GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-09-18 14:31:49 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB Running: d2clxpy6.exe; Driver: C:\Users\laptop\AppData\Local\Temp\awrdapob.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007728fa30 5 bytes JMP 0000000100456390 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007728fd88 5 bytes JMP 0000000100456640 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077290058 5 bytes JMP 00000001004553d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000772ac43a 5 bytes JMP 0000000100455300 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\syswow64\kernel32.dll!CreateFileW 0000000074e13f2c 5 bytes JMP 0000000100451290 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\syswow64\kernel32.dll!CreateFileA 0000000074e15396 5 bytes JMP 00000001004511c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\syswow64\kernel32.dll!MoveFileW 0000000074e29ac0 5 bytes JMP 0000000100452570 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\syswow64\kernel32.dll!CopyFileA 0000000074e358ad 5 bytes JMP 0000000100451000 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\syswow64\kernel32.dll!CopyFileW 0000000074e382d5 5 bytes JMP 00000001004510a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\syswow64\kernel32.dll!MoveFileA 0000000074e8d911 5 bytes JMP 0000000100452510 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 0000000074d16109 5 bytes JMP 0000000100452160 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\syswow64\WININET.dll!InternetWriteFile 0000000074d2b146 5 bytes JMP 00000001004523a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 0000000074d45770 5 bytes JMP 00000001004520a0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileW 0000000076290ff4 5 bytes JMP 00000001004591f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\syswow64\urlmon.dll!URLDownloadToFileA 00000000762e0724 5 bytes JMP 0000000100459080 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076034889 5 bytes JMP 0000000100451d10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2392] C:\Windows\syswow64\WS2_32.dll!send 0000000076036f01 5 bytes JMP 0000000100457250 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007728fa30 5 bytes JMP 0000000103d06390 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007728fd88 5 bytes JMP 0000000103d06640 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077290058 5 bytes JMP 0000000103d053d0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000772ac43a 5 bytes JMP 0000000103d05300 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076093f54 5 bytes JMP 00000001739b98bc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000760a2a3e 5 bytes JMP 0000000173b05e86 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000760a2a62 5 bytes JMP 00000001739115e3 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 00000000760ccc1a 5 bytes JMP 0000000173b05e21 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 00000000760ccf72 5 bytes JMP 0000000173b05eeb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 00000000760dfd61 5 bytes JMP 0000000173b05da8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 00000000760dfe2d 5 bytes JMP 0000000173b05d2f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000760dfe66 5 bytes JMP 0000000173b05ccb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000760dfe8a 5 bytes JMP 0000000173b05c67 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076809404 5 bytes JMP 0000000173b060a0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 0000000074d16109 5 bytes JMP 0000000103d02160 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\WININET.dll!InternetWriteFile 0000000074d2b146 5 bytes JMP 0000000103d023a0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 0000000074d45770 5 bytes JMP 0000000103d020a0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000007455388e 5 bytes JMP 0000000173b05f50 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 00000000745f7922 5 bytes JMP 0000000173b05ff8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000074bb2694 1 byte JMP 0000000173b06298 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW + 2 0000000074bb2696 3 bytes {JMP 0xfffffffffef53c04} .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076034889 5 bytes JMP 0000000103d01d10 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2860] C:\Windows\syswow64\WS2_32.dll!send 0000000076036f01 5 bytes JMP 0000000103d07250 ? C:\Windows\system32\mssprxy.dll [2860] entry point in ".rdata" section 00000000736e71e6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 000000007728fa30 5 bytes JMP 0000000107ca6390 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 000000007728fd88 5 bytes JMP 0000000107ca6640 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077290058 5 bytes JMP 0000000107ca53d0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 00000000772a25dd 6 bytes JMP 00000001739d7aa2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000772ac43a 5 bytes JMP 0000000107ca5300 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 00000000772b24e0 6 bytes JMP 00000001739793f5 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\kernel32.dll!CreateThread 0000000074e134a5 5 bytes JMP 00000001739771cb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076088b9a 5 bytes JMP 00000001739dfe1f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007608a5e6 5 bytes JMP 0000000173983223 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076093f54 5 bytes JMP 00000001739b98bc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000760a06b3 5 bytes JMP 00000001739b204c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 00000000760a2a3e 5 bytes JMP 0000000173b05e86 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 00000000760a2a62 5 bytes JMP 00000001739115e3 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000760af006 5 bytes JMP 00000001739d7a3f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000760b0efc 5 bytes JMP 00000001739fe9f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 00000000760ccc1a 5 bytes JMP 0000000173b05e21 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 00000000760ccf72 5 bytes JMP 0000000173b05eeb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 00000000760dfd61 5 bytes JMP 0000000173b05da8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 00000000760dfe2d 5 bytes JMP 0000000173b05d2f .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000760dfe66 5 bytes JMP 0000000173b05ccb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000760dfe8a 5 bytes JMP 0000000173b05c67 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075026143 5 bytes JMP 0000000173b0666e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 00000000767a3e59 5 bytes JMP 0000000173b06766 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 00000000767a3eae 5 bytes JMP 0000000173b067e4 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 00000000767a4731 5 bytes JMP 0000000173b066d8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 00000000767a5dee 5 bytes JMP 0000000173b06784 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076809404 5 bytes JMP 0000000173b060a0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\WININET.dll!HttpSendRequestW 0000000074d16109 5 bytes JMP 0000000107ca2160 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\WININET.dll!InternetWriteFile 0000000074d2b146 5 bytes JMP 0000000107ca23a0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\WININET.dll!HttpSendRequestA 0000000074d45770 5 bytes JMP 0000000107ca20a0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074c21465 2 bytes [C2, 74] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074c214bb 2 bytes [C2, 74] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000007455388e 5 bytes JMP 0000000173b05f50 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 00000000745f7922 5 bytes JMP 0000000173b05ff8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000074bb2694 1 byte JMP 0000000173b06298 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW + 2 0000000074bb2696 3 bytes {JMP 0xfffffffffef53c04} .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\WS2_32.dll!GetAddrInfoW 0000000076034889 5 bytes JMP 0000000107ca1d10 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2964] C:\Windows\syswow64\WS2_32.dll!send 0000000076036f01 5 bytes JMP 0000000107ca7250 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2600:2884] 000007fefb9c2ab8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2600:2144] 000007fef8325124 Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [2860:2216] 0000000003d0e880 Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [2860:2212] 0000000003d0e990 Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [2860:2204] 0000000003d0e770 Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [2860:2196] 0000000003d0fc90 Thread C:\Program Files (x86)\Internet Explorer\iexplore.exe [2860:2488] 0000000003d0dd20 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002556ee1fc5 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002556ee1fc5 (not active ControlSet) ---- EOF - GMER 2.1 ----