GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-18 19:23:49
Windows 6.1.7601 Service Pack 3 Harddisk0\DR0 -> \Device\0000006f ATA_____ rev.1M__
Running: feqtdk3e.exe; Driver: C:\Users\Przemek\AppData\Local\Temp\uwtdapow.sys

---- Kernel code sections - GMER 1.0.15 ----

.text   ntkrnlpa.exe!ZwRollbackEnlistment + 140D   8324CA49 1 Byte   [06]
.text   ntkrnlpa.exe!KiDispatchInterrupt + 5A2   832864D2 19 Bytes   [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.sptd1  C:\Windows\System32\Drivers\sptd.sys   entry point in ".sptd1" section [0x84318B2E]
.text   C:\Windows\system32\DRIVERS\atikmdag.sys   section is writeable [0x95040000, 0x2D5378, 0xE8000020]
.text   USBPORT.SYS!DllUnload   94C2FDB9 5 Bytes   JMP 88E5C1C8
?       C:\Windows\System32\Drivers\aqg499hi.SYS   suspicious PE modification
.text   C:\Windows\system32\DRIVERS\atksgt.sys   section is writeable [0xA35B5300, 0x3B6D8, 0xE8000020]
.text   C:\Windows\system32\DRIVERS\lirsgt.sys   section is writeable [0xA3409300, 0x1BEE, 0xE8000020]
.text   C:\Program Files\CyberLink\PowerDVD11\Common\NavFilter\000.fcl   section is writeable [0x94DC2000, 0x2BE8, 0xE8000020]
.vmp2   C:\Program Files\CyberLink\PowerDVD11\Common\NavFilter\000.fcl   entry point in ".vmp2" section [0x94DE4666]
PAGE    spsys.sys!?SPRevision@@3PADA + 4F90   A58F8000 290 Bytes   [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE    spsys.sys!?SPRevision@@3PADA + 50B3   A58F8123 629 Bytes   [35, 8F, A5, FE, 05, 34, 35, ...]
PAGE    spsys.sys!?SPRevision@@3PADA + 5329   A58F8399 101 Bytes   [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE    spsys.sys!?SPRevision@@3PADA + 538F   A58F83FF 148 Bytes   [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE    spsys.sys!?SPRevision@@3PADA + 543B   A58F84AB 2228 Bytes   [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE    ...
---- User code sections - GMER 1.0.15 ----

.text   C:\Program Files\Mozilla Firefox\plugin-container.exe[1764] USER32.dll!RegisterMessagePumpHook + 2F1   766F8B9E 7 Bytes   JMP 5AE1AAB0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text   C:\Program Files\Mozilla Firefox\plugin-container.exe[1764] USER32.dll!IsDialogMessageW + 340   76704444 7 Bytes   JMP 5AE1AA3F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text   C:\Program Files\Mozilla Firefox\plugin-container.exe[1764] USER32.dll!GetWindowInfo   76704B5E 5 Bytes   JMP 5AC64559 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text   C:\Program Files\Mozilla Firefox\plugin-container.exe[1764] USER32.dll!ToUnicodeEx + 71   76712223 7 Bytes   JMP 5AC64BB1 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtCreateFile + 6   775255CE 4 Bytes   [28, 00, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtCreateFile + B   775255D3 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtCreateKey + 6   7752560E 4 Bytes   [68, 01, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtCreateKey + B   77525613 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtCreateMutant + 6   7752564E 4 Bytes   [68, 02, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtCreateMutant + B   77525653 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtCreateSection + 6   775256EE 4 Bytes   [A8, 02, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtCreateSection + B   775256F3 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtMapViewOfSection + 6   77525C2E 4 Bytes   CALL 76526337 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtMapViewOfSection + B   77525C33 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenFile + 6   77525CDE 4 Bytes   [68, 00, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenFile + B   77525CE3 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenKey + 6   77525D0E 4 Bytes   [A8, 01, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenKey + B   77525D13 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenKeyEx + 6   77525D1E 4 Bytes   CALL 76526424 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenKeyEx + B   77525D23 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenMutant + 6   77525D5E 4 Bytes   [28, 02, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenMutant + B   77525D63 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenProcess + 6   77525D8E 1 Byte   [68]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenProcess + 6   77525D8E 4 Bytes   [68, 03, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenProcess + B   77525D93 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenProcessToken + 6   77525D9E 1 Byte   [A8]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenProcessToken + 6   77525D9E 4 Bytes   [A8, 03, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenProcessToken + B   77525DA3 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenProcessTokenEx + 6   77525DAE 4 Bytes   [68, 04, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenProcessTokenEx + B   77525DB3 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenSection + 6   77525DCE 4 Bytes   CALL 765264D5 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenSection + B   77525DD3 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenThread + 6   77525E0E 1 Byte   [28]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenThread + 6   77525E0E 4 Bytes   [28, 03, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenThread + B   77525E13 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenThreadToken + 6   77525E1E 4 Bytes   [28, 04, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenThreadToken + B   77525E23 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenThreadTokenEx + 6   77525E2E 4 Bytes   [A8, 04, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtOpenThreadTokenEx + B   77525E33 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtQueryAttributesFile + 6   77525F3E 4 Bytes   [A8, 00, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtQueryAttributesFile + B   77525F43 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtQueryFullAttributesFile + 6   77525FEE 4 Bytes   CALL 765266F3 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtQueryFullAttributesFile + B   77525FF3 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtSetInformationFile + 6   7752663E 4 Bytes   [28, 01, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtSetInformationFile + B   77526643 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtSetInformationThread + 6   7752669E 1 Byte   [E8]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtSetInformationThread + 6   7752669E 4 Bytes   CALL 76526DA6 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtSetInformationThread + B   775266A3 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtUnmapViewOfSection + 6   775269BE 4 Bytes   [28, 05, 07, 00]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ntdll.dll!NtUnmapViewOfSection + B   775269C3 1 Byte   [E2]
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] kernel32.dll!CreateProcessW   76AB204D 5 Bytes   JMP 00010030
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] kernel32.dll!CreateProcessA   76AB2082 5 Bytes   JMP 00010070
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!DeleteObject   76A05F14 5 Bytes   JMP 001101B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!SelectObject   76A06640 5 Bytes   JMP 001105F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!SetTextColor   76A06906 5 Bytes   JMP 00110A30
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!SetBkMode   76A069B1 5 Bytes   JMP 001108F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!DeleteDC   76A06EAA 5 Bytes   JMP 00110170
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!GetDeviceCaps   76A06F7F 5 Bytes   JMP 001103B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!ExtSelectClipRgn   76A07114 5 Bytes   JMP 001102F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!SelectClipRgn   76A07242 5 Bytes   JMP 001105B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!SetStretchBltMode   76A07705 5 Bytes   JMP 001106B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!GetCurrentObject   76A07917 5 Bytes   JMP 00110370
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!GetTextMetricsW   76A07B8F 5 Bytes   JMP 00110E30
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!GetTextAlign   76A07DAF 5 Bytes   JMP 00110D70
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!IntersectClipRect   76A07DFE 5 Bytes   JMP 001103F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!ExtTextOutW   76A08192 5 Bytes   JMP 00110970
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!SetTextAlign   76A0828E 5 Bytes   JMP 001109F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!GetClipBox   76A08525 5 Bytes   JMP 00110330
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!MoveToEx   76A08C21 5 Bytes   JMP 00110470
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!StretchDIBits   76A0A53E 5 Bytes   JMP 00110770
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!RestoreDC   76A0A67B 5 Bytes   JMP 00110530
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!SaveDC   76A0A74B 5 Bytes   JMP 00110570
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!GetTextExtentPoint32W   76A0B4B5 5 Bytes   JMP 00110670
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!GetTextFaceW   76A0B73A 2 Bytes   JMP 00110D30
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!GetTextFaceW + 3   76A0B73D 2 Bytes   [70, 89] {JO 0xffffffffffffff8b}
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!GetFontData   76A0BCC4 5 Bytes   JMP 00110C70
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!SetWorldTransform   76A0C90A 5 Bytes   JMP 001106F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!CreateDCA   76A0CCA9 5 Bytes   JMP 001100B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!CreateDCW   76A0CF79 5 Bytes   JMP 001100F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!CreateICW   76A0CFD0 5 Bytes   JMP 00110130
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!GetTextMetricsA   76A0D0F2 5 Bytes   JMP 00110DF0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!Rectangle   76A0F1FF 5 Bytes   JMP 001109B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!LineTo   76A0F59B 5 Bytes   JMP 00110430
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!SetICMMode   76A0FAA4 5 Bytes   JMP 00110DB0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!ExtTextOutA   76A103F9 5 Bytes   JMP 00110930
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!GetTextExtentPoint32A   76A107B0 5 Bytes   JMP 00110630
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!ExtEscape   76A12949 5 Bytes   JMP 001102B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!Escape   76A13939 5 Bytes   JMP 00110270
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!GetTextFaceA   76A13E6A 5 Bytes   JMP 00110CF0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!SetPolyFillMode   76A1D851 5 Bytes   JMP 00110B30
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!SetMiterLimit   76A1DA0D 5 Bytes   JMP 00110B70
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!EndPage   76A200D7 5 Bytes   JMP 00110230
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!ResetDCW   76A2050D 5 Bytes   JMP 00110AB0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!GetGlyphOutlineW   76A2C1BA 5 Bytes   JMP 00110CB0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!CreateScalableFontResourceW   76A2E817 5 Bytes   JMP 00110BB0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!AddFontResourceW   76A2EC13 5 Bytes   JMP 00110BF0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!RemoveFontResourceW   76A2F109 5 Bytes   JMP 00110C30
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!AbortDoc   76A34C63 5 Bytes   JMP 00110030
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!EndDoc   76A350AA 5 Bytes   JMP 001101F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!StartPage   76A35195 5 Bytes   JMP 00110730
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!StartDocW   76A35BB0 5 Bytes   JMP 001107F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!BeginPath   76A3635D 5 Bytes   JMP 00110830
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!SelectClipPath   76A363B4 5 Bytes   JMP 00110AF0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!CloseFigure   76A3640F 5 Bytes   JMP 00110070
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!EndPath   76A36466 5 Bytes   JMP 00110A70
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!StrokePath   76A36699 5 Bytes   JMP 001107B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!FillPath   76A36726 5 Bytes   JMP 00110870
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!PolylineTo   76A36B94 5 Bytes   JMP 001104F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!PolyBezierTo   76A36C25 5 Bytes   JMP 001104B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] GDI32.dll!PolyDraw   76A36CD7 5 Bytes   JMP 001108B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!ActivateKeyboardLayout   766F8203 5 Bytes   JMP 001204F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!ScreenToClient   766FA506 7 Bytes   JMP 00120670
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!RegisterClipboardFormatA   766FC091 5 Bytes   JMP 001202F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!RegisterClipboardFormatW   766FDF8D 5 Bytes   JMP 001202B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!SetCursor   76703075 5 Bytes   JMP 00120530
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!MonitorFromWindow   76703622 7 Bytes   JMP 00120630
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!PostMessageW   7670447B 5 Bytes   JMP 001205F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!IsWindowVisible   76704D69 7 Bytes   JMP 001206B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!GetClientRect   767054DD 7 Bytes   JMP 001205B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!MapWindowPoints   76705CAA 5 Bytes   JMP 00120570
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!GetParent   76706029 7 Bytes   JMP 001206F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!EmptyClipboard   7671290C 5 Bytes   JMP 00120130
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!SetClipboardData   76712962 5 Bytes   JMP 00120170
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!GetClipboardData   76712BA7 5 Bytes   JMP 00120030
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!GetClipboardFormatNameW   76715FD2 5 Bytes   JMP 00120230
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!SetClipboardViewer   76716FF6 5 Bytes   JMP 001204B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!GetClipboardFormatNameA   7671700A 5 Bytes   JMP 00120270
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!ChangeClipboardChain   7672147C 5 Bytes   JMP 00120430
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!GetTopWindow   767224D9 7 Bytes   JMP 00120730
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!CloseClipboard   7672446C 5 Bytes   JMP 001200B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!OpenClipboard   7672447E 5 Bytes   JMP 00120070
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!IsClipboardFormatAvailable   767244FF 5 Bytes   JMP 001200F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!GetClipboardSequenceNumber   76724513 5 Bytes   JMP 00120330
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!GetClipboardOwner   76724525 5 Bytes   JMP 00120370
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!CountClipboardFormats   7672470A 5 Bytes   JMP 001201F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!EnumClipboardFormats   767247EC 5 Bytes   JMP 001201B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!GetOpenClipboardWindow   7672480B 5 Bytes   JMP 001203F0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!SetCursorPos   7673C1B0 5 Bytes   JMP 00120770
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!GetClipboardViewer   76754AF7 5 Bytes   JMP 00120470
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] USER32.dll!GetPriorityClipboardFormat   76754BF9 5 Bytes   JMP 001203B0
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ole32.dll!OleSetClipboard   76DB0045 5 Bytes   JMP 00130030
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ole32.dll!OleIsCurrentClipboard   76DB36B2 5 Bytes   JMP 00130070
.text   C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] ole32.dll!OleGetClipboard   76DDFDCD 5 Bytes   JMP 001300B0
.text   C:\Program Files\Mozilla Firefox\firefox.exe[3864] ntdll.dll!LdrGetProcedureAddress + 26   77542239 7 Bytes   JMP 5AB05B00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text   C:\Program Files\Mozilla Firefox\firefox.exe[3864] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D   76AF941E 7 Bytes   JMP 5AD47B35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text   C:\Program Files\Mozilla Firefox\firefox.exe[3864] kernel32.dll!QueryPerformanceCounter + 13   76AFC435 7 Bytes   JMP 5AD47B58 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text   C:\Program Files\Mozilla Firefox\firefox.exe[3864] kernel32.dll!LoadAppInitDlls + 355   76AFF4F6 7 Bytes   JMP 5AB0EF12 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text   C:\Program Files\Mozilla Firefox\firefox.exe[3864] GDI32.dll!GetViewportOrgEx + 26C   76A0884B 7 Bytes   JMP 5AD47AB6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT     \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]   [84223730] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT     \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]   [84223F12] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT     \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong]   [84224232] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT     \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]   [842240F0] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT     \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]   [84223914] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT     C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!MoveFileExW]   00010090
IAT     C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetFocus]   00120790
IAT     C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetKeyState]   001207D0
IAT     C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!MoveFileExW]   00010090
IAT     C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_287.exe[2052] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!MoveFileExW]   00010090

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs   85F3A1E8
AttachedDevice  \Driver\volsnap \Device\HarddiskVolumeShadowCopy1   NBVolUp.sys (Nero Backup Volume Upper Filter Driver for the Disk Stack/Nero AG)
Device          \Driver\usbuhci \Device\USBPDO-0   88E5E1E8
Device          \Driver\usbuhci \Device\USBPDO-1   88E5E1E8
Device          \Driver\usbuhci \Device\USBPDO-2   88E5E1E8
Device          \Driver\usbehci \Device\USBPDO-3   86C7D430
Device          \Driver\usbuhci \Device\USBPDO-4   88E5E1E8
AttachedDevice  \Driver\tdx \Device\Tcp   nltdi.sys
Device          \Driver\usbuhci \Device\USBPDO-5   88E5E1E8
Device          \Driver\usbuhci \Device\USBPDO-6   88E5E1E8
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1   rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1   NBVol.sys (Nero Backup Volume Filter Driver for the Disk Stack/Nero AG)
Device          \Driver\usbehci \Device\USBPDO-7   86C7D430
Device          \Driver\ACPI_HAL \Device\00000064   halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2   rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2   NBVol.sys (Nero Backup Volume Filter Driver for the Disk Stack/Nero AG)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3   rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3   NBVol.sys (Nero Backup Volume Filter Driver for the Disk Stack/Nero AG)
Device          \Driver\dtsoftbus01 \Device\DTSoftBusCtl   88BE11E8
Device          \Driver\NetBT \Device\NetBt_Wins_Export   88DCC1E8
Device          \Driver\iaStorA \Device\RaidPort0   85F381E8
AttachedDevice  \Driver\tdx \Device\Udp   nltdi.sys
Device          \Driver\usbuhci \Device\USBFDO-0   88E5E1E8
Device          \Driver\PCI_PNP1876 \Device\0000006c   sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
Device          \Driver\NetBT \Device\NetBT_Tcpip_{42B4A797-86D1-496B-970F-42F20C2B72C6}   88DCC1E8
Device          \Driver\usbuhci \Device\USBFDO-1   88E5E1E8
Device          \Driver\usbuhci \Device\USBFDO-2   88E5E1E8
Device          \Driver\iaStorA \Device\0000006f   85F381E8
Device          \Driver\usbehci \Device\USBFDO-3   86C7D430
Device          \Driver\usbuhci \Device\USBFDO-4   88E5E1E8
Device          \Driver\usbuhci \Device\USBFDO-5   88E5E1E8
Device          \Driver\usbuhci \Device\USBFDO-6   88E5E1E8
Device          \Driver\usbehci \Device\USBFDO-7   86C7D430
Device          \Driver\aqg499hi \Device\Scsi\aqg499hi1   88EBE430

---- EOF - GMER 1.0.15 ----