GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-10 14:26:20 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0003 298,09GB Running: q1mdefek.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\uwddakob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x9061CF80] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x9061D040] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x9061D000] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x9061CFC0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82E91A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ECB212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1203 82ED2598 4 Bytes [80, CF, 61, 90] {OR BH, 0x61; NOP } .text ntkrnlpa.exe!KeRemoveQueueEx + 1314 82ED26A9 3 Bytes [D0, 61, 90] {SHL BYTE [ECX-0x70], 0x1} .text ntkrnlpa.exe!KeRemoveQueueEx + 161F 82ED29B4 4 Bytes [00, D0, 61, 90] {ADD AL, DL; POPA ; NOP } .text ntkrnlpa.exe!KeRemoveQueueEx + 1667 82ED29FC 4 Bytes [C0, CF, 61, 90] {ROR BH, 0x61; NOP } .xreloc C:\Windows\system32\drivers\ps7arkab.sys unknown last section [0x8B158000, 0x9F4, 0x40000040] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91819000, 0x341A1E, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[652] ntdll.dll!LdrGetProcedureAddress + 26 775D22A9 7 Bytes JMP 6DB51FFD C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[652] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 771A941E 7 Bytes JMP 569309D3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[652] kernel32.dll!QueryPerformanceCounter + 13 771AC425 7 Bytes JMP 5693098B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[652] kernel32.dll!LoadAppInitDlls + 355 771AF4E6 7 Bytes JMP 56545CC6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[652] GDI32.dll!GetViewportOrgEx + 26C 7591884B 7 Bytes JMP 569309FA C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[2536] kernel32.dll!SetUnhandledExceptionFilter 771AF4EB 4 Bytes [C2, 04, 00, 00] .text C:\Users\Administrator\AppData\Local\GG\Application\ggapp.exe[4508] ntdll.dll!LdrGetProcedureAddress + 26 775D22A9 7 Bytes JMP 62145605 C:\Users\Administrator\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Administrator\AppData\Local\GG\Application\ggapp.exe[4508] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 771A941E 7 Bytes JMP 62C3384D C:\Users\Administrator\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Administrator\AppData\Local\GG\Application\ggapp.exe[4508] kernel32.dll!QueryPerformanceCounter + 13 771AC425 7 Bytes JMP 62C33805 C:\Users\Administrator\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Administrator\AppData\Local\GG\Application\ggapp.exe[4508] kernel32.dll!LoadAppInitDlls + 355 771AF4E6 1 Byte [E9] .text C:\Users\Administrator\AppData\Local\GG\Application\ggapp.exe[4508] kernel32.dll!LoadAppInitDlls + 355 771AF4E6 7 Bytes JMP 6215577B C:\Users\Administrator\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Users\Administrator\AppData\Local\GG\Application\ggapp.exe[4508] GDI32.dll!GetViewportOrgEx + 26C 7591884B 7 Bytes JMP 62C33874 C:\Users\Administrator\AppData\Local\GG\Application\xulrunner\xul.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtCreateFile + 6 775B560E 4 Bytes [28, 58, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtCreateFile + B 775B5613 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtCreateKey + 6 775B564E 4 Bytes [68, 59, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtCreateKey + B 775B5653 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtCreateMutant + 6 775B568E 4 Bytes [68, 5A, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtCreateMutant + B 775B5693 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtCreateSection + 6 775B572E 4 Bytes [A8, 5A, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtCreateSection + B 775B5733 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtMapViewOfSection + B 775B5C73 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenFile + 6 775B5D1E 4 Bytes [68, 58, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenFile + B 775B5D23 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenKey + 6 775B5D4E 4 Bytes [A8, 59, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenKey + B 775B5D53 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenKeyEx + B 775B5D63 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenMutant + 6 775B5D9E 4 Bytes [28, 5A, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenMutant + B 775B5DA3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenProcess + 6 775B5DCE 4 Bytes [68, 5B, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenProcess + B 775B5DD3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenProcessToken + 6 775B5DDE 4 Bytes [A8, 5B, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenProcessToken + B 775B5DE3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenProcessTokenEx + 6 775B5DEE 4 Bytes [68, 5C, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenProcessTokenEx + B 775B5DF3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenSection + B 775B5E13 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenThread + 6 775B5E4E 4 Bytes [28, 5B, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenThread + B 775B5E53 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenThreadToken + 6 775B5E5E 4 Bytes [28, 5C, 07, 00] {SUB [EDI+EAX+0x0], BL} .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenThreadToken + B 775B5E63 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenThreadTokenEx + 6 775B5E6E 4 Bytes [A8, 5C, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtOpenThreadTokenEx + B 775B5E73 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtQueryAttributesFile + 6 775B5F7E 4 Bytes [A8, 58, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtQueryAttributesFile + B 775B5F83 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtQueryFullAttributesFile + B 775B6033 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtSetInformationFile + 6 775B667E 4 Bytes [28, 59, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtSetInformationFile + B 775B6683 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtSetInformationThread + B 775B66E3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtUnmapViewOfSection + 6 775B69FE 4 Bytes [28, 5D, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ntdll.dll!NtUnmapViewOfSection + B 775B6A03 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] kernel32.dll!CreateProcessW 7716204D 5 Bytes JMP 00080030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] kernel32.dll!CreateProcessA 77162082 5 Bytes JMP 00080070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!ActivateKeyboardLayout 76E98203 5 Bytes JMP 001704F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!ScreenToClient 76E9A506 7 Bytes JMP 00170670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!RegisterClipboardFormatA 76E9C091 5 Bytes JMP 001702F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!RegisterClipboardFormatW 76E9DF8D 5 Bytes JMP 001702B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!SetCursor 76EA3075 5 Bytes JMP 00170530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!MonitorFromWindow 76EA3622 7 Bytes JMP 00170630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!PostMessageW 76EA447B 5 Bytes JMP 001705F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!IsWindowVisible 76EA4D69 7 Bytes JMP 001706B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!GetClientRect 76EA54DD 7 Bytes JMP 001705B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!MapWindowPoints 76EA5CAA 5 Bytes JMP 00170570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!GetParent 76EA6029 7 Bytes JMP 001706F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!EmptyClipboard 76EB290C 5 Bytes JMP 00170130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!SetClipboardData 76EB2962 5 Bytes JMP 00170170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!GetClipboardData 76EB2BA7 5 Bytes JMP 00170030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!GetClipboardFormatNameW 76EB5FD2 5 Bytes JMP 00170230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!SetClipboardViewer 76EB6FF6 5 Bytes JMP 001704B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!GetClipboardFormatNameA 76EB700A 5 Bytes JMP 00170270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!ChangeClipboardChain 76EC147C 5 Bytes JMP 00170430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!GetTopWindow 76EC24D9 7 Bytes JMP 00170730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!CloseClipboard 76EC446C 5 Bytes JMP 001700B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!OpenClipboard 76EC447E 5 Bytes JMP 00170070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!IsClipboardFormatAvailable 76EC44FF 5 Bytes JMP 001700F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!GetClipboardSequenceNumber 76EC4513 5 Bytes JMP 00170330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!GetClipboardOwner 76EC4525 5 Bytes JMP 00170370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!CountClipboardFormats 76EC470A 5 Bytes JMP 001701F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!EnumClipboardFormats 76EC47EC 5 Bytes JMP 001701B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!GetOpenClipboardWindow 76EC480B 5 Bytes JMP 001703F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!SetCursorPos 76EDC1B0 5 Bytes JMP 00170770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!GetClipboardViewer 76EF4AF7 5 Bytes JMP 00170470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] user32.DLL!GetPriorityClipboardFormat 76EF4BF9 5 Bytes JMP 001703B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!DeleteObject 75915F14 5 Bytes JMP 001801B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!SelectObject 75916640 5 Bytes JMP 001805F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!SetTextColor 75916906 5 Bytes JMP 00180A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!SetBkMode 759169B1 5 Bytes JMP 001808F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!DeleteDC 75916EAA 5 Bytes JMP 00180170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!GetDeviceCaps 75916F7F 5 Bytes JMP 001803B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!ExtSelectClipRgn 75917114 5 Bytes JMP 001802F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!SelectClipRgn 75917242 5 Bytes JMP 001805B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!SetStretchBltMode 75917705 5 Bytes JMP 001806B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!GetCurrentObject 75917917 5 Bytes JMP 00180370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!GetTextMetricsW 75917B8F 5 Bytes JMP 00180E30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!GetTextAlign 75917DAF 5 Bytes JMP 00180D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!IntersectClipRect 75917DFE 5 Bytes JMP 001803F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!ExtTextOutW 75918192 5 Bytes JMP 00180970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!SetTextAlign 7591828E 5 Bytes JMP 001809F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!GetClipBox 75918525 5 Bytes JMP 00180330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!MoveToEx 75918C21 5 Bytes JMP 00180470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!StretchDIBits 7591A53E 5 Bytes JMP 00180770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!RestoreDC 7591A67B 5 Bytes JMP 00180530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!SaveDC 7591A74B 5 Bytes JMP 00180570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!GetTextExtentPoint32W 7591B4B5 5 Bytes JMP 00180670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!GetTextFaceW 7591B73A 2 Bytes JMP 00180D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!GetTextFaceW + 3 7591B73D 2 Bytes [86, 8A] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!GetFontData 7591BCC4 5 Bytes JMP 00180C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!SetWorldTransform 7591C90A 5 Bytes JMP 001806F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!CreateDCA 7591CCA9 5 Bytes JMP 001800B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!CreateDCW 7591CF79 5 Bytes JMP 001800F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!CreateICW 7591CFD0 5 Bytes JMP 00180130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!GetTextMetricsA 7591D0F2 5 Bytes JMP 00180DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!Rectangle 7591F1FF 5 Bytes JMP 001809B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!LineTo 7591F59B 5 Bytes JMP 00180430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!SetICMMode 7591FAA4 5 Bytes JMP 00180DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!ExtTextOutA 75920D20 5 Bytes JMP 00180930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!GetTextExtentPoint32A 7592117F 5 Bytes JMP 00180630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!ExtEscape 75922D49 5 Bytes JMP 001802B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!Escape 75923400 5 Bytes JMP 00180270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!ResetDCW 75923A9B 5 Bytes JMP 00180AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!EndPage 759240DA 5 Bytes JMP 00180230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!SetPolyFillMode 759267E1 5 Bytes JMP 00180B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!SetMiterLimit 7592699D 5 Bytes JMP 00180B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!GetTextFaceA 75930D22 5 Bytes JMP 00180CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!GetGlyphOutlineW 7593C2DA 5 Bytes JMP 00180CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!CreateScalableFontResourceW 7593E937 5 Bytes JMP 00180BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!AddFontResourceW 7593ED33 5 Bytes JMP 00180BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!RemoveFontResourceW 7593F229 5 Bytes JMP 00180C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!AbortDoc 75944E29 5 Bytes JMP 00180030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!EndDoc 75945270 5 Bytes JMP 001801F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!StartPage 7594535B 5 Bytes JMP 00180730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!StartDocW 75945D76 5 Bytes JMP 001807F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!BeginPath 7594651D 5 Bytes JMP 00180830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!SelectClipPath 75946574 5 Bytes JMP 00180AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!CloseFigure 759465CF 5 Bytes JMP 00180070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!EndPath 75946626 5 Bytes JMP 00180A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!StrokePath 75946859 5 Bytes JMP 001807B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!FillPath 759468E6 5 Bytes JMP 00180870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!PolylineTo 75946D54 5 Bytes JMP 001804F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!PolyBezierTo 75946DE5 5 Bytes JMP 001804B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] GDI32.dll!PolyDraw 75946E97 5 Bytes JMP 001808B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ole32.dll!OleSetClipboard 773D0045 5 Bytes JMP 001A0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ole32.dll!OleIsCurrentClipboard 773D36B2 5 Bytes JMP 001A0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_44.exe[6048] ole32.dll!OleGetClipboard 773FFDCD 5 Bytes JMP 001A00B0 .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6832] USER32.dll!RegisterMessagePumpHook + 2F1 76E98B9E 7 Bytes JMP 56887B3A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6832] USER32.dll!IsDialogMessageW + 340 76EA4444 7 Bytes JMP 56887BAB C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6832] USER32.dll!GetWindowInfo 76EA4B5E 5 Bytes JMP 5688B77D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[6832] USER32.dll!ToUnicodeEx + 71 76EB2223 7 Bytes JMP 5688532E C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73F724CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73F5562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73F556EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73F72546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73F685AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73F64D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73F65105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73F651DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73F66707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73F68301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73F68850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73F690B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73F6E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73F64C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp tcpipBM.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{31085E3F-85CC-4A35-AD8A-74A7774E27FB}\Connection@Name isatap.{19AF25B1-E4EB-4A54-952B-3F9AFC62DFE4} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{7173E2F8-E094-4898-B4AA-B20279243BE2}?\Device\{31085E3F-85CC-4A35-AD8A-74A7774E27FB}?\Device\{016E92F4-64B3-46EB-9376-D0553F9904DA}?\Device\{7EB1ED71-2A14-4074-949F-3F53C6221D0E}?\Device\{83A79839-CB00-43E2-A931-FC9C11501651}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{7173E2F8-E094-4898-B4AA-B20279243BE2}"?"{31085E3F-85CC-4A35-AD8A-74A7774E27FB}"?"{016E92F4-64B3-46EB-9376-D0553F9904DA}"?"{7EB1ED71-2A14-4074-949F-3F53C6221D0E}"?"{83A79839-CB00-43E2-A931-FC9C11501651}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{7173E2F8-E094-4898-B4AA-B20279243BE2}?\Device\TCPIP6TUNNEL_{31085E3F-85CC-4A35-AD8A-74A7774E27FB}?\Device\TCPIP6TUNNEL_{016E92F4-64B3-46EB-9376-D0553F9904DA}?\Device\TCPIP6TUNNEL_{7EB1ED71-2A14-4074-949F-3F53C6221D0E}?\Device\TCPIP6TUNNEL_{83A79839-CB00-43E2-A931-FC9C11501651}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{31085E3F-85CC-4A35-AD8A-74A7774E27FB}@InterfaceName isatap.{19AF25B1-E4EB-4A54-952B-3F9AFC62DFE4} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{31085E3F-85CC-4A35-AD8A-74A7774E27FB}@ReusableType 0 ---- EOF - GMER 2.1 ----