GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-09 18:54:34 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0003 298,09GB Running: 4jfns20z.exe; Driver: C:\Users\Artur\AppData\Local\Temp\pgtdypow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff80002ff4000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff80002ff402f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88005701d64 12 bytes {MOV RAX, 0xfffffa80066222a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2000] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000751887b1 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000779b1465 2 bytes [9B, 77] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[2000] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000779b14bb 2 bytes [9B, 77] .text ... * 2 .text C:\Windows\AsScrPro.exe[2776] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000779b1465 2 bytes [9B, 77] .text C:\Windows\AsScrPro.exe[2776] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779b14bb 2 bytes [9B, 77] .text ... * 2 .text C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe[3736] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000779b1465 2 bytes [9B, 77] .text C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe[3736] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000779b14bb 2 bytes [9B, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000779b1465 2 bytes [9B, 77] .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779b14bb 2 bytes [9B, 77] .text ... * 2 .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000779b1465 2 bytes [9B, 77] .text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779b14bb 2 bytes [9B, 77] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000779b1465 2 bytes [9B, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[3384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779b14bb 2 bytes [9B, 77] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000779b1465 2 bytes [9B, 77] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779b14bb 2 bytes [9B, 77] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759c2da4 5 bytes JMP 000000016e379ebc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000759dcbf3 5 bytes JMP 000000016e4c91b6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000759dcfca 5 bytes JMP 000000016e2d189b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 00000000759fcb0c 5 bytes JMP 000000016e4c9151 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 00000000759fce64 5 bytes JMP 000000016e4c921b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000075a0fbd1 5 bytes JMP 000000016e4c90d8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000075a0fc9d 5 bytes JMP 000000016e4c905f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075a0fcd6 5 bytes JMP 000000016e4c8ffb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075a0fcfa 5 bytes JMP 000000016e4c8f97 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076e493ec 5 bytes JMP 000000016e4c93d0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000779b1465 2 bytes [9B, 77] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779b14bb 2 bytes [9B, 77] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 0000000073a6388e 5 bytes JMP 000000016e4c9280 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073b07922 5 bytes JMP 000000016e4c9328 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000075582694 5 bytes JMP 000000016e4c95c8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4712] C:\Windows\syswow64\CRYPT32.dll!CryptImportPublicKeyInfoEx + 152 0000000076f739ca 7 bytes JMP 000000010272f630 ? C:\Windows\system32\mssprxy.dll [4712] entry point in ".rdata" section 000000006ebf71e6 ? C:\Windows\System32\NLSData0000.dll [4712] entry point in ".rdata" section 000000006de7c541 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_169_ActiveX.exe[6112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000779b1465 2 bytes [9B, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_169_ActiveX.exe[6112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779b14bb 2 bytes [9B, 77] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 0000000077a125fd 6 bytes JMP 000000016e398054 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 0000000077a22a63 6 bytes JMP 000000016e33980d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\kernel32.dll!CreateThread 00000000751834b5 5 bytes JMP 000000016e3375e3 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759b8a29 5 bytes JMP 000000016e3a03df .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000759bd22e 5 bytes JMP 000000016e343643 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759c291f 5 bytes JMP 000000016e31dda7 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759c2da4 5 bytes JMP 000000016e379ebc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000759c6285 5 bytes JMP 000000016e397ff1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759c7603 5 bytes JMP 000000016e3725b4 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 00000000759cb029 5 bytes JMP 000000016e4c9558 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 00000000759cc63e 5 bytes JMP 000000016e4c9590 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000759d50ed 5 bytes JMP 000000016e4c9c52 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 00000000759d5246 5 bytes JMP 000000016e4c94e8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!EndDialog 00000000759db99c 5 bytes JMP 000000016e4c9f26 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 00000000759dc701 5 bytes JMP 000000016e4c9c7a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000759dcbf3 5 bytes JMP 000000016e4c91b6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000759dcfca 5 bytes JMP 000000016e2d189b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759deb96 5 bytes JMP 000000016e31decd .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000759df52b 5 bytes JMP 000000016e3bed14 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!SendInput 00000000759dff4a 5 bytes JMP 000000016e4ca519 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000759e10dc 5 bytes JMP 000000016e4c9520 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000759e14b2 5 bytes JMP 000000016e4ca571 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!SetCursorPos 00000000759f9cfd 5 bytes JMP 000000016e4ca5f2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 00000000759fcb0c 5 bytes JMP 000000016e4c9151 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 00000000759fce64 5 bytes JMP 000000016e4c921b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000075a0fbd1 5 bytes JMP 000000016e4c90d8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000075a0fc9d 5 bytes JMP 000000016e4c905f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075a0fcd6 5 bytes JMP 000000016e4c8ffb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075a0fcfa 5 bytes JMP 000000016e4c8f97 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a102bf 5 bytes JMP 000000016e4ca4d6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075b46143 5 bytes JMP 000000016e4c9984 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076de3e59 5 bytes JMP 000000016e4c9a7c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076de3eae 5 bytes JMP 000000016e4c9afa .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076de4731 5 bytes JMP 000000016e4c99ee .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076de5dee 5 bytes JMP 000000016e4c9a9a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076e493ec 5 bytes JMP 000000016e4c93d0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000779b1465 2 bytes [9B, 77] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779b14bb 2 bytes [9B, 77] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 0000000073a6388e 5 bytes JMP 000000016e4c9280 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073b07922 5 bytes JMP 000000016e4c9328 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000755733a3 5 bytes JMP 000000016e4c966c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000075582694 5 bytes JMP 000000016e4c95c8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\comdlg32.dll!PrintDlgA 000000007558e8ff 5 bytes JMP 000000016e4c9738 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[8844] C:\Windows\syswow64\CRYPT32.dll!CryptImportPublicKeyInfoEx + 152 0000000076f739ca 7 bytes JMP 000000010306f630 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 0000000077a125fd 6 bytes JMP 000000016e398054 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 0000000077a22a63 6 bytes JMP 000000016e33980d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\kernel32.dll!CreateThread 00000000751834b5 5 bytes JMP 000000016e3375e3 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000759b8a29 5 bytes JMP 000000016e3a03df .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000759bd22e 5 bytes JMP 000000016e343643 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000759c291f 5 bytes JMP 000000016e31dda7 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000759c2da4 5 bytes JMP 000000016e379ebc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000759c6285 5 bytes JMP 000000016e397ff1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759c7603 5 bytes JMP 000000016e3725b4 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 00000000759cb029 5 bytes JMP 000000016e4c9558 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 00000000759cc63e 5 bytes JMP 000000016e4c9590 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000759d50ed 5 bytes JMP 000000016e4c9c52 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 00000000759d5246 5 bytes JMP 000000016e4c94e8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!EndDialog 00000000759db99c 5 bytes JMP 000000016e4c9f26 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 00000000759dc701 5 bytes JMP 000000016e4c9c7a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000759dcbf3 5 bytes JMP 000000016e4c91b6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000759dcfca 5 bytes JMP 000000016e2d189b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 00000000759deb96 5 bytes JMP 000000016e31decd .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000759df52b 5 bytes JMP 000000016e3bed14 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!SendInput 00000000759dff4a 5 bytes JMP 000000016e4ca519 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000759e10dc 5 bytes JMP 000000016e4c9520 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000759e14b2 5 bytes JMP 000000016e4ca571 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!SetCursorPos 00000000759f9cfd 5 bytes JMP 000000016e4ca5f2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 00000000759fcb0c 5 bytes JMP 000000016e4c9151 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 00000000759fce64 5 bytes JMP 000000016e4c921b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000075a0fbd1 5 bytes JMP 000000016e4c90d8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000075a0fc9d 5 bytes JMP 000000016e4c905f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000075a0fcd6 5 bytes JMP 000000016e4c8ffb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000075a0fcfa 5 bytes JMP 000000016e4c8f97 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075a102bf 5 bytes JMP 000000016e4ca4d6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075b46143 5 bytes JMP 000000016e4c9984 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076de3e59 5 bytes JMP 000000016e4c9a7c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076de3eae 5 bytes JMP 000000016e4c9afa .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076de4731 5 bytes JMP 000000016e4c99ee .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076de5dee 5 bytes JMP 000000016e4c9a9a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076e493ec 5 bytes JMP 000000016e4c93d0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000779b1465 2 bytes [9B, 77] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779b14bb 2 bytes [9B, 77] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 0000000073a6388e 5 bytes JMP 000000016e4c9280 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073b07922 5 bytes JMP 000000016e4c9328 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000755733a3 5 bytes JMP 000000016e4c966c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000075582694 5 bytes JMP 000000016e4c95c8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\comdlg32.dll!PrintDlgA 000000007558e8ff 5 bytes JMP 000000016e4c9738 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[844] C:\Windows\syswow64\CRYPT32.dll!CryptImportPublicKeyInfoEx + 152 0000000076f739ca 7 bytes JMP 000000010366f630 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff880010ae650] \SystemRoot\System32\Drivers\spus.sys [unknown section] IAT C:\Windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880010ae5dc] \SystemRoot\System32\Drivers\spus.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800107935c] \SystemRoot\System32\Drivers\spus.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001079224] \SystemRoot\System32\Drivers\spus.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001079a24] \SystemRoot\System32\Drivers\spus.sys [unknown section] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88001079ba0] \SystemRoot\System32\Drivers\spus.sys [unknown section] ---- Devices - GMER 2.1 ---- Device \Driver\JMCR \Device\Scsi\JMCR1 fffffa800686b2c0 Device \Driver\JMCR \Device\Scsi\JMCR2 fffffa800686b2c0 Device \Driver\JMCR \Device\Scsi\JMCR3 fffffa800686b2c0 Device \Driver\JMCR \Device\Scsi\JMCR4 fffffa800686b2c0 Device \FileSystem\Ntfs \Ntfs fffffa800400c2c0 Device \FileSystem\fastfat \Fat fffffa800b2342c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80066272c0 Device \Driver\cdrom \Device\CdRom0 fffffa80062d42c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80066272c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{9E50990B-28C9-49D6-8F8F-B82C3506FAE4} fffffa80065522c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1D40BFA3-221A-4490-A6C3-F9CC9B9BB2AA} fffffa80065522c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{5615034D-B199-433C-B4E8-441637DB1653} fffffa80065522c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80066272c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80040002c0 Device \Driver\volmgr \Device\FtControl fffffa80040002c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80040002c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80040002c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80040002c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{297DFC03-47D9-4E1C-A668-FBC435AA79DF} fffffa80065522c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80065522c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80066272c0 Device \Driver\JMCR \Device\ScsiPort1 fffffa800686b2c0 Device \Driver\JMCR \Device\ScsiPort2 fffffa800686b2c0 Device \Driver\JMCR \Device\ScsiPort3 fffffa800686b2c0 Device \Driver\JMCR \Device\ScsiPort4 fffffa800686b2c0 ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [4712:5448] 000000000272cf10 Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [4712:3540] 000000000272b9f0 Thread C:\Windows\SysWOW64\svchost.exe [4520:8748] 0000000070b385a0 Thread C:\Windows\SysWOW64\svchost.exe [4520:7816] 0000000070b37f90 Thread C:\Windows\SysWOW64\svchost.exe [4520:9692] 0000000070b37f50 ---- Processes - GMER 2.1 ---- Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\wininit.exe [544] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd570000 Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [896] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd570000 Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [992] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd570000 Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [396] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd570000 Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [1140] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd570000 Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1512] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd570000 Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\System32\spoolsv.exe [1608] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd570000 Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2000] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072b10000 Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\Hamachi\hamachi-2.exe [304] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd570000 Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [2204] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd570000 Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\Hamachi\hamachi-2-ui.exe [2404] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072b10000 Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSService.exe [3584] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd570000 Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [3384] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072b10000 Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [3692] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072b10000 Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [4712] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072b10000 Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [8844] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072b10000 Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [844] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072b10000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Shares@[\1c\0i\0\5\1g\0n\0i\0\31\1t\0e CSCFlags=2048?MaxUses=4294967295?Path=D:\?ci?gni?te?Permissions=0?Remark=?ShareName=?ci?gni?te?Type=0? Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1A 0x09 0x2B 0x12 ... Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Shares@[\1c\0i\0\5\1g\0n\0i\0\31\1t\0e CSCFlags=2048?MaxUses=4294967295?Path=D:\?ci?gni?te?Permissions=0?Remark=?ShareName=?ci?gni?te?Type=0? Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1A 0x09 0x2B 0x12 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files (x86)\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x22 0xF4 0x16 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xEB 0xCC 0x93 0xB4 ... ---- Files - GMER 2.1 ---- File C:\ADSM_PData_0150 0 bytes File C:\ADSM_PData_0150\DB 0 bytes File C:\ADSM_PData_0150\DB\SI.db 624 bytes File C:\ADSM_PData_0150\DB\UL.db 16 bytes File C:\ADSM_PData_0150\DB\VL.db 16 bytes File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable File C:\ADSM_PData_0150\_avt 512 bytes File C:\Program Files\Windows Defender\pl-PL\MpAsDesc.dll.mui 41472 bytes executable File C:\Program Files\Windows Defender\pl-PL\MpEvMsg.dll.mui 17920 bytes executable File C:\Program Files\Windows Defender\pl-PL\MsMpRes.dll.mui 53248 bytes executable ---- EOF - GMER 2.1 ----