GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-08-05 14:23:17 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB Running: 8rlo8g72.exe; Driver: C:\Users\tokaj\AppData\Local\Temp\kwddykog.sys ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 1278 8308F854 5 Bytes JMP 860A8810 .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8308F9E9 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830C91C2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x94202000, 0x2D5378, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] ntdll.dll!LdrGetProcedureAddress + 26 77B72239 7 Bytes JMP 69BAEEB0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] kernel32.dll!CopyFileW 76206B3F 5 Bytes JMP 6DE9DF60 C:\Program Files\360\360 Internet Security\safemon\safemon.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] kernel32.dll!CopyFileExW 7620B280 7 Bytes JMP 6DE9E490 C:\Program Files\360\360 Internet Security\safemon\safemon.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] kernel32.dll!MoveFileWithProgressW 76218DD4 5 Bytes JMP 67744850 C:\Program Files\360\360 Internet Security\safemon\iNetSafe.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 7621941E 7 Bytes JMP 6A1B9778 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] kernel32.dll!QueryPerformanceCounter + 13 7621C435 7 Bytes JMP 6A1B979B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] kernel32.dll!LoadAppInitDlls + 355 7621F4F6 7 Bytes JMP 69BB4CE9 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] kernel32.dll!MoveFileWithProgressA 76233F98 5 Bytes JMP 677446E0 C:\Program Files\360\360 Internet Security\safemon\iNetSafe.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] kernel32.dll!CopyFileA 76236D5A 5 Bytes JMP 6DE9DE60 C:\Program Files\360\360 Internet Security\safemon\safemon.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] kernel32.dll!MoveFileW 76236ED6 5 Bytes JMP 6DE9E1F0 C:\Program Files\360\360 Internet Security\safemon\safemon.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] kernel32.dll!MoveFileA 7625BF59 5 Bytes JMP 6DE9E0F0 C:\Program Files\360\360 Internet Security\safemon\safemon.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] kernel32.dll!CopyFileExA 7625CDB1 5 Bytes JMP 6DE9E380 C:\Program Files\360\360 Internet Security\safemon\safemon.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] GDI32.dll!GetViewportOrgEx + 26C 7658884B 7 Bytes JMP 6A1B96F9 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] WS2_32.dll!WSASend 77964406 5 Bytes JMP 6DEA28B0 C:\Program Files\360\360 Internet Security\safemon\safemon.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] WS2_32.dll!send 77966F01 5 Bytes JMP 6DEA26B0 C:\Program Files\360\360 Internet Security\safemon\safemon.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] ole32.dll!CoGetClassObject 767254AD 5 Bytes JMP 6DE9B6E0 C:\Program Files\360\360 Internet Security\safemon\safemon.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1192] ole32.dll!CoCreateInstance 76739D0B 5 Bytes JMP 6DE9B500 C:\Program Files\360\360 Internet Security\safemon\safemon.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtCreateFile + 6 77B555CE 4 Bytes [28, B0, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtCreateFile + B 77B555D3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtCreateKey + 6 77B5560E 4 Bytes [68, B1, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtCreateKey + B 77B55613 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtCreateMutant + 6 77B5564E 4 Bytes [68, B2, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtCreateMutant + B 77B55653 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtCreateSection + 6 77B556EE 4 Bytes [A8, B2, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtCreateSection + B 77B556F3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtMapViewOfSection + B 77B55C33 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenFile + 6 77B55CDE 4 Bytes [68, B0, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenFile + B 77B55CE3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenKey + 6 77B55D0E 4 Bytes [A8, B1, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenKey + B 77B55D13 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenKeyEx + B 77B55D23 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenMutant + 6 77B55D5E 4 Bytes [28, B2, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenMutant + B 77B55D63 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenProcess + 6 77B55D8E 4 Bytes [68, B3, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenProcess + B 77B55D93 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenProcessToken + 6 77B55D9E 4 Bytes [A8, B3, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenProcessToken + B 77B55DA3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenProcessTokenEx + 6 77B55DAE 4 Bytes [68, B4, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenProcessTokenEx + B 77B55DB3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenSection + B 77B55DD3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenThread + 6 77B55E0E 4 Bytes [28, B3, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenThread + B 77B55E13 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenThreadToken + 6 77B55E1E 4 Bytes [28, B4, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenThreadToken + B 77B55E23 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenThreadTokenEx + 6 77B55E2E 4 Bytes [A8, B4, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtOpenThreadTokenEx + B 77B55E33 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtQueryAttributesFile + 6 77B55F3E 4 Bytes [A8, B0, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtQueryAttributesFile + B 77B55F43 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtQueryFullAttributesFile + B 77B55FF3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtSetInformationFile + 6 77B5663E 4 Bytes [28, B1, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtSetInformationFile + B 77B56643 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtSetInformationThread + B 77B566A3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtUnmapViewOfSection + 6 77B569BE 4 Bytes [28, B5, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ntdll.dll!NtUnmapViewOfSection + B 77B569C3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] kernel32.dll!CreateProcessW 761D204D 5 Bytes JMP 00080030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] kernel32.dll!CreateProcessA 761D2082 5 Bytes JMP 00080070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!DeleteObject 76585F14 5 Bytes JMP 000C01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!SelectObject 76586640 5 Bytes JMP 000C05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!SetTextColor 76586906 5 Bytes JMP 000C0A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!SetBkMode 765869B1 5 Bytes JMP 000C08F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!DeleteDC 76586EAA 5 Bytes JMP 000C0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!GetDeviceCaps 76586F7F 5 Bytes JMP 000C03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!ExtSelectClipRgn 76587114 5 Bytes JMP 000C02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!SelectClipRgn 76587242 5 Bytes JMP 000C05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!SetStretchBltMode 76587705 5 Bytes JMP 000C06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!GetCurrentObject 76587917 5 Bytes JMP 000C0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!GetTextMetricsW 76587B8F 5 Bytes JMP 000C0E30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!GetTextAlign 76587DAF 5 Bytes JMP 000C0D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!IntersectClipRect 76587DFE 5 Bytes JMP 000C03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!ExtTextOutW 76588192 5 Bytes JMP 000C0970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!SetTextAlign 7658828E 5 Bytes JMP 000C09F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!GetClipBox 76588525 5 Bytes JMP 000C0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!MoveToEx 76588C21 5 Bytes JMP 000C0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!StretchDIBits 7658A53E 5 Bytes JMP 000C0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!RestoreDC 7658A67B 5 Bytes JMP 000C0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!SaveDC 7658A74B 5 Bytes JMP 000C0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!GetTextExtentPoint32W 7658B4B5 5 Bytes JMP 000C0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!GetTextFaceW 7658B73A 2 Bytes JMP 000C0D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!GetTextFaceW + 3 7658B73D 2 Bytes [B3, 89] {MOV BL, 0x89} .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!GetFontData 7658BCC4 5 Bytes JMP 000C0C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!SetWorldTransform 7658C90A 5 Bytes JMP 000C06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!CreateDCA 7658CCA9 5 Bytes JMP 000C00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!CreateDCW 7658CF79 5 Bytes JMP 000C00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!CreateICW 7658CFD0 5 Bytes JMP 000C0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!GetTextMetricsA 7658D0F2 5 Bytes JMP 000C0DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!Rectangle 7658F1FF 5 Bytes JMP 000C09B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!LineTo 7658F59B 5 Bytes JMP 000C0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!SetICMMode 7658FAA4 5 Bytes JMP 000C0DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!ExtTextOutA 765903F9 5 Bytes JMP 000C0930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!GetTextExtentPoint32A 765907B0 5 Bytes JMP 000C0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!ExtEscape 76592949 5 Bytes JMP 000C02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!Escape 76593939 5 Bytes JMP 000C0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!GetTextFaceA 76593E6A 5 Bytes JMP 000C0CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!SetPolyFillMode 7659D851 5 Bytes JMP 000C0B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!SetMiterLimit 7659DA0D 5 Bytes JMP 000C0B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!EndPage 765A00D7 5 Bytes JMP 000C0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!ResetDCW 765A050D 5 Bytes JMP 000C0AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!GetGlyphOutlineW 765AC1BA 5 Bytes JMP 000C0CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!CreateScalableFontResourceW 765AE817 5 Bytes JMP 000C0BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!AddFontResourceW 765AEC13 5 Bytes JMP 000C0BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!RemoveFontResourceW 765AF109 5 Bytes JMP 000C0C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!AbortDoc 765B4C63 5 Bytes JMP 000C0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!EndDoc 765B50AA 5 Bytes JMP 000C01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!StartPage 765B5195 5 Bytes JMP 000C0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!StartDocW 765B5BB0 5 Bytes JMP 000C07F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!BeginPath 765B635D 5 Bytes JMP 000C0830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!SelectClipPath 765B63B4 5 Bytes JMP 000C0AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!CloseFigure 765B640F 5 Bytes JMP 000C0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!EndPath 765B6466 5 Bytes JMP 000C0A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!StrokePath 765B6699 5 Bytes JMP 000C07B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!FillPath 765B6726 5 Bytes JMP 000C0870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!PolylineTo 765B6B94 5 Bytes JMP 000C04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!PolyBezierTo 765B6C25 5 Bytes JMP 000C04B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] GDI32.dll!PolyDraw 765B6CD7 5 Bytes JMP 000C08B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!ActivateKeyboardLayout 779A8203 5 Bytes JMP 000D04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!ScreenToClient 779AA506 7 Bytes JMP 000D0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!RegisterClipboardFormatA 779AC091 5 Bytes JMP 000D02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!RegisterClipboardFormatW 779ADF8D 5 Bytes JMP 000D02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!SetCursor 779B3075 5 Bytes JMP 000D0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!MonitorFromWindow 779B3622 7 Bytes JMP 000D0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!PostMessageW 779B447B 5 Bytes JMP 000D05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!IsWindowVisible 779B4D69 7 Bytes JMP 000D06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!GetClientRect 779B54DD 7 Bytes JMP 000D05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!MapWindowPoints 779B5CAA 5 Bytes JMP 000D0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!GetParent 779B6029 7 Bytes JMP 000D06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!EmptyClipboard 779C290C 5 Bytes JMP 000D0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!SetClipboardData 779C2962 5 Bytes JMP 000D0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!GetClipboardData 779C2BA7 5 Bytes JMP 000D0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!GetClipboardFormatNameW 779C5FD2 5 Bytes JMP 000D0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!SetClipboardViewer 779C6FF6 5 Bytes JMP 000D04B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!GetClipboardFormatNameA 779C700A 5 Bytes JMP 000D0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!ChangeClipboardChain 779D147C 5 Bytes JMP 000D0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!GetTopWindow 779D24D9 7 Bytes JMP 000D0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!CloseClipboard 779D446C 5 Bytes JMP 000D00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!OpenClipboard 779D447E 5 Bytes JMP 000D0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!IsClipboardFormatAvailable 779D44FF 5 Bytes JMP 000D00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!GetClipboardSequenceNumber 779D4513 5 Bytes JMP 000D0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!GetClipboardOwner 779D4525 5 Bytes JMP 000D0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!CountClipboardFormats 779D470A 5 Bytes JMP 000D01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!EnumClipboardFormats 779D47EC 5 Bytes JMP 000D01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!GetOpenClipboardWindow 779D480B 5 Bytes JMP 000D03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!SetCursorPos 779EC1B0 5 Bytes JMP 000D0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!GetClipboardViewer 77A04AF7 5 Bytes JMP 000D0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] USER32.dll!GetPriorityClipboardFormat 77A04BF9 5 Bytes JMP 000D03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ole32.dll!OleSetClipboard 76750045 5 Bytes JMP 000E0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ole32.dll!OleIsCurrentClipboard 767536B2 5 Bytes JMP 000E0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe[1384] ole32.dll!OleGetClipboard 7677FDCD 5 Bytes JMP 000E00B0 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2588] USER32.dll!RegisterMessagePumpHook + 2F1 779A8B9E 7 Bytes JMP 6A28D8D4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2588] USER32.dll!IsDialogMessageW + 340 779B4444 7 Bytes JMP 6A28D863 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2588] USER32.dll!GetWindowInfo 779B4B5E 5 Bytes JMP 6A0E2A67 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2588] USER32.dll!ToUnicodeEx + 71 779C2223 7 Bytes JMP 6A0E306A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Windows\Explorer.EXE[3332] kernel32.dll!CreateProcessInternalW 762207A2 5 Bytes JMP 6DE9BD00 C:\Program Files\360\360 Internet Security\safemon\safemon.dll .text C:\Program Files\360\360 Internet Security\safemon\360tray.exe[4044] kernel32.dll!SetUnhandledExceptionFilter 7621F4FB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [72E224CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [72E0562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [72E056EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [72E22546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [72E185AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [72E14D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [72E15105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [72E151DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [72E16707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [72E18301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [72E18850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [72E190B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [72E1E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[3332] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [72E14C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Ntfs \Ntfs qutmdrv.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002421d22a3c Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002421d22a3c@0025e59aea27 0xD9 0xB8 0x25 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002421d22a3c (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002421d22a3c@0025e59aea27 0xD9 0xB8 0x25 0x66 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Upgrade\LocalRadioSettings (not active ControlSet) Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\Vbox\Licenses\CorelDRAW\xae Graphics Suite_11_D639.lic 3 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\Vbox\Licenses\CorelDRAW\xae Graphics Suite_11_D639.prf 3 ---- EOF - GMER 2.1 ----