GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-12-29 18:47:00
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 rev.
Running: x7629gzv.exe; Driver: C:\Users\Dariusz\AppData\Local\Temp\pwriifod.sys

---- Kernel code sections - GMER 1.0.15 ----

.vmp2 C:\Windows\system32\drivers\acedrv11.sys entry point in ".vmp2" section [0xA11EF69D]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1240] USER32.dll!InSendMessageEx + 4C9 761DE7C8 7 Bytes JMP 62F1ADE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1240] USER32.dll!CreateWindowExW + AA 761E13AF 7 Bytes JMP 62F1AD6F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1240] USER32.dll!GetWindowInfo 761E428E 5 Bytes JMP 62D647EC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1240] USER32.dll!SetMenuItemBitmaps + 71 761F14EE 7 Bytes JMP 62D64E1E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4848] ntdll.dll!LdrLoadDll 774E9378 5 Bytes JMP 62C0A650 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4848] kernel32.dll!HeapSetInformation + 26 76F4A8C0 7 Bytes JMP 62C0EDB3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4848] kernel32.dll!LockResource + C 76F66B0B 7 Bytes JMP 62E47DF7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4848] kernel32.dll!VirtualAllocEx + 54 76F6AF70 7 Bytes JMP 62E47E1A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4848] USER32.dll!GetWindowInfo 761E428E 5 Bytes JMP 62D6BDB3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4848] GDI32.dll!SetStretchBltMode + 256 7627745C 7 Bytes JMP 62E47D78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtCreateFile + 6 7752424A 4 Bytes [28, 00, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtCreateFile + B 7752424F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtCreateKey + 6 7752428A 4 Bytes [68, 01, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtCreateKey + B 7752428F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtCreateMutant + 6 775242BA 4 Bytes [28, 02, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtCreateMutant + B 775242BF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtCreateSection + 6 7752433A 4 Bytes [68, 02, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtCreateSection + B 7752433F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtMapViewOfSection + 6 7752499A 4 Bytes [A8, 04, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtMapViewOfSection + B 7752499F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenFile + 6 77524A2A 4 Bytes [68, 00, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenFile + B 77524A2F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenKey + 6 77524A5A 4 Bytes [A8, 01, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenKey + B 77524A5F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenMutant + 6 77524A7A 4 Bytes CALL 76525080 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenMutant + B 77524A7F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenProcess + 6 77524AAA 1 Byte [28]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenProcess + 6 77524AAA 4 Bytes [28, 03, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenProcess + B 77524AAF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenProcessToken + 6 77524ABA 1 Byte [68]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenProcessToken + 6 77524ABA 4 Bytes [68, 03, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenProcessToken + B 77524ABF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenProcessTokenEx + 6 77524ACA 4 Bytes [28, 04, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenProcessTokenEx + B 77524ACF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenSection + 6 77524ADA 4 Bytes [A8, 02, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenSection + B 77524ADF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenThread + 6 77524B1A 4 Bytes CALL 76525121 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenThread + B 77524B1F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenThreadToken + 6 77524B2A 1 Byte [E8]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenThreadToken + 6 77524B2A 4 Bytes CALL 76525132 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenThreadToken + B 77524B2F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenThreadTokenEx + 6 77524B3A 4 Bytes [68, 04, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtOpenThreadTokenEx + B 77524B3F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtQueryAttributesFile + 6 77524BCA 4 Bytes [A8, 00, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtQueryAttributesFile + B 77524BCF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtQueryFullAttributesFile + 6 77524C7A 4 Bytes CALL 7652527F C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtQueryFullAttributesFile + B 77524C7F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtSetInformationFile + 6 7752515A 4 Bytes [28, 01, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtSetInformationFile + B 7752515F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtSetInformationThread + 6 775251AA 1 Byte [A8]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtSetInformationThread + 6 775251AA 4 Bytes [A8, 03, 06, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtSetInformationThread + B 775251AF 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtUnmapViewOfSection + 6 7752544A 4 Bytes CALL 76525A53 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ntdll.dll!NtUnmapViewOfSection + B 7752544F 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] kernel32.dll!CreateProcessW 76F21BF3 5 Bytes JMP 000100B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] kernel32.dll!CreateProcessA 76F21C28 5 Bytes JMP 000100F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] kernel32.dll!OpenEventW 76F3C033 5 Bytes JMP 00010070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] kernel32.dll!CreateEventW 76F6B87E 5 Bytes JMP 00010030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!DeleteObject 76275A37 5 Bytes JMP 000801B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!GetDeviceCaps 7627617F 5 Bytes JMP 000803B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!SelectObject 762762A0 5 Bytes JMP 000805F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!SetTextColor 7627666B 5 Bytes JMP 00080A30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!SetBkMode 76276716 5 Bytes JMP 000808F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!DeleteDC 762768CD 5 Bytes JMP 00080170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!GetCurrentObject 76276B58 5 Bytes JMP 00080370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!SetStretchBltMode 76277206 5 Bytes JMP 000806B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!SaveDC 762775BA 5 Bytes JMP 00080570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!RestoreDC 76277675 5 Bytes JMP 00080530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!StretchDIBits 762778CF 5 Bytes JMP 00080770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!ExtSelectClipRgn 762779F8 5 Bytes JMP 000802F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!SelectClipRgn 76277AF9 5 Bytes JMP 000805B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!MoveToEx 76277C33 5 Bytes JMP 00080470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!Rectangle 76277EA9 5 Bytes JMP 000809B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!GetTextAlign 762782E0 5 Bytes JMP 00080D70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!SetTextAlign 762785CB 5 Bytes JMP 000809F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!ExtTextOutW 7627872B 5 Bytes JMP 00080970
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!GetTextMetricsW 76278A81 5 Bytes JMP 00080E30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!IntersectClipRect 76278B64 5 Bytes JMP 000803F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!GetClipBox 76279071 5 Bytes JMP 00080330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!SetICMMode 762794E7 5 Bytes JMP 00080DB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!CreateDCW 7627A91D 5 Bytes JMP 000800F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!CreateDCA 7627AA49 5 Bytes JMP 000800B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!CreateICW 7627B2E9 5 Bytes JMP 00080130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!GetTextFaceW 7627B637 5 Bytes JMP 00080D30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!GetFontData 7627BA6C 1 Byte [E9]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!GetFontData 7627BA6C 5 Bytes JMP 00080C70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!GetTextExtentPoint32W 7627C01A 5 Bytes JMP 00080670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!SetWorldTransform 7627C46A 5 Bytes JMP 000806F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!LineTo 7627C65E 5 Bytes JMP 00080430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!GetTextMetricsA 7627CCEB 5 Bytes JMP 00080DF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!ExtTextOutA 762800A5 5 Bytes JMP 00080930
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!GetTextExtentPoint32A 76280E58 5 Bytes JMP 00080630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!ExtEscape 762822A7 5 Bytes JMP 000802B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!Escape 762827F1 5 Bytes JMP 00080270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!ResetDCW 76283132 5 Bytes JMP 00080AB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!EndPage 7628375E 5 Bytes JMP 00080230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!SetPolyFillMode 762861D3 5 Bytes JMP 00080B30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!SetMiterLimit 762862E2 5 Bytes JMP 00080B70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!GetTextFaceA 7628F4C5 5 Bytes JMP 00080CF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!GetGlyphOutlineW 7629A41F 5 Bytes JMP 00080CB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!CreateScalableFontResourceW 7629C88B 5 Bytes JMP 00080BB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!AddFontResourceW 7629CC93 5 Bytes JMP 00080BF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!RemoveFontResourceW 7629D129 5 Bytes JMP 00080C30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!AbortDoc 762A2CC4 5 Bytes JMP 00080030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!EndDoc 762A30D8 5 Bytes JMP 000801F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!StartPage 762A31C3 5 Bytes JMP 00080730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!StartDocW 762A3CA7 5 Bytes JMP 000807F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!BeginPath 762A4465 5 Bytes JMP 00080830
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!SelectClipPath 762A44BC 5 Bytes JMP 00080AF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!CloseFigure 762A4517 5 Bytes JMP 00080070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!EndPath 762A456E 5 Bytes JMP 00080A70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!StrokePath 762A47A0 5 Bytes JMP 000807B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!FillPath 762A482C 5 Bytes JMP 00080870
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!PolylineTo 762A4C95 5 Bytes JMP 000804F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!PolyBezierTo 762A4D25 5 Bytes JMP 000804B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] GDI32.dll!PolyDraw 762A4DD6 5 Bytes JMP 000808B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!SetCursor 761DD37D 5 Bytes JMP 00090530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!RegisterClipboardFormatW 761DD6AC 1 Byte [E9]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!RegisterClipboardFormatW 761DD6AC 5 Bytes JMP 000902B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!ActivateKeyboardLayout 761E478C 5 Bytes JMP 000904F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!IsWindowVisible 761E878A 7 Bytes JMP 000906B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!MonitorFromWindow 761E88D4 4 Bytes JMP 00090630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!MonitorFromWindow + 5 761E88D9 2 Bytes JMP E8CCCC89
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!ScreenToClient 761E8C56 7 Bytes JMP 00090670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!GetClientRect 761E8F0D 7 Bytes JMP 000905B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!GetParent 761E90AA 7 Bytes JMP 000906F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!RegisterClipboardFormatA 761EA111 5 Bytes JMP 000902F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!PostMessageW 761EA175 5 Bytes JMP 000905F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!MapWindowPoints 761EA30D 5 Bytes JMP 00090570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!GetClipboardFormatNameA 761EA552 5 Bytes JMP 00090270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!GetOpenClipboardWindow 761F26A6 5 Bytes JMP 000903F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!SetClipboardViewer 761FBA2D 5 Bytes JMP 000904B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!IsClipboardFormatAvailable 761FC2E3 5 Bytes JMP 000900F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!CloseClipboard 761FC2F7 5 Bytes JMP 000900B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!OpenClipboard 761FC31D 5 Bytes JMP 00090070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!GetTopWindow 761FCE0A 7 Bytes JMP 00090730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!GetClipboardSequenceNumber 761FD8B7 5 Bytes JMP 00090330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!ChangeClipboardChain 761FDF83 5 Bytes JMP 00090430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!CountClipboardFormats 76200048 5 Bytes JMP 000901F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!GetClipboardOwner 762026EF 5 Bytes JMP 00090370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!SetClipboardData 76216410 5 Bytes JMP 00090170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!EnumClipboardFormats 76216D16 5 Bytes JMP 000901B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!SetCursorPos 76216FB2 5 Bytes JMP 00090770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!GetClipboardData 7621715A 5 Bytes JMP 00090030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!GetClipboardFormatNameW 7621A99F 5 Bytes JMP 00090230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!EmptyClipboard 7623398B 5 Bytes JMP 00090130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!GetClipboardViewer 762339ED 5 Bytes JMP 00090470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] USER32.dll!GetPriorityClipboardFormat 76233AEF 5 Bytes JMP 000903B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ole32.dll!OleGetClipboard 773E74C9 5 Bytes JMP 000A00B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ole32.dll!OleSetClipboard 774111E3 5 Bytes JMP 000A0030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] ole32.dll!OleIsCurrentClipboard 7741A8F9 5 Bytes JMP 000A0070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] Secur32.dll!FreeContextBuffer 759F2D83 5 Bytes JMP 000C00F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] Secur32.dll!DeleteSecurityContext 759F2F18 5 Bytes JMP 000C0270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] Secur32.dll!FreeCredentialsHandle 759F3598 5 Bytes JMP 000C0130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] Secur32.dll!EncryptMessage 759F3745 5 Bytes JMP 000C01F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] Secur32.dll!DecryptMessage 759F3813 5 Bytes JMP 000C0230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] Secur32.dll!InitializeSecurityContextA 759F87DF 5 Bytes JMP 000C0170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] Secur32.dll!AcquireCredentialsHandleA 759F8A43 5 Bytes JMP 000C0030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] Secur32.dll!QueryContextAttributesA 759F8E77 5 Bytes JMP 000C0070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] Secur32.dll!ApplyControlToken 759FDE4F 5 Bytes JMP 000C01B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] Secur32.dll!QueryCredentialsAttributesA 759FE052 5 Bytes JMP 000C00B0

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [72DD7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [72E1B4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [72DDBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [72DCF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [72DD75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [72DCE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [72E073F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [72DDDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [72DCFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [72DCFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [72DC71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [72E5CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [72DFC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [72DCD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [72DC6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [72DC687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2248] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [72DD2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!MoveFileExW] 00010110
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetKeyState] 000907D0
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] @ C:\Windows\system32\ole32.dll [USER32.dll!GetKeyState] 000907D0
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!MoveFileExW] 00010110
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!MoveFileExW] 00010110
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetFocus] 00090790
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[5860] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetKeyState] 000907D0

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186be096b
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186be096b@001e3a1fc9af 0x66 0x50 0xEB 0xB9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186be096b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186be096b@001e3a1fc9af 0x66 0x50 0xEB 0xB9 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8843B280-A2B7-C163-A61C-166D69CB3BED}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8843B280-A2B7-C163-A61C-166D69CB3BED}@bbakkhppchpnfdocljgbjjjaklaafgdjapha 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8843B280-A2B7-C163-A61C-166D69CB3BED}@abakkhppchpnfdocljlanelakjpcobmgoa 0x61 0x61 0x00 0x00

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\AdwCleaner[R1].txt 831 bytes
File C:\AdwCleaner[R2].txt 771 bytes

---- EOF - GMER 1.0.15 ----