7CCA 5 Bytes JMP 002103F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!GetTextAlign 75CF7D15 5 Bytes JMP 00210D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!SetTextAlign 75CF7F92 5 Bytes JMP 002109B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!ExtTextOutW 75CF8053 5 Bytes JMP 00210930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!GetClipBox 75CF81F2 5 Bytes JMP 00210330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!MoveToEx 75CF8A16 5 Bytes JMP 00210470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!CreateDCA 75CF9975 5 Bytes JMP 002100B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!RestoreDC 75CF9A10 5 Bytes JMP 00210530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!SaveDC 75CF9AD2 5 Bytes JMP 00210570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!StretchDIBits 75CFAC38 5 Bytes JMP 00210730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!GetTextFaceW 75CFB4CC 5 Bytes JMP 00210CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!GetTextExtentPoint32W 75CFB535 5 Bytes JMP 00210630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!GetFontData 75CFB8E8 5 Bytes JMP 00210C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!CreateDCW 75CFBD21 5 Bytes JMP 002100F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!CreateICW 75CFC660 5 Bytes JMP 00210130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!LineTo 75CFCA20 5 Bytes JMP 00210430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!SetWorldTransform 75CFCB42 5 Bytes JMP 002106B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!GetTextMetricsA 75CFCE46 5 Bytes JMP 00210DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!Rectangle 75CFF5BE 5 Bytes JMP 00210970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!SetICMMode 75CFF8D4 5 Bytes JMP 00210D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!ExtTextOutA 75D00158 5 Bytes JMP 002108F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!Escape 75D00B0D 5 Bytes JMP 00210270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!ExtEscape 75D03472 5 Bytes JMP 002102B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!GetTextFaceA 75D03E49 5 Bytes JMP 00210CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!SetPolyFillMode 75D06CE1 5 Bytes JMP 00210AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!SetMiterLimit 75D06E54 5 Bytes JMP 00210B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!ResetDCW 75D1031C 5 Bytes JMP 00210A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!EndPage 75D107CD 5 Bytes JMP 00210230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!GetGlyphOutlineW 75D1C292 5 Bytes JMP 00210C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!CreateScalableFontResourceW 75D1E8EF 5 Bytes JMP 00210B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!AddFontResourceW 75D1ECEB 5 Bytes JMP 00210BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!RemoveFontResourceW 75D1F1E1 5 Bytes JMP 00210BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!AbortDoc 75D24D37 5 Bytes JMP 00210030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!EndDoc 75D2517E 5 Bytes JMP 002101F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!StartPage 75D25269 5 Bytes JMP 002106F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!StartDocW 75D25BB6 5 Bytes JMP 002107B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!BeginPath 75D2635D 5 Bytes JMP 002107F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!SelectClipPath 75D263B4 5 Bytes JMP 00210AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!CloseFigure 75D2640F 5 Bytes JMP 00210070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!EndPath 75D26466 5 Bytes JMP 00210A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!StrokePath 75D26699 5 Bytes JMP 00210770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!FillPath 75D26726 5 Bytes JMP 00210830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!PolylineTo 75D26B94 5 Bytes JMP 002104F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!PolyBezierTo 75D26C25 5 Bytes JMP 002104B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] GDI32.dll!PolyDraw 75D26CD7 5 Bytes JMP 00210870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!ActivateKeyboardLayout 769F817D 5 Bytes JMP 002204F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!ScreenToClient 769FC1F2 7 Bytes JMP 00220670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!RegisterClipboardFormatA 769FE6B1 5 Bytes JMP 002202F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!RegisterClipboardFormatW 769FEDFD 5 Bytes JMP 002202B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!SetCursor 76A052EA 5 Bytes JMP 00220530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!MonitorFromWindow 76A0590A 7 Bytes JMP 00220630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!PostMessageW 76A06225 5 Bytes JMP 002205F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!IsWindowVisible 76A06939 7 Bytes JMP 002206B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!GetClientRect 76A074B1 7 Bytes JMP 002205B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!MapWindowPoints 76A07915 5 Bytes JMP 00220570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!GetParent 76A07AB3 7 Bytes JMP 002206F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!SetClipboardData 76A14979 5 Bytes JMP 00220170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!EmptyClipboard 76A14A28 5 Bytes JMP 00220130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!GetClipboardData 76A14B47 5 Bytes JMP 00220030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!EnumClipboardFormats 76A14D98 5 Bytes JMP 002201B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!GetClipboardFormatNameW 76A17EB2 5 Bytes JMP 00220230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!SetClipboardViewer 76A18F4D 5 Bytes JMP 002204B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!GetClipboardFormatNameA 76A18F61 5 Bytes JMP 00220270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!GetOpenClipboardWindow 76A1902F 1 Byte [E9] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!GetOpenClipboardWindow 76A1902F 5 Bytes JMP 002203F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!ChangeClipboardChain 76A23425 5 Bytes JMP 00220430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!GetTopWindow 76A23A5D 7 Bytes JMP 00220730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!CloseClipboard 76A25BA7 5 Bytes JMP 002200B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!OpenClipboard 76A25BB9 5 Bytes JMP 00220070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!IsClipboardFormatAvailable 76A25C3A 5 Bytes JMP 002200F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!GetClipboardSequenceNumber 76A25C4E 5 Bytes JMP 00220330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!GetClipboardOwner 76A25C60 5 Bytes JMP 00220370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!CountClipboardFormats 76A25DC9 5 Bytes JMP 002201F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!SetCursorPos 76A3C1D8 5 Bytes JMP 00220770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!GetClipboardViewer 76A54B57 5 Bytes JMP 00220470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] USER32.dll!GetPriorityClipboardFormat 76A54C59 5 Bytes JMP 002203B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ole32.dll!OleSetClipboard 7743F1F6 5 Bytes JMP 00230030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ole32.dll!OleIsCurrentClipboard 77442370 5 Bytes JMP 00230070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] ole32.dll!OleGetClipboard 7746F71D 5 Bytes JMP 002300B0 ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8BC0970C] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8BC09EEE] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [8BC0A20E] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8BC0A0CC] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8BC098F0] \SystemRoot\System32\Drivers\sptd.sys ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3840] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!MoveFileExW] 00010090 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 857311E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{544BC198-2357-456E-B714-46DC2D00B829} 870F51E8 Device \Driver\usbohci \Device\USBPDO-0 8716A1E8 Device \Driver\usbehci \Device\USBPDO-1 8716C1E8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\PCI_PNP3936 \Device\00000058 sptd.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom0 86F871E8 Device \Driver\cdrom \Device\CdRom1 86F871E8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-b 8572D1E8 Device \Driver\atapi \Device\Ide\IdePort0 8572D1E8 Device \Driver\atapi \Device\Ide\IdePort1 8572D1E8 Device \Driver\atapi \Device\Ide\IdePort2 8572D1E8 Device \Driver\atapi \Device\Ide\IdePort3 8572D1E8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-9 8572D1E8 Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-a 8572D1E8 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-8 8572D1E8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom2 86F871E8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\nvstor32 \Device\00000068 8572F1E8 Device \Driver\cdrom \Device\CdRom3 86F871E8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom4 86F871E8 Device \Driver\nvstor32 \Device\00000069 8572F1E8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl 872071E8 Device \Driver\NetBT \Device\NetBt_Wins_Export 870F51E8 Device \Driver\nvstor32 \Device\RaidPort0 8572F1E8 Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) Device \Driver\NetBT \Device\NetBT_Tcpip_{04C6687D-E102-4FA9-A733-EB422AB6CFAE} 870F51E8 Device \Driver\usbohci \Device\USBFDO-0 8716A1E8 Device \Driver\USBSTOR \Device\0000007a 86FC51E8 Device \Driver\usbehci \Device\USBFDO-1 8716C1E8 Device \Driver\USBSTOR \Device\0000007c 86FC51E8 Device \Driver\USBSTOR \Device\0000007d 86FC51E8 Device \Driver\USBSTOR \Device\0000007e 86FC51E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{C1B023BF-E7FE-44AD-AA4F-5009AB1CBE7F} 870F51E8 Device \Driver\USBSTOR \Device\0000007f 86FC51E8 Device \Driver\asfjhs1t \Device\Scsi\asfjhs1t1 86FBA1E8 ---- Services - GMER 1.0.15 ---- Service C:\Windows\system32 (*** hidden *** ) [MANUAL] MpsSvc <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b00026 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9E 0x96 0x05 0x8B ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x16 0x0D 0x67 0x71 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x08 0x0E 0x5C 0xB7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a1 0x10 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x7C 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x69 0xC2 0xF1 0x49 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xDB 0xAC 0x86 0x1A ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0x63 0xD1 0xD8 0x17 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq2 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq2@hdf12 0xD6 0xD3 0x00 0x98 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq3 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq3@hdf12 0x17 0x84 0xCE 0xAD ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272b00026 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9E 0x96 0x05 0x8B ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x16 0x0D 0x67 0x71 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x08 0x0E 0x5C 0xB7 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a1 0x10 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x7C 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x69 0xC2 0xF1 0x49 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xDB 0xAC 0x86 0x1A ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0x63 0xD1 0xD8 0x17 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq2@hdf12 0xD6 0xD3 0x00 0x98 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq3@hdf12 0x17 0x84 0xCE 0xAD ... ---- EOF - GMER 1.0.15 ----