GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-10 18:22:22
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0003 298,09GB
Running: 4jfns20z.exe; Driver: C:\Users\Artur\AppData\Local\Temp\pgtdypow.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff80002fa4000 45 bytes [00, 00, 00, 00, 00, 00, 00, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff80002fa402f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1244] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000761787b1 4 bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1244] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075bb1465 2 bytes [BB, 75]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1244] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075bb14bb 2 bytes [BB, 75]
.text ... * 2
.text C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe[3632] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075bb1465 2 bytes [BB, 75]
.text C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe[3632] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000075bb14bb 2 bytes [BB, 75]
.text ... * 2
.text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bb1465 2 bytes [BB, 75]
.text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bb14bb 2 bytes [BB, 75]
.text ... * 2
.text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bb1465 2 bytes [BB, 75]
.text C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bb14bb 2 bytes [BB, 75]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ff2da4 5 bytes JMP 000000016e789ebc
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007600cbf3 5 bytes JMP 000000016e8d91b6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007600cfca 5 bytes JMP 000000016e6e189b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007602cb0c 5 bytes JMP 000000016e8d9151
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007602ce64 5 bytes JMP 000000016e8d921b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007603fbd1 5 bytes JMP 000000016e8d90d8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007603fc9d 5 bytes JMP 000000016e8d905f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007603fcd6 5 bytes JMP 000000016e8d8ffb
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007603fcfa 5 bytes JMP 000000016e8d8f97
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000768c93ec 5 bytes JMP 000000016e8d93d0
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bb1465 2 bytes [BB, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bb14bb 2 bytes [BB, 75]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000007336388e 5 bytes JMP 000000016e8d9280
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073407922 5 bytes JMP 000000016e8d9328
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 00000000760f2694 5 bytes JMP 000000016e8d95c8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4192] C:\Windows\syswow64\CRYPT32.dll!CryptImportPublicKeyInfoEx + 152 0000000074c239ca 7 bytes JMP 000000010280f630
? C:\Windows\system32\mssprxy.dll [4192] entry point in ".rdata" section 00000000747971e6
? C:\Windows\System32\NLSData0000.dll [4192] entry point in ".rdata" section 000000006a72c541
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 00000000773125fd 6 bytes JMP 000000016e7a8054
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 0000000077322a63 6 bytes JMP 000000016e74980d
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\kernel32.dll!CreateThread 00000000761734b5 5 bytes JMP 000000016e7475e3
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075fe8a29 5 bytes JMP 000000016e7b03df
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075fed22e 5 bytes JMP 000000016e753643
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ff291f 5 bytes JMP 000000016e72dda7
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ff2da4 5 bytes JMP 000000016e789ebc
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075ff6285 5 bytes JMP 000000016e7a7ff1
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ff7603 5 bytes JMP 000000016e7825b4
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 0000000075ffb029 5 bytes JMP 000000016e8d9558
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 0000000075ffc63e 5 bytes JMP 000000016e8d9590
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000760050ed 5 bytes JMP 000000016e8d9c52
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 0000000076005246 5 bytes JMP 000000016e8d94e8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!EndDialog 000000007600b99c 5 bytes JMP 000000016e8d9f26
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 000000007600c701 5 bytes JMP 000000016e8d9c7a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007600cbf3 5 bytes JMP 000000016e8d91b6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007600cfca 5 bytes JMP 000000016e6e189b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007600eb96 5 bytes JMP 000000016e72decd
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007600f52b 5 bytes JMP 000000016e7ced14
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!SendInput 000000007600ff4a 5 bytes JMP 000000016e8da519
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000760110dc 5 bytes JMP 000000016e8d9520
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000760114b2 5 bytes JMP 000000016e8da571
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000076029cfd 3 bytes JMP 000000016e8da5f2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!SetCursorPos + 4 0000000076029d01 1 byte [F8]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007602cb0c 5 bytes JMP 000000016e8d9151
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007602ce64 5 bytes JMP 000000016e8d921b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007603fbd1 5 bytes JMP 000000016e8d90d8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007603fc9d 5 bytes JMP 000000016e8d905f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007603fcd6 5 bytes JMP 000000016e8d8ffb
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007603fcfa 5 bytes JMP 000000016e8d8f97
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!keybd_event 00000000760402bf 5 bytes JMP 000000016e8da4d6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076546143 5 bytes JMP 000000016e8d9984
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076863e59 5 bytes JMP 000000016e8d9a7c
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076863eae 5 bytes JMP 000000016e8d9afa
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076864731 5 bytes JMP 000000016e8d99ee
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076865dee 5 bytes JMP 000000016e8d9a9a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000768c93ec 5 bytes JMP 000000016e8d93d0
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bb1465 2 bytes [BB, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bb14bb 2 bytes [BB, 75]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000007336388e 5 bytes JMP 000000016e8d9280
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073407922 5 bytes JMP 000000016e8d9328
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000760e33a3 5 bytes JMP 000000016e8d966c
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 00000000760f2694 5 bytes JMP 000000016e8d95c8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\comdlg32.dll!PrintDlgA 00000000760fe8ff 5 bytes JMP 000000016e8d9738
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\CRYPT32.dll!CryptImportPublicKeyInfoEx + 152 0000000074c239ca 7 bytes JMP 000000010310f630
.text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_169_ActiveX.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bb1465 2 bytes [BB, 75]
.text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_7_700_169_ActiveX.exe[4492] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bb14bb 2 bytes [BB, 75]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 00000000773125fd 6 bytes JMP 000000016e7a8054
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 0000000077322a63 6 bytes JMP 000000016e74980d
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\kernel32.dll!CreateThread 00000000761734b5 5 bytes JMP 000000016e7475e3
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000075fe8a29 5 bytes JMP 000000016e7b03df
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000075fed22e 5 bytes JMP 000000016e753643
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ff291f 5 bytes JMP 000000016e72dda7
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ff2da4 5 bytes JMP 000000016e789ebc
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000075ff6285 5 bytes JMP 000000016e7a7ff1
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ff7603 5 bytes JMP 000000016e7825b4
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 0000000075ffb029 5 bytes JMP 000000016e8d9558
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 0000000075ffc63e 5 bytes JMP 000000016e8d9590
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000760050ed 5 bytes JMP 000000016e8d9c52
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 0000000076005246 5 bytes JMP 000000016e8d94e8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!EndDialog 000000007600b99c 5 bytes JMP 000000016e8d9f26
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 000000007600c701 5 bytes JMP 000000016e8d9c7a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007600cbf3 5 bytes JMP 000000016e8d91b6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007600cfca 5 bytes JMP 000000016e6e189b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007600eb96 5 bytes JMP 000000016e72decd
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007600f52b 5 bytes JMP 000000016e7ced14
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!SendInput 000000007600ff4a 5 bytes JMP 000000016e8da519
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000760110dc 5 bytes JMP 000000016e8d9520
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000760114b2 5 bytes JMP 000000016e8da571
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000076029cfd 3 bytes JMP 000000016e8da5f2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!SetCursorPos + 4 0000000076029d01 1 byte [F8]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007602cb0c 5 bytes JMP 000000016e8d9151
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007602ce64 5 bytes JMP 000000016e8d921b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007603fbd1 5 bytes JMP 000000016e8d90d8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007603fc9d 5 bytes JMP 000000016e8d905f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007603fcd6 5 bytes JMP 000000016e8d8ffb
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007603fcfa 5 bytes JMP 000000016e8d8f97
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!keybd_event 00000000760402bf 5 bytes JMP 000000016e8da4d6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076546143 5 bytes JMP 000000016e8d9984
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076863e59 5 bytes JMP 000000016e8d9a7c
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076863eae 5 bytes JMP 000000016e8d9afa
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076864731 5 bytes JMP 000000016e8d99ee
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076865dee 5 bytes JMP 000000016e8d9a9a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000768c93ec 5 bytes JMP 000000016e8d93d0
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bb1465 2 bytes [BB, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bb14bb 2 bytes [BB, 75]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000007336388e 5 bytes JMP 000000016e8d9280
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073407922 5 bytes JMP 000000016e8d9328
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000760e33a3 5 bytes JMP 000000016e8d966c
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 00000000760f2694 5 bytes JMP 000000016e8d95c8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\comdlg32.dll!PrintDlgA 00000000760fe8ff 5 bytes JMP 000000016e8d9738
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\WINTRUST.dll!WinVerifyTrust 0000000075be2674 2 bytes {JMP 0xfffffffffffffffb}
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\CRYPT32.dll!CryptImportPublicKeyInfoEx + 152 0000000074c239ca 7 bytes JMP 000000010650f630

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\spoolsv.exe [1624:3960] 000007fefb1d10c8
Thread C:\Windows\System32\spoolsv.exe [1624:3992] 000007fef3596144
Thread C:\Windows\System32\spoolsv.exe [1624:3996] 000007fef3385fd0
Thread C:\Windows\System32\spoolsv.exe [1624:4000] 000007fef7243438
Thread C:\Windows\System32\spoolsv.exe [1624:4004] 000007fef33863ec
Thread C:\Windows\System32\spoolsv.exe [1624:4016] 000007fefb205e5c
Thread C:\Windows\System32\spoolsv.exe [1624:4028] 000007fefb215074
Thread C:\Windows\system32\svchost.exe [2388:4104] 000007fef1f8f130
Thread C:\Windows\system32\svchost.exe [2388:4120] 000007fef1f84734
Thread C:\Windows\system32\svchost.exe [2388:1348] 000007fef1f84734
Thread C:\Windows\system32\svchost.exe [2388:3416] 000007fef8c35124
Thread [2508:2748] 0000000077333e45
Thread [2508:2860] 0000000075bc7587
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3472:3364] 000007fefba22a7c
Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [4192:4248] 000000000280cf10
Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [4192:4264] 000000000280b9f0
Thread C:\Windows\SysWOW64\svchost.exe [3264:3896] 00000000746385a0
Thread C:\Windows\SysWOW64\svchost.exe [3264:4624] 0000000074637f90
Thread C:\Windows\SysWOW64\svchost.exe [3264:4736] 0000000074637f50

---- Processes - GMER 2.1 ----

Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [988] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd1f0000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [376] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd1f0000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [1120] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd1f0000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1540] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd1f0000
Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [1244] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072420000
Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\Hamachi\hamachi-2-ui.exe [2212] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072420000
Library \\.\globalroot\systemroot\system32\mswsock.dll (*** suspicious ***) @ C:\Windows\system32\svchost.exe [2388] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:19) 000007fefd1f0000
Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [4192] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072420000
Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [4252] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072420000
Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [3656] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072420000
Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2864] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072420000
Library \\.\globalroot\systemroot\syswow64\mswsock.dll (*** suspicious ***) @ C:\Program Files (x86)\Internet Explorer\iexplore.exe [4740] (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation SIGNED)(2011-07-02 13:59:02) 0000000072420000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Shares@[\1c\0i\0\5\1g\0n\0i\0\31\1t\0e CSCFlags=2048?MaxUses=4294967295?Path=D:\?ci?gni?te?Permissions=0?Remark=?ShareName=?ci?gni?te?Type=0?
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1A 0x09 0x2B 0x12 ...
Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Shares@[\1c\0i\0\5\1g\0n\0i\0\31\1t\0e CSCFlags=2048?MaxUses=4294967295?Path=D:\?ci?gni?te?Permissions=0?Remark=?ShareName=?ci?gni?te?Type=0?
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1A 0x09 0x2B 0x12 ...

---- Files - GMER 2.1 ----

File C:\ADSM_PData_0150 0 bytes
File C:\ADSM_PData_0150\DB 0 bytes
File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DB\UL.db 16 bytes
File C:\ADSM_PData_0150\DB\VL.db 16 bytes
File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
File C:\ADSM_PData_0150\_avt 512 bytes
File C:\Program Files\Windows Defender\pl-PL\MpAsDesc.dll.mui 41472 bytes executable
File C:\Program Files\Windows Defender\pl-PL\MpEvMsg.dll.mui 17920 bytes executable
File C:\Program Files\Windows Defender\pl-PL\MsMpRes.dll.mui 53248 bytes executable
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\errorPageStrings[2] 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\ErrorPageTemplate[1] 2168 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\bullet[2] 447 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\httpErrorPagesScripts[1] 5573 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\FN3KZE3S.txt 0 bytes
File C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\5N4T3L29.txt 0 bytes

---- EOF - GMER 2.1 ----
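Added example, not part of the GMER log above and not GMER's own code: a small Python parser for the "User code sections" entries GMER prints, run over a handful of lines copied from this log (the SAMPLE_LOG string is a constructed excerpt). It separates absolute JMP detours from raw byte patches and from the relative `{JMP ...}` form, tallies hooks per process, and reports APIs whose detour target differs between processes. The `Hook`, `parse_hooks`, `summarize_by_process` and `divergent_targets` names are the example's own; the "same target = same mapped DLL, different target = per-process allocation" reading is a triage heuristic, not a verdict on any entry in this log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied verbatim from the GMER log above, plus the
# ".text ... * 2" continuation marker GMER emits for repeated entries.
SAMPLE_LOG = r"""
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1244] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000761787b1 4 bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1244] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000075bb1465 2 bytes [BB, 75]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007600eb96 5 bytes JMP 000000016e72decd
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007600eb96 5 bytes JMP 000000016e72decd
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4252] C:\Windows\syswow64\CRYPT32.dll!CryptImportPublicKeyInfoEx + 152 0000000074c239ca 7 bytes JMP 000000010310f630
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\CRYPT32.dll!CryptImportPublicKeyInfoEx + 152 0000000074c239ca 7 bytes JMP 000000010650f630
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4740] C:\Windows\syswow64\WINTRUST.dll!WinVerifyTrust 0000000075be2674 2 bytes {JMP 0xfffffffffffffffb}
"""

# One ".text <process>[pid] <module>!<func>[ + off] <addr> <n> byte(s) <rest>" entry.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<func>\S+)(?: \+ (?P<off>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<size>\d+) bytes?\s+(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Hook:
    proc: str      # image basename, e.g. iexplore.exe
    pid: int
    module: str    # hooked DLL basename, case as GMER printed it
    func: str
    offset: int    # bytes into the function; 0 means the prologue itself
    addr: int      # address of the modified bytes
    size: int
    kind: str      # "jmp" (absolute target), "rel_jmp" (signed displacement), "patch" (raw bytes), "other"
    value: object  # int target / int displacement / bytes / raw text

    @property
    def api(self) -> str:
        s = f"{self.module}!{self.func}"
        return f"{s} + {self.offset}" if self.offset else s


def classify(rest: str):
    """Decode the trailing column of a GMER entry into (kind, value)."""
    m = re.fullmatch(r"JMP ([0-9a-fA-F]{16})", rest)
    if m:
        return "jmp", int(m.group(1), 16)
    m = re.fullmatch(r"\{JMP (0x[0-9a-fA-F]+)\}", rest)
    if m:  # GMER prints the displacement as an unsigned 64-bit value; re-sign it
        v = int(m.group(1), 16)
        return "rel_jmp", v - (1 << 64) if v >= (1 << 63) else v
    m = re.fullmatch(r"\[([0-9A-Fa-f]{2}(?:, [0-9A-Fa-f]{2})*)\]", rest)
    if m:
        return "patch", bytes(int(b, 16) for b in m.group(1).split(", "))
    return "other", rest


def parse_hooks(text: str) -> list[Hook]:
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if not m:  # headers, ".text ... * 2" markers and "?" entry-point lines are skipped
            continue
        kind, value = classify(m.group("rest"))
        hooks.append(Hook(
            proc=m.group("proc").rsplit("\\", 1)[-1],
            pid=int(m.group("pid")),
            module=m.group("module").rsplit("\\", 1)[-1],
            func=m.group("func"),
            offset=int(m.group("off") or 0),
            addr=int(m.group("addr"), 16),
            size=int(m.group("size")),
            kind=kind,
            value=value,
        ))
    return hooks


def summarize_by_process(hooks: list[Hook]) -> dict:
    """(image, pid) -> {kind: count}; a quick view of which processes carry detours."""
    out = defaultdict(lambda: defaultdict(int))
    for h in hooks:
        out[(h.proc, h.pid)][h.kind] += 1
    return {k: dict(v) for k, v in out.items()}


def cross_process_targets(hooks: list[Hook]) -> dict:
    """api -> {pid: jmp_target} for APIs detoured in more than one process."""
    targets = defaultdict(dict)
    for h in hooks:
        if h.kind == "jmp":
            targets[h.api][h.pid] = h.value
    return {api: t for api, t in targets.items() if len(t) > 1}


def divergent_targets(hooks: list[Hook]) -> dict:
    """APIs whose detour target differs between processes. Identical targets are what a
    hooking DLL mapped at the same base everywhere produces; per-process targets point
    at memory allocated separately in each process. Heuristic only: worth a closer look,
    not proof of anything on its own."""
    return {api: t for api, t in cross_process_targets(hooks).items()
            if len(set(t.values())) > 1}


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for key, counts in summarize_by_process(hooks).items():
        print(f"{key[0]}[{key[1]}]: {counts}")
    for api, t in divergent_targets(hooks).items():
        print("per-process target:", api, {pid: hex(v) for pid, v in t.items()})
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the entry-point (`?`) and continuation (`.text ... * 2`) lines are deliberately ignored, so the per-process counts are of distinct hooked APIs, not of the repeats GMER collapses.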