GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-12-25 14:29:09
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 SAMSUNG_ rev.HH10
Running: cl2u3mdl.exe; Driver: C:\Users\Roma\AppData\Local\Temp\aftcqaog.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackTransaction + 13E9 8207E599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 820A3092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\windows\system32\Drivers\PROCEXP113.SYS Nie można odnaleźć określonego pliku. !
? C:\Users\Roma\AppData\Local\Temp\catchme.sys Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2560] USER32.dll!CharToOemA + 3A 7724B1DE 7 Bytes JMP 686B32C0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2560] USER32.dll!AdjustWindowRectEx + 117 7725660F 7 Bytes JMP 686B324F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2560] USER32.dll!GetWindowInfo 77256A82 5 Bytes JMP 684FA8A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2560] USER32.dll!MenuItemFromPoint + F 77274B36 7 Bytes JMP 684FAED5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3096] ntdll.dll!wcsncmp + 33B 7713F420 7 Bytes JMP 68394470 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3096] kernel32.dll!K32GetDeviceDriverBaseNameW + 16F 7587C057 7 Bytes JMP 685E0459 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3096] kernel32.dll!CloseHandle + 38 7588058F 7 Bytes JMP 685E047C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3096] kernel32.dll!GetExitCodeProcess + 2C 758830DD 1 Byte [E9]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3096] kernel32.dll!GetExitCodeProcess + 2C 758830DD 7 Bytes JMP 6839F972 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3096] GDI32.dll!GetViewportOrgEx + 21C 75D485EB 7 Bytes JMP 685E03DA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtCreateFile + 6 771246B6 4 Bytes [28, 00, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtCreateFile + B 771246BB 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtCreateKey + 6 771246F6 4 Bytes [68, 01, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtCreateKey + B 771246FB 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtCreateMutant + 6 77124736 4 Bytes [68, 02, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtCreateMutant + B 7712473B 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtCreateSection + 6 771247D6 4 Bytes [A8, 02, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtCreateSection + B 771247DB 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtMapViewOfSection + 6 77124D16 4 Bytes CALL 7612541F C:\windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtMapViewOfSection + B 77124D1B 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenFile + 6 77124DC6 4 Bytes [68, 00, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenFile + B 77124DCB 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenKey + 6 77124DF6 4 Bytes [A8, 01, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenKey + B 77124DFB 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenKeyEx + 6 77124E06 4 Bytes CALL 7612550C C:\windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenKeyEx + B 77124E0B 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenMutant + 6 77124E46 4 Bytes [28, 02, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenMutant + B 77124E4B 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenProcess + 6 77124E76 1 Byte [68]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenProcess + 6 77124E76 4 Bytes [68, 03, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenProcess + B 77124E7B 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenProcessToken + 6 77124E86 1 Byte [A8]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenProcessToken + 6 77124E86 4 Bytes [A8, 03, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenProcessToken + B 77124E8B 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenProcessTokenEx + 6 77124E96 4 Bytes [68, 04, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenProcessTokenEx + B 77124E9B 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenSection + 6 77124EB6 4 Bytes CALL 761255BD C:\windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenSection + B 77124EBB 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenThread + 6 77124EF6 1 Byte [28]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenThread + 6 77124EF6 4 Bytes [28, 03, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenThread + B 77124EFB 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenThreadToken + 6 77124F06 4 Bytes [28, 04, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenThreadToken + B 77124F0B 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenThreadTokenEx + 6 77124F16 4 Bytes [A8, 04, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtOpenThreadTokenEx + B 77124F1B 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtQueryAttributesFile + 6 77125026 4 Bytes [A8, 00, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtQueryAttributesFile + B 7712502B 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtQueryFullAttributesFile + 6 771250D6 4 Bytes CALL 761257DB C:\windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtQueryFullAttributesFile + B 771250DB 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtSetInformationFile + 6 77125726 4 Bytes [28, 01, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtSetInformationFile + B 7712572B 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtSetInformationThread + 6 77125786 1 Byte [E8]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtSetInformationThread + 6 77125786 4 Bytes CALL 76125E8E C:\windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtSetInformationThread + B 7712578B 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtUnmapViewOfSection + 6 77125AA6 4 Bytes [28, 05, 07, 00]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ntdll.dll!NtUnmapViewOfSection + B 77125AAB 1 Byte [E2]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] kernel32.dll!CreateProcessW 7583202D 5 Bytes JMP 00010030
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] kernel32.dll!CreateProcessA 75832062 5 Bytes JMP 00010070
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!SelectObject 75D461D0 5 Bytes JMP 000A05F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!SetTextColor 75D46622 5 Bytes JMP 000A0A30
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!SetBkMode 75D466CD 5 Bytes JMP 000A08F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!DeleteObject 75D468B4 5 Bytes JMP 000A01B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!DeleteDC 75D46A2C 5 Bytes JMP 000A0170
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!ExtSelectClipRgn 75D46C72 5 Bytes JMP 000A02F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!SelectClipRgn 75D46D84 5 Bytes JMP 000A05B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!GetDeviceCaps 75D46E03 5 Bytes JMP 000A03B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!SetStretchBltMode 75D473CE 5 Bytes JMP 000A06B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!GetCurrentObject 75D4777C 5 Bytes JMP 000A0370
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!GetTextMetricsW 75D4798F 5 Bytes JMP 000A0E30
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!IntersectClipRect 75D47CCA 5 Bytes JMP 000A03F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!GetTextAlign 75D47D15 5 Bytes JMP 000A0D70
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!SetTextAlign 75D47F92 5 Bytes JMP 000A09F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!ExtTextOutW 75D48053 5 Bytes JMP 000A0970
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!GetClipBox 75D481F2 5 Bytes JMP 000A0330
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!MoveToEx 75D48A16 5 Bytes JMP 000A0470
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!CreateDCA 75D49975 5 Bytes JMP 000A00B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!RestoreDC 75D49A10 5 Bytes JMP 000A0530
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!SaveDC 75D49AD2 5 Bytes JMP 000A0570
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!StretchDIBits 75D4AC38 5 Bytes JMP 000A0770
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!GetTextFaceW 75D4B4CC 5 Bytes JMP 000A0D30
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!GetTextExtentPoint32W 75D4B535 5 Bytes JMP 000A0670
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!GetFontData 75D4B8E8 5 Bytes JMP 000A0C70
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!CreateDCW 75D4BD21 5 Bytes JMP 000A00F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!CreateICW 75D4C660 5 Bytes JMP 000A0130
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!LineTo 75D4CA20 5 Bytes JMP 000A0430
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!SetWorldTransform 75D4CB42 5 Bytes JMP 000A06F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!GetTextMetricsA 75D4CE46 5 Bytes JMP 000A0DF0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!Rectangle 75D4F5BE 5 Bytes JMP 000A09B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!SetICMMode 75D4F8D4 5 Bytes JMP 000A0DB0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!ExtTextOutA 75D50158 5 Bytes JMP 000A0930
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!GetTextExtentPoint32A 75D508BB 5 Bytes JMP 000A0630
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!Escape 75D50B0D 5 Bytes JMP 000A0270
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!ExtEscape 75D53472 5 Bytes JMP 000A02B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!GetTextFaceA 75D53E49 5 Bytes JMP 000A0CF0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!SetPolyFillMode 75D56CE1 5 Bytes JMP 000A0B30
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!SetMiterLimit 75D56E54 5 Bytes JMP 000A0B70
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!ResetDCW 75D6031C 5 Bytes JMP 000A0AB0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!EndPage 75D607CD 5 Bytes JMP 000A0230
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!GetGlyphOutlineW 75D6C292 5 Bytes JMP 000A0CB0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!CreateScalableFontResourceW 75D6E8EF 5 Bytes JMP 000A0BB0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!AddFontResourceW 75D6ECEB 5 Bytes JMP 000A0BF0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!RemoveFontResourceW 75D6F1E1 5 Bytes JMP 000A0C30
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!AbortDoc 75D74D37 5 Bytes JMP 000A0030
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!EndDoc 75D7517E 5 Bytes JMP 000A01F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!StartPage 75D75269 5 Bytes JMP 000A0730
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!StartDocW 75D75BB6 5 Bytes JMP 000A07F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!BeginPath 75D7635D 5 Bytes JMP 000A0830
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!SelectClipPath 75D763B4 5 Bytes JMP 000A0AF0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!CloseFigure 75D7640F 5 Bytes JMP 000A0070
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!EndPath 75D76466 5 Bytes JMP 000A0A70
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!StrokePath 75D76699 5 Bytes JMP 000A07B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!FillPath 75D76726 5 Bytes JMP 000A0870
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!PolylineTo 75D76B94 5 Bytes JMP 000A04F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!PolyBezierTo 75D76C25 5 Bytes JMP 000A04B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] GDI32.dll!PolyDraw 75D76CD7 5 Bytes JMP 000A08B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!ActivateKeyboardLayout 7724817D 5 Bytes JMP 003204F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!ScreenToClient 7724C1F2 7 Bytes JMP 00320670
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!RegisterClipboardFormatA 7724E6B1 5 Bytes JMP 003202F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!RegisterClipboardFormatW 7724EDFD 5 Bytes JMP 003202B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!SetCursor 772552EA 5 Bytes JMP 00320530
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!MonitorFromWindow 7725590A 7 Bytes JMP 00320630
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!PostMessageW 77256225 5 Bytes JMP 003205F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!IsWindowVisible 77256939 7 Bytes JMP 003206B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!GetClientRect 772574B1 7 Bytes JMP 003205B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!MapWindowPoints 77257915 5 Bytes JMP 00320570
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!GetParent 77257AB3 7 Bytes JMP 003206F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!SetClipboardData 77264979 5 Bytes JMP 00320170
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!EmptyClipboard 77264A28 5 Bytes JMP 00320130
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!GetClipboardData 77264B47 5 Bytes JMP 00320030
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!EnumClipboardFormats 77264D98 5 Bytes JMP 003201B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!GetClipboardFormatNameW 77267EB2 5 Bytes JMP 00320230
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!SetClipboardViewer 77268F4D 5 Bytes JMP 003204B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!GetClipboardFormatNameA 77268F61 5 Bytes JMP 00320270
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!GetOpenClipboardWindow 7726902F 1 Byte [E9]
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!GetOpenClipboardWindow 7726902F 5 Bytes JMP 003203F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!ChangeClipboardChain 77273425 5 Bytes JMP 00320430
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!GetTopWindow 77273A5D 7 Bytes JMP 00320730
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!CloseClipboard 77275BA7 5 Bytes JMP 003200B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!OpenClipboard 77275BB9 5 Bytes JMP 00320070
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!IsClipboardFormatAvailable 77275C3A 5 Bytes JMP 003200F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!GetClipboardSequenceNumber 77275C4E 5 Bytes JMP 00320330
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!GetClipboardOwner 77275C60 5 Bytes JMP 00320370
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!CountClipboardFormats 77275DC9 5 Bytes JMP 003201F0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!SetCursorPos 7728C1D8 5 Bytes JMP 00320770
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!GetClipboardViewer 772A4B57 5 Bytes JMP 00320470
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] USER32.dll!GetPriorityClipboardFormat 772A4C59 5 Bytes JMP 003203B0
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ole32.dll!OleSetClipboard 755EF2FE 5 Bytes JMP 00330030
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ole32.dll!OleIsCurrentClipboard 755F2489 5 Bytes JMP 00330070
.text C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] ole32.dll!OleGetClipboard 7561F825 5 Bytes JMP 003300B0

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdipAlloc] [73DB24FA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdiplusStartup] [73D9565B] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [73D95719] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdipFree] [73DB2575] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73DA85D9] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [73DA4D8D] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [73DA5134] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [73DA5209] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73DA6736] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73DA8330] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73DA887F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73DA90E0] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73DAE283] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\explorer.exe[2688] @ C:\windows\explorer.exe [gdiplus.dll!GdipCloneImage] [73DA4CBF] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] @ C:\windows\system32\WININET.dll [KERNEL32.dll!MoveFileExW] 00010090
IAT C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] @ C:\windows\system32\ole32.dll [USER32.dll!GetKeyState] 003207D0
IAT C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] @ C:\windows\system32\SHELL32.dll [USER32.dll!GetFocus] 00320790
IAT C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] @ C:\windows\system32\SHELL32.dll [USER32.dll!GetKeyState] 003207D0
IAT C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!MoveFileExW] 00010090
IAT C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3964] @ C:\windows\system32\USERENV.dll [KERNEL32.dll!MoveFileExW] 00010090

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000074 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000094 bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000096 bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb11283eb
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bb11283eb@f0e77e543827 0x73 0xEF 0x74 0x26 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\506313acdee6
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Bind
Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Route