GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-14 19:49:56
Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0003SDM1 465,76GB
Running: qxtd4zz7.exe; Driver: C:\Users\Iwonka\AppData\Local\Temp\awrdypow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwAlpcConnectPort [0x8FEE3BBA]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwAlpcCreatePort [0x8FEE448A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwConnectPort [0x8FEE3610]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateFile [0x8FEDCE42]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateKey [0x8FEFE760]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreatePort [0x8FEE411A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateProcess [0x8FEF85AE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateProcessEx [0x8FEF89D6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateSection [0x8FF02EE0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateUserProcess [0x8FEF8E4A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateWaitablePort [0x8FEE4278]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwDeleteFile [0x8FEDDB7E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwDeleteKey [0x8FF00212]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwDeleteValueKey [0x8FEFFB06]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwDuplicateObject [0x8FEF738E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwLoadKey [0x8FF00BE0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwLoadKey2 [0x8FF00E1E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwLoadKeyEx [0x8FF012D0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwOpenFile [0x8FEDD730]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwOpenProcess [0x8FEFAAD4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwOpenThread [0x8FEFA6C2]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwRenameKey [0x8FF01CB8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwReplaceKey [0x8FF0159A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwRequestWaitReplyPort [0x8FEE31A4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwRestoreKey [0x8FF0271E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSecureConnectPort [0x8FEE38DC]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSetInformationFile [0x8FEDDF8A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSetSecurityObject [0x8FF02242]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSetValueKey [0x8FEFF226]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSystemDebugControl [0x8FEF96D4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwTerminateProcess [0x8FEF9404]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C82579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CA6F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82CAE748 8 Bytes [BA, 3B, EE, 8F, 8A, 44, EE, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 2DC 82CAE7DC 4 Bytes [10, 36, EE, 8F]
.text ntkrnlpa.exe!RtlSidHashLookup + 2F8 82CAE7F8 4 Bytes [42, CE, ED, 8F]
.text ntkrnlpa.exe!RtlSidHashLookup + 308 82CAE808 4 Bytes [60, E7, EF, 8F]
.text ntkrnlpa.exe!RtlSidHashLookup + 324 82CAE824 1 Byte [1A]
.text ...
.sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x8AF99346]
.text C:\Windows\system32\DRIVERS\atipmdag.sys section is writeable [0x90A2E000, 0x2D2B8A, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1576] ntdll.dll!wcsncmp + 33B 76F6F580 7 Bytes JMP 6483EEB0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1576] kernel32.dll!K32GetDeviceDriverBaseNameW + 16F 7697C0CF 7 Bytes JMP 64E49778 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1576] kernel32.dll!CloseHandle + 38 769805EF 7 Bytes JMP 64E4979B C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1576] kernel32.dll!GetExitCodeProcess + 2C 7698313D 7 Bytes JMP 64844CE9 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1576] GDI32.dll!GetViewportOrgEx + 21C 766885EB 7 Bytes JMP 64E496F9 C:\Program Files\Mozilla Firefox\xul.dll
ÒuÛŠëÔÿÿÿÿwinlogonentry point in "ÒuÛŠëÔÿÿÿÿwinlogonentry point in "" section [0x0042F485] C:\Users\Iwonka\AppData\Local\winlogon.exe[2296] C:\Users\Iwonka\AppData\Local\winlogon.exe entry point in "ÒuÛŠëÔÿÿÿÿwinlogonentry point in "" section [0x0042F485]
ÒuÛŠëÔÿÿÿÿwinlogonunknown last code section [0x00425000, 0x19000, 0xC00000E0] C:\Users\Iwonka\AppData\Local\winlogon.exe[2296] C:\Users\Iwonka\AppData\Local\winlogon.exe unknown last code section [0x00425000, 0x19000, 0xC00000E0]
ÒuÛŠëÔÿÿÿÿservicesentry point in "ÒuÛŠëÔÿÿÿÿservicesentry point in "" section [0x0042F485] C:\Users\Iwonka\AppData\Local\services.exe[2808] C:\Users\Iwonka\AppData\Local\services.exe entry point in "ÒuÛŠëÔÿÿÿÿservicesentry point in "" section [0x0042F485]
ÒuÛŠëÔÿÿÿÿservicesunknown last code section [0x00425000, 0x19000, 0xC00000E0] C:\Users\Iwonka\AppData\Local\services.exe[2808] C:\Users\Iwonka\AppData\Local\services.exe unknown last code section [0x00425000, 0x19000, 0xC00000E0]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3820] USER32.dll!GetWindowInfo 76BF6A82 5 Bytes JMP 64D72A67 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3820] USER32.dll!MenuItemFromPoint + F 76C14B36 7 Bytes JMP 64D7306A C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtCreateFile + 6 76F54A16 4 Bytes [28, 10, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtCreateFile + B 76F54A1B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtCreateKey + 6 76F54A56 4 Bytes [68, 11, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtCreateKey + B 76F54A5B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtCreateMutant + 6 76F54A96 4 Bytes [68, 12, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtCreateMutant + B 76F54A9B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtCreateSection + 6 76F54B36 4 Bytes [A8, 12, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtCreateSection + B 76F54B3B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtMapViewOfSection + 6 76F55076 4 Bytes CALL 75F5578F C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtMapViewOfSection + B 76F5507B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenFile + 6 76F55126 4 Bytes [68, 10, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenFile + B 76F5512B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenKey + 6 76F55156 4 Bytes [A8, 11, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenKey + B 76F5515B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenKeyEx + 6 76F55166 4 Bytes CALL 75F5587C C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenKeyEx + B 76F5516B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenMutant + 6 76F551A6 4 Bytes [28, 12, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenMutant + B 76F551AB 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenProcess + 6 76F551D6 4 Bytes [68, 13, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenProcess + B 76F551DB 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenProcessToken + 6 76F551E6 4 Bytes [A8, 13, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenProcessToken + B 76F551EB 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenProcessTokenEx + 6 76F551F6 4 Bytes [68, 14, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenProcessTokenEx + B 76F551FB 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenSection + 6 76F55216 4 Bytes CALL 75F5592D C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenSection + B 76F5521B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenThread + 6 76F55256 4 Bytes [28, 13, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenThread + B 76F5525B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenThreadToken + 6 76F55266 4 Bytes [28, 14, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenThreadToken + B 76F5526B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenThreadTokenEx + 6 76F55276 4 Bytes [A8, 14, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtOpenThreadTokenEx + B 76F5527B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtQueryAttributesFile + 6 76F55386 4 Bytes [A8, 10, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtQueryAttributesFile + B 76F5538B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtQueryFullAttributesFile + 6 76F55436 4 Bytes CALL 75F55B4B C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtQueryFullAttributesFile + B 76F5543B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtSetInformationFile + 6 76F55A86 4 Bytes [28, 11, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtSetInformationFile + B 76F55A8B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtSetInformationThread + 6 76F55AE6 4 Bytes CALL 75F561FE C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtSetInformationThread + B 76F55AEB 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtUnmapViewOfSection + 6 76F55E06 4 Bytes [28, 15, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ntdll.dll!NtUnmapViewOfSection + B 76F55E0B 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] kernel32.dll!CreateProcessW 7693202D 5 Bytes JMP 00080030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] kernel32.dll!CreateProcessA 76932062 5 Bytes JMP 00080070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!SelectObject 766861D0 5 Bytes JMP 000C05F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!SetTextColor 76686622 5 Bytes JMP 000C0A30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!SetBkMode 766866CD 5 Bytes JMP 000C08F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!DeleteObject 766868B4 5 Bytes JMP 000C01B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!DeleteDC 76686A2C 5 Bytes JMP 000C0170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!ExtSelectClipRgn 76686C72 5 Bytes JMP 000C02F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!SelectClipRgn 76686D84 5 Bytes JMP 000C05B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!GetDeviceCaps 76686E03 5 Bytes JMP 000C03B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!SetStretchBltMode 766873CE 5 Bytes JMP 000C06B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!GetCurrentObject 7668777C 5 Bytes JMP 000C0370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!GetTextMetricsW 7668798F 5 Bytes JMP 000C0E30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!IntersectClipRect 76687CCA 5 Bytes JMP 000C03F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!GetTextAlign 76687D15 5 Bytes JMP 000C0D70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!SetTextAlign 76687F92 5 Bytes JMP 000C09F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!ExtTextOutW 76688053 5 Bytes JMP 000C0970
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!GetClipBox 766881F2 5 Bytes JMP 000C0330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!MoveToEx 76688A16 5 Bytes JMP 000C0470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!CreateDCA 76689975 5 Bytes JMP 000C00B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!RestoreDC 76689A10 5 Bytes JMP 000C0530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!SaveDC 76689AD2 5 Bytes JMP 000C0570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!StretchDIBits 7668AC38 5 Bytes JMP 000C0770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!GetTextFaceW 7668B4CC 5 Bytes JMP 000C0D30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!GetTextExtentPoint32W 7668B535 5 Bytes JMP 000C0670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!GetFontData 7668B8E8 5 Bytes JMP 000C0C70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!CreateDCW 7668BD21 5 Bytes JMP 000C00F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!CreateICW 7668C660 5 Bytes JMP 000C0130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!LineTo 7668CA20 5 Bytes JMP 000C0430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!SetWorldTransform 7668CB42 5 Bytes JMP 000C06F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!GetTextMetricsA 7668CE46 5 Bytes JMP 000C0DF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!Rectangle 7668F5BE 5 Bytes JMP 000C09B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!SetICMMode 7668F8D4 5 Bytes JMP 000C0DB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!ExtTextOutA 76690158 5 Bytes JMP 000C0930
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!GetTextExtentPoint32A 766908BB 5 Bytes JMP 000C0630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!Escape 76690B0D 5 Bytes JMP 000C0270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!ExtEscape 76693472 5 Bytes JMP 000C02B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!GetTextFaceA 76693E49 5 Bytes JMP 000C0CF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!SetPolyFillMode 76696CE1 5 Bytes JMP 000C0B30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!SetMiterLimit 76696E54 5 Bytes JMP 000C0B70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!ResetDCW 766A031C 5 Bytes JMP 000C0AB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!EndPage 766A07CD 5 Bytes JMP 000C0230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!GetGlyphOutlineW 766AC292 5 Bytes JMP 000C0CB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!CreateScalableFontResourceW 766AE8EF 5 Bytes JMP 000C0BB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!AddFontResourceW 766AECEB 5 Bytes JMP 000C0BF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!RemoveFontResourceW 766AF1E1 5 Bytes JMP 000C0C30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!AbortDoc 766B4D37 5 Bytes JMP 000C0030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!EndDoc 766B517E 5 Bytes JMP 000C01F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!StartPage 766B5269 5 Bytes JMP 000C0730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!StartDocW 766B5BB6 5 Bytes JMP 000C07F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!BeginPath 766B635D 5 Bytes JMP 000C0830
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!SelectClipPath 766B63B4 5 Bytes JMP 000C0AF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!CloseFigure 766B640F 5 Bytes JMP 000C0070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!EndPath 766B6466 5 Bytes JMP 000C0A70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!StrokePath 766B6699 5 Bytes JMP 000C07B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!FillPath 766B6726 5 Bytes JMP 000C0870
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!PolylineTo 766B6B94 5 Bytes JMP 000C04F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!PolyBezierTo 766B6C25 5 Bytes JMP 000C04B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] GDI32.dll!PolyDraw 766B6CD7 5 Bytes JMP 000C08B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!ActivateKeyboardLayout 76BE817D 5 Bytes JMP 000D04F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!ScreenToClient 76BEC1F2 7 Bytes JMP 000D0670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!RegisterClipboardFormatA 76BEE6B1 5 Bytes JMP 000D02F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!RegisterClipboardFormatW 76BEEDFD 5 Bytes JMP 000D02B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!SetCursor 76BF52EA 5 Bytes JMP 000D0530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!MonitorFromWindow 76BF590A 7 Bytes JMP 000D0630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!PostMessageW 76BF6225 5 Bytes JMP 000D05F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!IsWindowVisible 76BF6939 7 Bytes JMP 000D06B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!GetClientRect 76BF74B1 7 Bytes JMP 000D05B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!MapWindowPoints 76BF7915 5 Bytes JMP 000D0570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!GetParent 76BF7AB3 7 Bytes JMP 000D06F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!SetClipboardData 76C04979 5 Bytes JMP 000D0170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!EmptyClipboard 76C04A28 5 Bytes JMP 000D0130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!GetClipboardData 76C04B47 5 Bytes JMP 000D0030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!EnumClipboardFormats 76C04D98 5 Bytes JMP 000D01B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!GetClipboardFormatNameW 76C07EB2 5 Bytes JMP 000D0230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!SetClipboardViewer 76C08F4D 5 Bytes JMP 000D04B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!GetClipboardFormatNameA 76C08F61 5 Bytes JMP 000D0270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!GetOpenClipboardWindow 76C0902F 1 Byte [E9]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!GetOpenClipboardWindow 76C0902F 5 Bytes JMP 000D03F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!ChangeClipboardChain 76C13425 5 Bytes JMP 000D0430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!GetTopWindow 76C13A5D 7 Bytes JMP 000D0730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!CloseClipboard 76C15BA7 5 Bytes JMP 000D00B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!OpenClipboard 76C15BB9 5 Bytes JMP 000D0070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!IsClipboardFormatAvailable 76C15C3A 5 Bytes JMP 000D00F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!GetClipboardSequenceNumber 76C15C4E 5 Bytes JMP 000D0330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!GetClipboardOwner 76C15C60 5 Bytes JMP 000D0370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!CountClipboardFormats 76C15DC9 5 Bytes JMP 000D01F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!SetCursorPos 76C2C1D8 5 Bytes JMP 000D0770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!GetClipboardViewer 76C44B57 5 Bytes JMP 000D0470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] USER32.dll!GetPriorityClipboardFormat 76C44C59 5 Bytes JMP 000D03B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ole32.dll!OleSetClipboard 7673F1F6 5 Bytes JMP 000E0030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ole32.dll!OleIsCurrentClipboard 76742370 5 Bytes JMP 000E0070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[3836] ole32.dll!OleGetClipboard 7676F71D 5 Bytes JMP 000E00B0

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs 854DC1F8
Device \FileSystem\fastfat \FatCdrom 885811F8
Device \Driver\usbehci \Device\USBPDO-0 868AF1F8
Device \Driver\usbehci \Device\USBPDO-1 868AF1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{3DAD895B-BF83-4A83-857E-46D10BDC9228} 866EB1F8
Device \Driver\cdrom \Device\CdRom0 865E91F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 854D81F8
Device \Driver\atapi \Device\Ide\IdePort0 854D81F8
Device \Driver\atapi \Device\Ide\IdePort1 854D81F8
Device \Driver\atapi \Device\Ide\IdePort2 854D81F8
Device \Driver\atapi \Device\Ide\IdePort3 854D81F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 854D81F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 854D91F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 854D91F8
Device \Driver\msahci \Device\Ide\PciIde0Channel4 854D91F8
Device \Driver\msahci \Device\Ide\PciIde0Channel5 854D91F8
Device \Driver\USBSTOR \Device\00000073 87DA5430
Device \Driver\USBSTOR \Device\00000074 87DA5430
Device \Driver\NetBT \Device\NetBt_Wins_Export 866EB1F8
Device \Driver\usbehci \Device\USBFDO-0 868AF1F8
Device \Driver\usbehci \Device\USBFDO-1 868AF1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{AC75BB88-18BD-4D5B-9A01-5F957311C597} 866EB1F8
Device \Driver\JMCR \Device\Scsi\JMCR1 868EB1F8
Device \Driver\JMCR \Device\Scsi\JMCR2 868EB1F8
Device \Driver\JMCR \Device\Scsi\JMCR3 868EB1F8
Device \Driver\JMCR \Device\Scsi\JMCR4 868EB1F8
Device \FileSystem\fastfat \Fat 885811F8
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- Trace I/O - GMER 2.1 ----

Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x854d81f8]<< 854d81f8
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x863972e8] 863972e8
Trace 3 CLASSPNP.SYS[8b70c59e] -> nt!IofCallDriver -> [0x8629fc10] 8629fc10
Trace 5 ACPI.sys[8afbc3b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x862aa908] 862aa908
Trace \Driver\atapi[0x862796c0] -> IRP_MJ_CREATE -> 0x854d81f8 854d81f8

---- EOF - GMER 2.1 ----