GMER 2.1.18952 - http://www.gmer.net Rootkit scan 2013-02-16 10:00:43 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AR1 931,51GB Running: mcd2g8cl.exe; Driver: C:\Users\NatMar\AppData\Local\Temp\awrdqpob.sys ---- User code sections - GMER 2.1 ---- .text C:\windows\SysWOW64\PnkBstrA.exe[2144] C:\windows\SysWOW64\WSOCK32.dll!setsockopt + 322 0000000071ca1a22 2 bytes [CA, 71] .text C:\windows\SysWOW64\PnkBstrA.exe[2144] C:\windows\SysWOW64\WSOCK32.dll!setsockopt + 496 0000000071ca1ad0 2 bytes [CA, 71] .text C:\windows\SysWOW64\PnkBstrA.exe[2144] C:\windows\SysWOW64\WSOCK32.dll!setsockopt + 552 0000000071ca1b08 2 bytes [CA, 71] .text C:\windows\SysWOW64\PnkBstrA.exe[2144] C:\windows\SysWOW64\WSOCK32.dll!setsockopt + 730 0000000071ca1bba 2 bytes [CA, 71] .text C:\windows\SysWOW64\PnkBstrA.exe[2144] C:\windows\SysWOW64\WSOCK32.dll!setsockopt + 762 0000000071ca1bda 2 bytes [CA, 71] .text C:\windows\SysWOW64\PnkBstrA.exe[2144] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f51465 2 bytes [F5, 74] .text C:\windows\SysWOW64\PnkBstrA.exe[2144] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f514bb 2 bytes [F5, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2840] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f51465 2 bytes [F5, 74] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2840] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f514bb 2 bytes [F5, 74] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[1516] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f51465 2 bytes [F5, 74] .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[1516] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f514bb 2 bytes [F5, 74] .text ... * 2 .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[1316] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f51465 2 bytes [F5, 74] .text C:\Program Files (x86)\Samsung\Kies\Kies.exe[1316] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f514bb 2 bytes [F5, 74] .text ... * 2 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4600] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f51465 2 bytes [F5, 74] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4600] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f514bb 2 bytes [F5, 74] .text ... * 2 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007767f991 8 bytes {MOV EDX, 0x903e8; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 15 000000007767f99b 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenKey + 5 000000007767fa0d 8 bytes {MOV EDX, 0x901a8; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenKey + 15 000000007767fa17 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtCreateKey + 5 000000007767fb25 8 bytes {MOV EDX, 0x90168; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtCreateKey + 15 000000007767fb2f 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007767fbd5 8 bytes {MOV EDX, 0x90428; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 15 000000007767fbdf 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007767fc05 8 bytes {MOV EDX, 0x90368; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 15 000000007767fc0f 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007767fc1d 8 bytes {MOV EDX, 0x90128; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 15 000000007767fc27 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007767fc35 8 bytes {MOV EDX, 0x904e8; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 15 000000007767fc3f 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007767fc65 8 bytes {MOV EDX, 0x90528; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 15 000000007767fc6f 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007767fce5 8 bytes {MOV EDX, 0x904a8; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 15 000000007767fcef 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007767fcfd 8 bytes {MOV EDX, 0x90468; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 15 000000007767fd07 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007767fd49 8 bytes {MOV EDX, 0x90068; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 15 000000007767fd53 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 5 000000007767fdad 8 bytes {MOV EDX, 0x902e8; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenSection + 15 000000007767fdb7 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007767fe41 8 bytes {MOV EDX, 0x900a8; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 15 000000007767fe4b 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 5 000000007767ff89 8 bytes {MOV EDX, 0x902a8; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtCreateSection + 15 000000007767ff93 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077680099 8 bytes {MOV EDX, 0x90028; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 15 00000000776800a3 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 5 0000000077680781 8 bytes {MOV EDX, 0x90268; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtCreateMutant + 15 000000007768078b 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 0000000077680ffd 8 bytes {MOV EDX, 0x901e8; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 15 0000000077681007 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant + 5 000000007768105d 8 bytes {MOV EDX, 0x90228; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenMutant + 15 0000000077681067 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000776810a5 8 bytes {MOV EDX, 0x903a8; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 15 00000000776810af 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007768111d 8 bytes {MOV EDX, 0x90328; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 15 0000000077681127 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077681321 8 bytes {MOV EDX, 0x900e8; JMP RDX} .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 15 000000007768132b 1 byte [90] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\kernel32.dll!CreateProcessW 0000000075ac103d 5 bytes JMP 0000000100010030 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\kernel32.dll!CreateProcessA 0000000075ac1072 5 bytes JMP 0000000100010070 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\KERNELBASE.dll!CreateEventW 00000000757a119f 5 bytes JMP 0000000100020030 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\KERNELBASE.dll!OpenEventW 00000000757a11cf 5 bytes JMP 0000000100020070 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!GetDeviceCaps 00000000758b4de0 5 bytes JMP 00000001000b03b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!SelectObject 00000000758b4f70 5 bytes JMP 00000001000b05f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!SetBkMode 00000000758b51a2 5 bytes JMP 00000001000b08f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!SetTextColor 00000000758b522d 5 bytes JMP 00000001000b0a30 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!DeleteObject 00000000758b5689 5 bytes JMP 00000001000b01b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!DeleteDC 00000000758b58b3 5 bytes JMP 00000001000b0170 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!GetCurrentObject 00000000758b6bad 5 bytes JMP 00000001000b0370 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!SaveDC 00000000758b6e05 5 bytes JMP 00000001000b0570 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!RestoreDC 00000000758b6ead 5 bytes JMP 00000001000b0530 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!SetStretchBltMode 00000000758b7180 5 bytes JMP 00000001000b06b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!StretchDIBits 00000000758b7435 5 bytes JMP 00000001000b0770 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!CreateDCA 00000000758b7bcc 5 bytes JMP 00000001000b00b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!IntersectClipRect 00000000758b7dc4 5 bytes JMP 00000001000b03f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!GetTextAlign 00000000758b7fd5 5 bytes JMP 00000001000b0d70 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!GetTextMetricsW 00000000758b82b2 5 bytes JMP 00000001000b0e30 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!SetTextAlign 00000000758b8401 5 bytes JMP 00000001000b09f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!ExtSelectClipRgn 00000000758b879f 5 bytes JMP 00000001000b02f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!SelectClipRgn 00000000758b8916 5 bytes JMP 00000001000b05b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!ExtTextOutW 00000000758b8b7a 5 bytes JMP 00000001000b0970 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!MoveToEx 00000000758b8ee6 5 bytes JMP 00000001000b0470 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!GetFontData 00000000758b9875 5 bytes JMP 00000001000b0c70 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!GetTextFaceW 00000000758b9936 5 bytes JMP 00000001000b0d30 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!Rectangle 00000000758ba53a 5 bytes JMP 00000001000b09b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!GetClipBox 00000000758baf9f 5 bytes JMP 00000001000b0330 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!LineTo 00000000758bb9e5 5 bytes JMP 00000001000b0430 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!SetICMMode 00000000758bbd55 5 bytes JMP 00000001000b0db0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!CreateICW 00000000758bc040 5 bytes JMP 00000001000b0130 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!GetTextExtentPoint32W 00000000758bc107 5 bytes JMP 00000001000b0670 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!SetWorldTransform 00000000758bc269 5 bytes JMP 00000001000b06f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!GetTextMetricsA 00000000758bd1f1 5 bytes JMP 00000001000b0df0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!GetTextExtentPoint32A 00000000758bd349 5 bytes JMP 00000001000b0630 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!ExtTextOutA 00000000758bdce4 5 bytes JMP 00000001000b0930 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!CreateDCW 00000000758be743 5 bytes JMP 00000001000b00f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!ExtEscape 00000000758c03b7 5 bytes JMP 00000001000b02b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!Escape 00000000758c1bda 5 bytes JMP 00000001000b0270 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!GetTextFaceA 00000000758c1e89 5 bytes JMP 00000001000b0cf0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!SetPolyFillMode 00000000758c4843 5 bytes JMP 00000001000b0b30 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!SetMiterLimit 00000000758c5690 5 bytes JMP 00000001000b0b70 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!EndPage 00000000758c6bde 5 bytes JMP 00000001000b0230 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!ResetDCW 00000000758ce2db 5 bytes JMP 00000001000b0ab0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!GetGlyphOutlineW 00000000758d940d 5 bytes JMP 00000001000b0cb0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!CreateScalableFontResourceW 00000000758dc621 5 bytes JMP 00000001000b0bb0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!AddFontResourceW 00000000758dd2b2 5 bytes JMP 00000001000b0bf0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!RemoveFontResourceW 00000000758dd919 5 bytes JMP 00000001000b0c30 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!AbortDoc 00000000758e3adc 5 bytes JMP 00000001000b0030 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!EndDoc 00000000758e3f29 5 bytes JMP 00000001000b01f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!StartPage 00000000758e401a 5 bytes JMP 00000001000b0730 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!StartDocW 00000000758e4c51 5 bytes JMP 00000001000b07f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!BeginPath 00000000758e53fd 5 bytes JMP 00000001000b0830 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!SelectClipPath 00000000758e5454 5 bytes JMP 00000001000b0af0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!CloseFigure 00000000758e54af 5 bytes JMP 00000001000b0070 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!EndPath 00000000758e5506 5 bytes JMP 00000001000b0a70 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!StrokePath 00000000758e573f 5 bytes JMP 00000001000b07b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!FillPath 00000000758e57d2 5 bytes JMP 00000001000b0870 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!PolylineTo 00000000758e5c44 5 bytes JMP 00000001000b04f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!PolyBezierTo 00000000758e5cd5 5 bytes JMP 00000001000b04b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\GDI32.dll!PolyDraw 00000000758e5d87 5 bytes JMP 00000001000b08b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!MapWindowPoints 0000000075698c40 5 bytes JMP 0000000100100570 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000075699ebd 5 bytes JMP 00000001001002b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!RegisterClipboardFormatA 00000000756a0afa 5 bytes JMP 00000001001002f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!GetClientRect 00000000756a0c62 7 bytes JMP 00000001001005b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!GetParent 00000000756a0f68 7 bytes JMP 00000001001006f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!IsWindowVisible 00000000756a112d 7 bytes JMP 00000001001006b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!PostMessageW 00000000756a12a5 5 bytes JMP 00000001001005f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!ScreenToClient 00000000756a227d 7 bytes JMP 0000000100100670 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!MonitorFromWindow 00000000756a3150 7 bytes JMP 0000000100100630 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!SetCursor 00000000756a41f6 5 bytes JMP 0000000100100530 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!GetClipboardFormatNameA 00000000756a68ef 5 bytes JMP 0000000100100270 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!GetClipboardFormatNameW 00000000756a77fa 5 bytes JMP 0000000100100230 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!GetTopWindow 00000000756a7887 7 bytes JMP 0000000100100730 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!IsClipboardFormatAvailable 00000000756a8676 5 bytes JMP 00000001001000f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!GetClipboardSequenceNumber 00000000756a8696 5 bytes JMP 0000000100100330 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!CloseClipboard 00000000756a8e8d 5 bytes JMP 00000001001000b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!OpenClipboard 00000000756a8ecb 5 bytes JMP 0000000100100070 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!ChangeClipboardChain 00000000756ac17b 5 bytes JMP 0000000100100430 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!EnumClipboardFormats 00000000756ac449 5 bytes JMP 00000001001001b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!GetOpenClipboardWindow 00000000756ac468 5 bytes JMP 00000001001003f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!CountClipboardFormats 00000000756ac486 5 bytes JMP 00000001001001f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!SetClipboardViewer 00000000756ac4b6 5 bytes JMP 00000001001004b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!ActivateKeyboardLayout 00000000756ad6c0 5 bytes JMP 00000001001004f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!GetClipboardOwner 00000000756ae360 5 bytes JMP 0000000100100370 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!SetClipboardData 00000000756d8e57 5 bytes JMP 0000000100100170 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!SetCursorPos 00000000756d9cfd 5 bytes JMP 0000000100100770 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!GetClipboardData 00000000756d9f1d 5 bytes JMP 0000000100100030 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!EmptyClipboard 00000000756f7cb9 5 bytes JMP 0000000100100130 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!GetClipboardViewer 00000000756f8111 5 bytes JMP 0000000100100470 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\USER32.dll!GetPriorityClipboardFormat 00000000756f832f 5 bytes JMP 00000001001003b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\SspiCli.dll!FreeContextBuffer 0000000074d59606 5 bytes JMP 00000001001100f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\SspiCli.dll!FreeCredentialsHandle 0000000074d60581 5 bytes JMP 0000000100110130 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\SspiCli.dll!DeleteSecurityContext 0000000074d60bb9 5 bytes JMP 0000000100110270 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\SspiCli.dll!ApplyControlToken 0000000074d60c2e 5 bytes JMP 00000001001101b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\SspiCli.dll!QueryContextAttributesA 0000000074d60f2e 5 bytes JMP 0000000100110070 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\SspiCli.dll!QueryCredentialsAttributesA 0000000074d61096 5 bytes JMP 00000001001100b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\SspiCli.dll!EncryptMessage 0000000074d6124e 5 bytes JMP 00000001001101f0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\SspiCli.dll!DecryptMessage 0000000074d6129d 5 bytes JMP 0000000100110230 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\SspiCli.dll!AcquireCredentialsHandleA 0000000074d61527 5 bytes JMP 0000000100110030 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\SspiCli.dll!InitializeSecurityContextA 0000000074d61590 5 bytes JMP 0000000100110170 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\ole32.dll!OleSetClipboard 0000000075d40045 5 bytes JMP 0000000100120030 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\ole32.dll!OleIsCurrentClipboard 0000000075d436b2 5 bytes JMP 0000000100120070 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\ole32.dll!OleGetClipboard 0000000075d6fdcd 5 bytes JMP 00000001001200b0 .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f51465 2 bytes [F5, 74] .text C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_149.exe[4268] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f514bb 2 bytes [F5, 74] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6048] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f51465 2 bytes [F5, 74] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6048] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f514bb 2 bytes [F5, 74] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\syswow64\USER32.dll!EnableWindow 00000000756a2da4 5 bytes JMP 0000000162fc9eb4 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000756bcbf3 5 bytes JMP 0000000163118fb6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\syswow64\USER32.dll!DialogBoxParamW 00000000756bcfca 5 bytes JMP 0000000162f21893 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\syswow64\USER32.dll!DialogBoxParamA 00000000756dcb0c 5 bytes JMP 0000000163118f51 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamA 00000000756dce64 5 bytes JMP 000000016311901b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\syswow64\USER32.dll!MessageBoxIndirectA 00000000756efbd1 5 bytes JMP 0000000163118ed8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\syswow64\USER32.dll!MessageBoxIndirectW 00000000756efc9d 5 bytes JMP 0000000163118e5f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\syswow64\USER32.dll!MessageBoxExA 00000000756efcd6 5 bytes JMP 0000000163118dfb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\syswow64\USER32.dll!MessageBoxExW 00000000756efcfa 5 bytes JMP 0000000163118d97 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000758493ec 5 bytes JMP 00000001631191d0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f51465 2 bytes [F5, 74] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f514bb 2 bytes [F5, 74] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 0000000071f0388e 5 bytes JMP 0000000163119080 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000071fa7922 5 bytes JMP 0000000163119128 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5060] C:\windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076be2694 4 bytes JMP 00000001631193c8 ? C:\windows\system32\mssprxy.dll [5060] entry point in ".rdata" section 00000000695771e6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 00000000776925fd 6 bytes JMP 0000000162fe8042 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 00000000776a2a63 6 bytes JMP 0000000162f89805 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\kernel32.dll!CreateThread 0000000075ac34b5 5 bytes JMP 0000000162f875db .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000075698a29 5 bytes JMP 0000000162ff03cf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!CreateWindowExA 000000007569d22e 5 bytes JMP 0000000162f9363b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!GetKeyState 00000000756a291f 5 bytes JMP 0000000162f6ddab .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!EnableWindow 00000000756a2da4 5 bytes JMP 0000000162fc9eb4 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!CallNextHookEx 00000000756a6285 5 bytes JMP 0000000162fe7fdf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756a7603 5 bytes JMP 0000000162fc25ac .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!CreateDialogIndirectParamA 00000000756ab029 5 bytes JMP 0000000163119358 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!CreateDialogIndirectParamW 00000000756ac63e 5 bytes JMP 0000000163119390 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!IsDialogMessage 00000000756b50ed 5 bytes JMP 0000000163119a52 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!CreateDialogParamA 00000000756b5246 5 bytes JMP 00000001631192e8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!EndDialog 00000000756bb99c 5 bytes JMP 0000000163119d26 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!IsDialogMessageW 00000000756bc701 5 bytes JMP 0000000163119a7a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000756bcbf3 5 bytes JMP 0000000163118fb6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!DialogBoxParamW 00000000756bcfca 5 bytes JMP 0000000162f21893 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756beb96 5 bytes JMP 0000000162f6ded5 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756bf52b 5 bytes JMP 000000016300ed00 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!SendInput 00000000756bff4a 5 bytes JMP 000000016311a2e9 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!CreateDialogParamW 00000000756c10dc 5 bytes JMP 0000000163119320 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!SetKeyboardState 00000000756c14b2 5 bytes JMP 000000016311a341 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!SetCursorPos 00000000756d9cfd 5 bytes JMP 000000016311a3c2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!DialogBoxParamA 00000000756dcb0c 5 bytes JMP 0000000163118f51 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamA 00000000756dce64 5 bytes JMP 000000016311901b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!MessageBoxIndirectA 00000000756efbd1 5 bytes JMP 0000000163118ed8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!MessageBoxIndirectW 00000000756efc9d 5 bytes JMP 0000000163118e5f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!MessageBoxExA 00000000756efcd6 5 bytes JMP 0000000163118dfb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!MessageBoxExW 00000000756efcfa 5 bytes JMP 0000000163118d97 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\USER32.dll!keybd_event 00000000756f02bf 5 bytes JMP 000000016311a2a6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\ole32.dll!OleLoadFromStream 0000000075ce6143 5 bytes JMP 0000000163119784 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\OLEAUT32.dll!SysFreeString 00000000757e3e59 5 bytes JMP 000000016311987c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\OLEAUT32.dll!VariantClear 00000000757e3eae 5 bytes JMP 00000001631198fa .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 00000000757e4731 5 bytes JMP 00000001631197ee .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\OLEAUT32.dll!VariantChangeType 00000000757e5dee 5 bytes JMP 000000016311989a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000758493ec 5 bytes JMP 00000001631191d0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f51465 2 bytes [F5, 74] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f514bb 2 bytes [F5, 74] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 0000000071f0388e 5 bytes JMP 0000000163119080 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000071fa7922 5 bytes JMP 0000000163119128 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\comdlg32.dll!PrintDlgW 0000000076bd33a3 4 bytes JMP 000000016311946c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076be2694 4 bytes JMP 00000001631193c8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[676] C:\windows\syswow64\comdlg32.dll!PrintDlgA 0000000076bee8ff 4 bytes JMP 0000000163119538 .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_149_ActiveX.exe[4060] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f51465 2 bytes [F5, 74] .text C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_149_ActiveX.exe[4060] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f514bb 2 bytes [F5, 74] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 00000000776925fd 6 bytes JMP 0000000162fe8042 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 00000000776a2a63 6 bytes JMP 0000000162f89805 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\kernel32.dll!CreateThread 0000000075ac34b5 5 bytes JMP 0000000162f875db .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!CreateWindowExW 0000000075698a29 5 bytes JMP 0000000162ff03cf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!CreateWindowExA 000000007569d22e 5 bytes JMP 0000000162f9363b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!GetKeyState 00000000756a291f 5 bytes JMP 0000000162f6ddab .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!EnableWindow 00000000756a2da4 5 bytes JMP 0000000162fc9eb4 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!CallNextHookEx 00000000756a6285 5 bytes JMP 0000000162fe7fdf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 00000000756a7603 5 bytes JMP 0000000162fc25ac .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!CreateDialogIndirectParamA 00000000756ab029 5 bytes JMP 0000000163119358 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!CreateDialogIndirectParamW 00000000756ac63e 5 bytes JMP 0000000163119390 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!IsDialogMessage 00000000756b50ed 5 bytes JMP 0000000163119a52 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!CreateDialogParamA 00000000756b5246 5 bytes JMP 00000001631192e8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!EndDialog 00000000756bb99c 5 bytes JMP 0000000163119d26 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!IsDialogMessageW 00000000756bc701 5 bytes JMP 0000000163119a7a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000756bcbf3 5 bytes JMP 0000000163118fb6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!DialogBoxParamW 00000000756bcfca 5 bytes JMP 0000000162f21893 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!GetAsyncKeyState 00000000756beb96 5 bytes JMP 0000000162f6ded5 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000756bf52b 5 bytes JMP 000000016300ed00 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!SendInput 00000000756bff4a 5 bytes JMP 000000016311a2e9 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!CreateDialogParamW 00000000756c10dc 5 bytes JMP 0000000163119320 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!SetKeyboardState 00000000756c14b2 5 bytes JMP 000000016311a341 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!SetCursorPos 00000000756d9cfd 5 bytes JMP 000000016311a3c2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!DialogBoxParamA 00000000756dcb0c 5 bytes JMP 0000000163118f51 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamA 00000000756dce64 5 bytes JMP 000000016311901b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!MessageBoxIndirectA 00000000756efbd1 5 bytes JMP 0000000163118ed8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!MessageBoxIndirectW 00000000756efc9d 5 bytes JMP 0000000163118e5f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!MessageBoxExA 00000000756efcd6 5 bytes JMP 0000000163118dfb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!MessageBoxExW 00000000756efcfa 5 bytes JMP 0000000163118d97 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\USER32.dll!keybd_event 00000000756f02bf 5 bytes JMP 000000016311a2a6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\ole32.dll!OleLoadFromStream 0000000075ce6143 5 bytes JMP 0000000163119784 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\OLEAUT32.dll!SysFreeString 00000000757e3e59 5 bytes JMP 000000016311987c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\OLEAUT32.dll!VariantClear 00000000757e3eae 5 bytes JMP 00000001631198fa .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 00000000757e4731 5 bytes JMP 00000001631197ee .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\OLEAUT32.dll!VariantChangeType 00000000757e5dee 5 bytes JMP 000000016311989a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000758493ec 5 bytes JMP 00000001631191d0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f51465 2 bytes [F5, 74] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f514bb 2 bytes [F5, 74] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 0000000071f0388e 5 bytes JMP 0000000163119080 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000071fa7922 5 bytes JMP 0000000163119128 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\comdlg32.dll!PrintDlgW 0000000076bd33a3 4 bytes JMP 000000016311946c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076be2694 4 bytes JMP 00000001631193c8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3968] C:\windows\syswow64\comdlg32.dll!PrintDlgA 0000000076bee8ff 4 bytes JMP 0000000163119538 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations (null) Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b80305268139 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b80305268139@98f537734e02 0x50 0x0A 0xB0 0xAE ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca971076042 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca9710777da Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 2072 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b80305268139 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b80305268139@98f537734e02 0x50 0x0A 0xB0 0xAE ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca971076042 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca9710777da (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----