GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-29 20:52:27
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500418AS rev.CC38 465,76GB
Running: kbn7f194.exe; Driver: C:\Users\Mikus\AppData\Local\Temp\pwldikod.sys


---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 142D  83844A15 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  8387E212 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  C:\Windows\system32\DRIVERS\atipmdag.sys  section is writeable [0x92A2C000, 0x2D1F8A, 0xE8000020]


---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1676]  kernel32.dll!SetUnhandledExceptionFilter  7630F5AB 4 Bytes  [C2, 04, 00, 00]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  ntdll.dll!NtCreateFile  77CC5608 5 Bytes  JMP 67C39870 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  ntdll.dll!NtFlushBuffersFile  77CC5998 5 Bytes  JMP 6792D335 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  ntdll.dll!NtQueryFullAttributesFile  77CC6028 5 Bytes  JMP 6792D5B0 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  ntdll.dll!NtReadFile  77CC62F8 5 Bytes  JMP 6792D390 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  ntdll.dll!NtReadFileScatter  77CC6308 5 Bytes  JMP 68598330 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  ntdll.dll!NtWriteFile  77CC6AA8 5 Bytes  JMP 67C3A7F0 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  ntdll.dll!NtWriteFileGather  77CC6AB8 5 Bytes  JMP 685982DF C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  ntdll.dll!LdrLoadDll  77CE22AE 5 Bytes  JMP 6AB11F42 C:\Program Files\Mozilla Firefox\mozglue.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  kernel32.dll!K32GetDeviceDriverBaseNameW + 5D  763094E6 7 Bytes  JMP 684D9960 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  kernel32.dll!QueryPerformanceCounter + 13  7630C4E5 7 Bytes  JMP 684D9983 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  kernel32.dll!LoadAppInitDlls + 355  7630F5A6 7 Bytes  JMP 67C36164 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  USER32.dll!GetWindowInfo  77744B5E 5 Bytes  JMP 683DB65E C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  GDI32.dll!GetViewportOrgEx + 26C  7751884B 7 Bytes  JMP 684D98E1 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3664]  USER32.dll!GetWindowInfo  77744B5E 5 Bytes  JMP 67EE2007 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3664]  USER32.dll!ToUnicodeEx + 71  77752223 7 Bytes  JMP 67EDB804 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtCreateFile + 6  77CC560E 4 Bytes  [28, 30, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtCreateFile + B  77CC5613 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtCreateKey + 6  77CC564E 4 Bytes  [68, 31, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtCreateKey + B  77CC5653 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtCreateMutant + 6  77CC568E 4 Bytes  [68, 32, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtCreateMutant + B  77CC5693 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtCreateSection + 6  77CC572E 4 Bytes  [A8, 32, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtCreateSection + B  77CC5733 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtMapViewOfSection + B  77CC5C73 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenFile + 6  77CC5D1E 4 Bytes  [68, 30, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenFile + B  77CC5D23 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenKey + 6  77CC5D4E 4 Bytes  [A8, 31, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenKey + B  77CC5D53 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenKeyEx + B  77CC5D63 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenMutant + 6  77CC5D9E 4 Bytes  [28, 32, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenMutant + B  77CC5DA3 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenProcess + 6  77CC5DCE 4 Bytes  [68, 33, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenProcess + B  77CC5DD3 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenProcessToken + 6  77CC5DDE 4 Bytes  [A8, 33, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenProcessToken + B  77CC5DE3 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenProcessTokenEx + 6  77CC5DEE 4 Bytes  [68, 34, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenProcessTokenEx + B  77CC5DF3 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenSection + B  77CC5E13 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenThread + 6  77CC5E4E 4 Bytes  [28, 33, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenThread + B  77CC5E53 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenThreadToken + 6  77CC5E5E 4 Bytes  [28, 34, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenThreadToken + B  77CC5E63 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenThreadTokenEx + 6  77CC5E6E 4 Bytes  [A8, 34, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtOpenThreadTokenEx + B  77CC5E73 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtQueryAttributesFile + 6  77CC5F7E 4 Bytes  [A8, 30, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtQueryAttributesFile + B  77CC5F83 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtQueryFullAttributesFile + B  77CC6033 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtSetInformationFile + 6  77CC667E 4 Bytes  [28, 31, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtSetInformationFile + B  77CC6683 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtSetInformationThread + B  77CC66E3 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtUnmapViewOfSection + 6  77CC69FE 4 Bytes  [28, 35, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtUnmapViewOfSection + B  77CC6A03 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  kernel32.dll!CreateProcessW  762C204D 5 Bytes  JMP 000C0030
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  kernel32.dll!CreateProcessA  762C2082 5 Bytes  JMP 000C0070
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!DeleteObject  77515F14 5 Bytes  JMP 002701B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!SelectObject  77516640 5 Bytes  JMP 002705F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!SetTextColor  77516906 5 Bytes  JMP 00270A30
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!SetBkMode  775169B1 5 Bytes  JMP 002708F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!DeleteDC  77516EAA 5 Bytes  JMP 00270170
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetDeviceCaps  77516F7F 5 Bytes  JMP 002703B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!ExtSelectClipRgn  77517114 5 Bytes  JMP 002702F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!SelectClipRgn  77517242 5 Bytes  JMP 002705B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!SetStretchBltMode  77517705 5 Bytes  JMP 002706B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetCurrentObject  77517917 5 Bytes  JMP 00270370
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetTextMetricsW  77517B8F 5 Bytes  JMP 00270E30
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetTextAlign  77517DAF 5 Bytes  JMP 00270D70
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!IntersectClipRect  77517DFE 5 Bytes  JMP 002703F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!ExtTextOutW  77518192 5 Bytes  JMP 00270970
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!SetTextAlign  7751828E 5 Bytes  JMP 002709F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetClipBox  77518525 5 Bytes  JMP 00270330
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!MoveToEx  77518C21 5 Bytes  JMP 00270470
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!StretchDIBits  7751A53E 5 Bytes  JMP 00270770
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!RestoreDC  7751A67B 5 Bytes  JMP 00270530
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!SaveDC  7751A74B 5 Bytes  JMP 00270570
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetTextExtentPoint32W  7751B4B5 5 Bytes  JMP 00270670
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetTextFaceW  7751B73A 2 Bytes  JMP 00270D30
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetTextFaceW + 3  7751B73D 2 Bytes  [D5, 88] {AAD 0x88}
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetFontData  7751BCC4 5 Bytes  JMP 00270C70
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!SetWorldTransform  7751C90A 5 Bytes  JMP 002706F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!CreateDCA  7751CCA9 5 Bytes  JMP 002700B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!CreateDCW  7751CF79 5 Bytes  JMP 002700F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!CreateICW  7751CFD0 5 Bytes  JMP 00270130
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetTextMetricsA  7751D0F2 5 Bytes  JMP 00270DF0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!Rectangle  7751F1FF 5 Bytes  JMP 002709B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!LineTo  7751F59B 5 Bytes  JMP 00270430
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!SetICMMode  7751FAA4 5 Bytes  JMP 00270DB0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!ExtTextOutA  77520D20 5 Bytes  JMP 00270930
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetTextExtentPoint32A  7752117F 5 Bytes  JMP 00270630
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!ExtEscape  77522D49 5 Bytes  JMP 002702B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!Escape  77523400 5 Bytes  JMP 00270270
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!ResetDCW  77523A9B 5 Bytes  JMP 00270AB0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!EndPage  775240DA 5 Bytes  JMP 00270230
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!SetPolyFillMode  775267E1 5 Bytes  JMP 00270B30
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!SetMiterLimit  7752699D 5 Bytes  JMP 00270B70
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetTextFaceA  77530D22 5 Bytes  JMP 00270CF0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetGlyphOutlineW  7753C2DA 5 Bytes  JMP 00270CB0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!CreateScalableFontResourceW  7753E937 5 Bytes  JMP 00270BB0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!AddFontResourceW  7753ED33 5 Bytes  JMP 00270BF0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!RemoveFontResourceW  7753F229 5 Bytes  JMP 00270C30
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!AbortDoc  77544E29 5 Bytes  JMP 00270030
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!EndDoc  77545270 5 Bytes  JMP 002701F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!StartPage  7754535B 5 Bytes  JMP 00270730
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!StartDocW  77545D76 5 Bytes  JMP 002707F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!BeginPath  7754651D 5 Bytes  JMP 00270830
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!SelectClipPath  77546574 5 Bytes  JMP 00270AF0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!CloseFigure  775465CF 5 Bytes  JMP 00270070
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!EndPath  77546626 5 Bytes  JMP 00270A70
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!StrokePath  77546859 5 Bytes  JMP 002707B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!FillPath  775468E6 5 Bytes  JMP 00270870
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!PolylineTo  77546D54 5 Bytes  JMP 002704F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!PolyBezierTo  77546DE5 5 Bytes  JMP 002704B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!PolyDraw  77546E97 5 Bytes  JMP 002708B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!ActivateKeyboardLayout  77738203 5 Bytes  JMP 002804F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!ScreenToClient  7773A506 7 Bytes  JMP 00280670
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!RegisterClipboardFormatA  7773C091 5 Bytes  JMP 002802F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!RegisterClipboardFormatW  7773DF8D 5 Bytes  JMP 002802B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!SetCursor  77743075 5 Bytes  JMP 00280530
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!MonitorFromWindow  77743622 7 Bytes  JMP 00280630
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!PostMessageW  7774447B 5 Bytes  JMP 002805F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!IsWindowVisible  77744D69 7 Bytes  JMP 002806B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!GetClientRect  777454DD 7 Bytes  JMP 002805B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!MapWindowPoints  77745CAA 5 Bytes  JMP 00280570
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!GetParent  77746029 7 Bytes  JMP 002806F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!EmptyClipboard  7775290C 5 Bytes  JMP 00280130
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!SetClipboardData  77752962 5 Bytes  JMP 00280170
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!GetClipboardData  77752BA7 5 Bytes  JMP 00280030
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!GetClipboardFormatNameW  77755FD2 5 Bytes  JMP 00280230
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!SetClipboardViewer  77756FF6 5 Bytes  JMP 002804B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!GetClipboardFormatNameA  7775700A 5 Bytes  JMP 00280270
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!ChangeClipboardChain  7776147C 5 Bytes  JMP 00280430
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!GetTopWindow  777624D9 7 Bytes  JMP 00280730
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!CloseClipboard  7776446C 5 Bytes  JMP 002800B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!OpenClipboard  7776447E 5 Bytes  JMP 00280070
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!IsClipboardFormatAvailable  777644FF 5 Bytes  JMP 002800F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!GetClipboardSequenceNumber  77764513 5 Bytes  JMP 00280330
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!GetClipboardOwner  77764525 5 Bytes  JMP 00280370
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!CountClipboardFormats  7776470A 5 Bytes  JMP 002801F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!EnumClipboardFormats  777647EC 5 Bytes  JMP 002801B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!GetOpenClipboardWindow  7776480B 5 Bytes  JMP 002803F0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!SetCursorPos  7777C1B0 5 Bytes  JMP 00280770
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!GetClipboardViewer  77794AF7 5 Bytes  JMP 00280470
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  USER32.dll!GetPriorityClipboardFormat  77794BF9 5 Bytes  JMP 002803B0
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ole32.dll!OleSetClipboard  764E0045 5 Bytes  JMP 00290030
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ole32.dll!OleIsCurrentClipboard  764E36B2 5 Bytes  JMP 00290070
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ole32.dll!OleGetClipboard  7650FDCD 5 Bytes  JMP 002900B0


---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [749A24CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [7498562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [749856EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [749A2546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [749985AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [74994D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [74995105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [749951DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]  [74996707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [74998301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [74998850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [749990B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [7499E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1932] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [74994C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll


---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys


---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xB3 0x56 0x33 0xFE ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xB3 0x56 0x33 0xFE ...

---- EOF - GMER 2.1 ----
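The "User code sections" above contain three record shapes that an analyst triages differently: JMP hooks whose target GMER resolves to a named image (firefox.exe and plugin-container.exe into xul.dll and mozglue.dll), JMP hooks whose target GMER attributes to no image at all (every kernel32/GDI32/USER32/ole32 hook in FlashPlayerPlugin_15_0_0_246.exe, with targets in the 000C0000, 00270000, 00280000 and 00290000 ranges), and in-place byte patches with no JMP shown (ekrn.exe on SetUnhandledExceptionFilter, and the Flash process's "+ 6" / "+ B" patches on the ntdll stubs). The log says where each hook lands, not who put it there, so the second category is the one that cannot be closed from the log alone. The parser below is an added example, not part of the page and not GMER's code: it extracts those records, sorts them into the three categories, and lists the unresolved JMP targets that need the owning process or a memory dump inspected. The category names and the regular expressions are this example's own assumptions, derived from the record shapes visible above; the sample input is seven lines copied from the log.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: seven lines copied from the "User code sections"
# part of the GMER log above, chosen to cover each record shape that appears there.
SAMPLE_LOG = r"""
.text  C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1676]  kernel32.dll!SetUnhandledExceptionFilter  7630F5AB 4 Bytes  [C2, 04, 00, 00]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  ntdll.dll!NtCreateFile  77CC5608 5 Bytes  JMP 67C39870 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3000]  kernel32.dll!QueryPerformanceCounter + 13  7630C4E5 7 Bytes  JMP 684D9983 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtCreateFile + 6  77CC560E 4 Bytes  [28, 30, 07, 00]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  ntdll.dll!NtCreateFile + B  77CC5613 1 Byte  [E2]
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  kernel32.dll!CreateProcessW  762C204D 5 Bytes  JMP 000C0030
.text  C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe[3720]  GDI32.dll!GetTextFaceW + 3  7751B73D 2 Bytes  [D5, 88] {AAD 0x88}
"""

# One ".text" record: process[pid], module!symbol[ + offset], address, size, detail.
# Regex shape is an assumption fitted to the records in this log, not a GMER spec.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<detail>.*)$"
)
# Detail column of a JMP hook: target address, optionally followed by the image
# GMER resolved that target to.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<image>\S.*))?$")

# Category labels are this example's own, not GMER terminology.
JMP_TO_IMAGE = "jmp_to_image"   # trampoline lands in a module GMER could name
JMP_UNBACKED = "jmp_unbacked"   # trampoline lands where GMER names no module
BYTE_PATCH = "byte_patch"       # bytes overwritten in place, no JMP shown


@dataclass
class Hook:
    process: str
    pid: int
    symbol: str
    address: int
    size: int
    kind: str
    target: Optional[int]
    image: Optional[str]
    detail: str


def classify(detail: str) -> Tuple[str, Optional[int], Optional[str]]:
    """Map the detail column to (kind, jmp target, resolved image)."""
    m = JMP_RE.match(detail)
    if not m:
        return BYTE_PATCH, None, None
    image = m.group("image")
    return (JMP_TO_IMAGE if image else JMP_UNBACKED), int(m.group("target"), 16), image


def parse_gmer_hooks(text: str) -> List[Hook]:
    """Parse every user-mode ".text" record; lines of other shapes are skipped."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        symbol = f"{m.group('module')}!{m.group('func')}"
        if m.group("off"):
            symbol += f" + {m.group('off')}"
        detail = m.group("detail").strip()
        kind, target, image = classify(detail)
        hooks.append(Hook(
            process=m.group("proc"), pid=int(m.group("pid")), symbol=symbol,
            address=int(m.group("addr"), 16), size=int(m.group("size")),
            kind=kind, target=target, image=image, detail=detail,
        ))
    return hooks


def summarize(hooks: List[Hook]) -> Dict[Tuple[str, int], Counter]:
    """Count hook kinds per (process basename, pid) for quick triage."""
    out: Dict[Tuple[str, int], Counter] = defaultdict(Counter)
    for h in hooks:
        out[(h.process.rsplit("\\", 1)[-1], h.pid)][h.kind] += 1
    return dict(out)


def unbacked_targets(hooks: List[Hook]) -> List[Tuple[str, int, str, int]]:
    """Hooks whose JMP target GMER did not attribute to any image: the entries
    the log alone cannot explain, so the target region must be inspected in the
    live process or a memory dump."""
    return [(h.process.rsplit("\\", 1)[-1], h.pid, h.symbol, h.target)
            for h in hooks if h.kind == JMP_UNBACKED]


if __name__ == "__main__":
    parsed = parse_gmer_hooks(SAMPLE_LOG)
    for key, counts in summarize(parsed).items():
        print(key, dict(counts))
    for row in unbacked_targets(parsed):
        print("review:", row)
```

Run it against the full "User code sections" block instead of SAMPLE_LOG and the unresolved list is the complete set of Flash-process kernel32/GDI32/USER32/ole32 hooks. A target resolved to an image is not proof that the hook is legitimate, and an unresolved one is not proof that it is not; the categories only order the work, and the owner of each unbacked region still has to be established by looking at the process.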