GMER 2.0.18444 - http://www.gmer.net Rootkit scan 2013-01-12 13:54:07 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 SAMSUNG_HD502HJ rev.1AJ100E4 465,76GB Running: iyrwyi5m.exe; Driver: C:\Users\Quest\AppData\Local\Temp\pwddikow.sys ---- System - GMER 2.0 ---- Code 95EA8BFC ZwTraceEvent Code 95EA8BFB NtTraceEvent ---- Kernel code sections - GMER 2.0 ---- .text ntkrnlpa.exe!NtTraceEvent 82A48E34 5 Bytes JMP 95EA8C00 .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A59579 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A7DF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90C38000, 0x227A14, 0xE8000020] ---- User code sections - GMER 2.0 ---- .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1664] kernel32.dll!SetUnhandledExceptionFilter 76C03142 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[3000] ntdll.dll!wcsncmp + 33B 772AF580 7 Bytes JMP 6D63ED80 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3000] kernel32.dll!K32GetDeviceDriverBaseNameW + 16F 76BFC0CF 7 Bytes JMP 6D9854E2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3000] kernel32.dll!CloseHandle + 38 76C005EF 7 Bytes JMP 6D985505 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3000] kernel32.dll!GetExitCodeProcess + 2C 76C0313D 7 Bytes JMP 6D6553B7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3000] GDI32.dll!GetViewportOrgEx + 21C 76EA85EB 7 Bytes JMP 6D985463 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtCreateFile + 6 77294A16 4 Bytes [28, 00, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtCreateFile + B 77294A1B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtCreateKey + 6 77294A56 4 Bytes [68, 01, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtCreateKey + B 77294A5B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtCreateMutant + 6 77294A96 4 Bytes [68, 02, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtCreateMutant + B 77294A9B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtCreateSection + 6 77294B36 4 Bytes [A8, 02, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtCreateSection + B 77294B3B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtMapViewOfSection + 6 77295076 4 Bytes CALL 7629677F C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtMapViewOfSection + B 7729507B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenFile + 6 77295126 4 Bytes [68, 00, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenFile + B 7729512B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenKey + 6 77295156 4 Bytes [A8, 01, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenKey + B 7729515B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenKeyEx + 6 77295166 4 Bytes CALL 7629686C C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenKeyEx + B 7729516B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenMutant + 6 772951A6 4 Bytes [28, 02, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenMutant + B 772951AB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenProcess + 6 772951D6 1 Byte [68] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenProcess + 6 772951D6 4 Bytes [68, 03, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenProcess + B 772951DB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenProcessToken + 6 772951E6 1 Byte [A8] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenProcessToken + 6 772951E6 4 Bytes [A8, 03, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenProcessToken + B 772951EB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenProcessTokenEx + 6 772951F6 4 Bytes [68, 04, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenProcessTokenEx + B 772951FB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenSection + 6 77295216 4 Bytes CALL 7629691D C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenSection + B 7729521B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenThread + 6 77295256 1 Byte [28] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenThread + 6 77295256 4 Bytes [28, 03, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenThread + B 7729525B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenThreadToken + 6 77295266 4 Bytes [28, 04, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenThreadToken + B 7729526B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenThreadTokenEx + 6 77295276 4 Bytes [A8, 04, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtOpenThreadTokenEx + B 7729527B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtQueryAttributesFile + 6 77295386 4 Bytes [A8, 00, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtQueryAttributesFile + B 7729538B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtQueryFullAttributesFile + 6 77295436 4 Bytes CALL 76296B3B C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtQueryFullAttributesFile + B 7729543B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtSetInformationFile + 6 77295A86 4 Bytes [28, 01, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtSetInformationFile + B 77295A8B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtSetInformationThread + 6 77295AE6 1 Byte [E8] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtSetInformationThread + 6 77295AE6 4 Bytes CALL 762971EE C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtSetInformationThread + B 77295AEB 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtUnmapViewOfSection + 6 77295E06 4 Bytes [28, 05, 17, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ntdll.dll!NtUnmapViewOfSection + B 77295E0B 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] kernel32.dll!CreateProcessW 76BB202D 5 Bytes JMP 00010030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] kernel32.dll!CreateProcessA 76BB2062 5 Bytes JMP 00010070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!SelectObject 76EA61D0 5 Bytes JMP 002A05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!SetTextColor 76EA6622 5 Bytes JMP 002A0A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!SetBkMode 76EA66CD 5 Bytes JMP 002A08F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!DeleteObject 76EA68B4 5 Bytes JMP 002A01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!DeleteDC 76EA6A2C 5 Bytes JMP 002A0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!ExtSelectClipRgn 76EA6C72 5 Bytes JMP 002A02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!SelectClipRgn 76EA6D84 5 Bytes JMP 002A05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!GetDeviceCaps 76EA6E03 5 Bytes JMP 002A03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!SetStretchBltMode 76EA73CE 5 Bytes JMP 002A06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!GetCurrentObject 76EA777C 5 Bytes JMP 002A0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!GetTextMetricsW 76EA798F 5 Bytes JMP 002A0E30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!IntersectClipRect 76EA7CCA 5 Bytes JMP 002A03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!GetTextAlign 76EA7D15 5 Bytes JMP 002A0D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!SetTextAlign 76EA7F92 5 Bytes JMP 002A09F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!ExtTextOutW 76EA8053 5 Bytes JMP 002A0970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!GetClipBox 76EA81F2 5 Bytes JMP 002A0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!MoveToEx 76EA8A16 5 Bytes JMP 002A0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!CreateDCA 76EA9975 5 Bytes JMP 002A00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!RestoreDC 76EA9A10 5 Bytes JMP 002A0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!SaveDC 76EA9AD2 5 Bytes JMP 002A0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!StretchDIBits 76EAAC38 5 Bytes JMP 002A0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!GetTextFaceW 76EAB4CC 5 Bytes JMP 002A0D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!GetTextExtentPoint32W 76EAB535 5 Bytes JMP 002A0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!GetFontData 76EAB8E8 5 Bytes JMP 002A0C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!CreateDCW 76EABD21 5 Bytes JMP 002A00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!CreateICW 76EAC660 5 Bytes JMP 002A0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!LineTo 76EACA20 5 Bytes JMP 002A0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!SetWorldTransform 76EACB42 5 Bytes JMP 002A06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!GetTextMetricsA 76EACE46 5 Bytes JMP 002A0DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!Rectangle 76EAF5BE 5 Bytes JMP 002A09B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!SetICMMode 76EAF8D4 5 Bytes JMP 002A0DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!ExtTextOutA 76EB0158 5 Bytes JMP 002A0930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!GetTextExtentPoint32A 76EB08BB 5 Bytes JMP 002A0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!Escape 76EB0B0D 5 Bytes JMP 002A0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!ExtEscape 76EB3472 5 Bytes JMP 002A02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!GetTextFaceA 76EB3E49 5 Bytes JMP 002A0CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!SetPolyFillMode 76EB6CE1 5 Bytes JMP 002A0B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!SetMiterLimit 76EB6E54 5 Bytes JMP 002A0B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!ResetDCW 76EC031C 5 Bytes JMP 002A0AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!EndPage 76EC07CD 5 Bytes JMP 002A0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!GetGlyphOutlineW 76ECC292 5 Bytes JMP 002A0CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!CreateScalableFontResourceW 76ECE8EF 5 Bytes JMP 002A0BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!AddFontResourceW 76ECECEB 5 Bytes JMP 002A0BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!RemoveFontResourceW 76ECF1E1 5 Bytes JMP 002A0C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!AbortDoc 76ED4D37 5 Bytes JMP 002A0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!EndDoc 76ED517E 5 Bytes JMP 002A01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!StartPage 76ED5269 5 Bytes JMP 002A0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!StartDocW 76ED5BB6 5 Bytes JMP 002A07F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!BeginPath 76ED635D 5 Bytes JMP 002A0830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!SelectClipPath 76ED63B4 5 Bytes JMP 002A0AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!CloseFigure 76ED640F 5 Bytes JMP 002A0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!EndPath 76ED6466 5 Bytes JMP 002A0A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!StrokePath 76ED6699 5 Bytes JMP 002A07B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!FillPath 76ED6726 5 Bytes JMP 002A0870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!PolylineTo 76ED6B94 5 Bytes JMP 002A04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!PolyBezierTo 76ED6C25 5 Bytes JMP 002A04B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] GDI32.dll!PolyDraw 76ED6CD7 5 Bytes JMP 002A08B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!ActivateKeyboardLayout 76A4817D 5 Bytes JMP 002B04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!ScreenToClient 76A4C1F2 7 Bytes JMP 002B0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!RegisterClipboardFormatA 76A4E6B1 5 Bytes JMP 002B02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!RegisterClipboardFormatW 76A4EDFD 5 Bytes JMP 002B02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!SetCursor 76A552EA 5 Bytes JMP 002B0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!MonitorFromWindow 76A5590A 7 Bytes JMP 002B0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!PostMessageW 76A56225 5 Bytes JMP 002B05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!IsWindowVisible 76A56939 7 Bytes JMP 002B06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!GetClientRect 76A574B1 7 Bytes JMP 002B05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!MapWindowPoints 76A57915 5 Bytes JMP 002B0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!GetParent 76A57AB3 7 Bytes JMP 002B06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!SetClipboardData 76A64979 5 Bytes JMP 002B0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!EmptyClipboard 76A64A28 5 Bytes JMP 002B0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!GetClipboardData 76A64B47 5 Bytes JMP 002B0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!EnumClipboardFormats 76A64D98 5 Bytes JMP 002B01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!GetClipboardFormatNameW 76A67EB2 5 Bytes JMP 002B0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!SetClipboardViewer 76A68F4D 5 Bytes JMP 002B04B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!GetClipboardFormatNameA 76A68F61 5 Bytes JMP 002B0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!GetOpenClipboardWindow 76A6902F 1 Byte [E9] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!GetOpenClipboardWindow 76A6902F 5 Bytes JMP 002B03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!ChangeClipboardChain 76A73425 5 Bytes JMP 002B0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!GetTopWindow 76A73A5D 7 Bytes JMP 002B0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!CloseClipboard 76A75BA7 5 Bytes JMP 002B00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!OpenClipboard 76A75BB9 5 Bytes JMP 002B0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!IsClipboardFormatAvailable 76A75C3A 5 Bytes JMP 002B00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!GetClipboardSequenceNumber 76A75C4E 5 Bytes JMP 002B0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!GetClipboardOwner 76A75C60 5 Bytes JMP 002B0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!CountClipboardFormats 76A75DC9 5 Bytes JMP 002B01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!SetCursorPos 76A8C1D8 5 Bytes JMP 002B0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!GetClipboardViewer 76AA4B57 5 Bytes JMP 002B0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] USER32.dll!GetPriorityClipboardFormat 76AA4C59 5 Bytes JMP 002B03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ole32.dll!OleSetClipboard 76F4F1F6 5 Bytes JMP 002C0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ole32.dll!OleIsCurrentClipboard 76F52370 5 Bytes JMP 002C0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_5_502_135.exe[3144] ole32.dll!OleGetClipboard 76F7F71D 5 Bytes JMP 002C00B0 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3800] USER32.dll!GetWindowInfo 76A56A82 5 Bytes JMP 6D7FA642 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3800] USER32.dll!MenuItemFromPoint + F 76A74B36 7 Bytes JMP 6D7FAC18 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73F8250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73F82494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73F65624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73F656E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73F78573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73F74D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73F750CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73F751A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73F766D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73F782CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73F78819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73F7907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73F7E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[320] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73F74C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Registry - GMER 2.0 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6735F2A8-388C-276F-2CA7-F6A5898D655D} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6735F2A8-388C-276F-2CA7-F6A5898D655D}@ianpopinkbfpibcmpe 0x6B 0x61 0x62 0x6C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6735F2A8-388C-276F-2CA7-F6A5898D655D}@hahpabnkbehbkmjb 0x6B 0x61 0x62 0x6C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6735F2A8-388C-276F-2CA7-F6A5898D655D}@iabbgeimdcgdihccad 0x63 0x61 0x6D 0x6B ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6B6328F9-81B2-3122-E7E0-6CC39D1019E0} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6B6328F9-81B2-3122-E7E0-6CC39D1019E0}@hakkdpdbdoebhonm 0x6B 0x61 0x6D 0x66 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6B6328F9-81B2-3122-E7E0-6CC39D1019E0}@iamlfipnjcmbcfonch 0x63 0x61 0x62 0x67 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6B6328F9-81B2-3122-E7E0-6CC39D1019E0}@iaalncbiokmpnijaca 0x6B 0x61 0x6D 0x66 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6B6328F9-81B2-3122-E7E0-6CC39D1019E0}@dbmfchfjcnmmekobicdedblcoimkjccnlepkmlkf 0x68 0x61 0x66 0x69 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6B6328F9-81B2-3122-E7E0-6CC39D1019E0}@jbmfchfjcnmmekobicdegpdofopdmegbhldafblkknphcfeklikj 0x68 0x61 0x66 0x69 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6B6328F9-81B2-3122-E7E0-6CC39D1019E0}@dbmfchfjcnmmekobicdeebobjdjpcjamodfaahdk 0x62 0x61 0x6B 0x65 ... ---- EOF - GMER 2.0 ----