GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-05 18:40:02
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HITACHI_ rev.JE3Z 465,76GB
Running: c0pm15xd.exe; Driver: C:\Users\Gosia\AppData\Local\Temp\fwddqkob.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6640]  C:\windows\syswow64\USER32.dll!EnableWindow  0000000075ed2da4 5 bytes JMP 00000001685798bc
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6640]  C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamW  0000000075eecbf3 5 bytes JMP 00000001686c5e86
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6640]  C:\windows\syswow64\USER32.dll!DialogBoxParamW  0000000075eecfca 5 bytes JMP 00000001684d15e3
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6640]  C:\windows\syswow64\USER32.dll!DialogBoxParamA  0000000075f0cb0c 5 bytes JMP 00000001686c5e21
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6640]  C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamA  0000000075f0ce64 5 bytes JMP 00000001686c5eeb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6640]  C:\windows\syswow64\USER32.dll!MessageBoxIndirectA  0000000075f1fbd1 5 bytes JMP 00000001686c5da8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6640]  C:\windows\syswow64\USER32.dll!MessageBoxIndirectW  0000000075f1fc9d 5 bytes JMP 00000001686c5d2f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6640]  C:\windows\syswow64\USER32.dll!MessageBoxExA  0000000075f1fcd6 5 bytes JMP 00000001686c5ccb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6640]  C:\windows\syswow64\USER32.dll!MessageBoxExW  0000000075f1fcfa 5 bytes JMP 00000001686c5c67
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6640]  C:\windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect  0000000075979404 5 bytes JMP 00000001686c60a0
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W  0000000077db25dd 6 bytes JMP 0000000168597aa2
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A  0000000077dc24e0 6 bytes JMP 00000001685393f5
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\kernel32.dll!CreateThread  00000000773c34d5 5 bytes JMP 00000001685371cb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!CreateWindowExW  0000000075ec8a29 5 bytes JMP 000000016859fe1f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!CreateWindowExA  0000000075ecd22e 5 bytes JMP 0000000168543223
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!EnableWindow  0000000075ed2da4 5 bytes JMP 00000001685798bc
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!CallNextHookEx  0000000075ed6285 5 bytes JMP 0000000168597a3f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!SetWindowsHookExW  0000000075ed7603 5 bytes JMP 000000016857204c
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamW  0000000075eecbf3 5 bytes JMP 00000001686c5e86
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!DialogBoxParamW  0000000075eecfca 5 bytes JMP 00000001684d15e3
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx  0000000075eef52b 5 bytes JMP 00000001685be9f8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!DialogBoxParamA  0000000075f0cb0c 5 bytes JMP 00000001686c5e21
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamA  0000000075f0ce64 5 bytes JMP 00000001686c5eeb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!MessageBoxIndirectA  0000000075f1fbd1 5 bytes JMP 00000001686c5da8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!MessageBoxIndirectW  0000000075f1fc9d 5 bytes JMP 00000001686c5d2f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!MessageBoxExA  0000000075f1fcd6 5 bytes JMP 00000001686c5ccb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\USER32.dll!MessageBoxExW  0000000075f1fcfa 5 bytes JMP 00000001686c5c67
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\ole32.dll!OleLoadFromStream  0000000077256143 5 bytes JMP 00000001686c666e
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\WININET.dll!InternetCloseHandle  00000000763eb7c4 5 bytes JMP 0000000166f5d430
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\WININET.dll!InternetReadFile  00000000763eea3a 5 bytes JMP 0000000166f5d3d0
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\WININET.dll!InternetQueryDataAvailable  00000000763f22e4 5 bytes JMP 0000000166f5d480
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\WININET.dll!InternetConnectA  0000000076415456 5 bytes JMP 0000000166f5ce60
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\WININET.dll!HttpOpenRequestA  0000000076415539 5 bytes JMP 0000000166f5d170
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\comdlg32.dll!PageSetupDlgW  0000000076512694 1 byte JMP 00000001686c6298
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6112]  C:\windows\syswow64\comdlg32.dll!PageSetupDlgW + 2  0000000076512696 3 bytes {JMP 0xfffffffff21b3c04}
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W  0000000077db25dd 6 bytes JMP 0000000168597aa2
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A  0000000077dc24e0 6 bytes JMP 00000001685393f5
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\kernel32.dll!CreateThread  00000000773c34d5 5 bytes JMP 00000001685371cb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!CreateWindowExW  0000000075ec8a29 5 bytes JMP 000000016859fe1f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!CreateWindowExA  0000000075ecd22e 5 bytes JMP 0000000168543223
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!EnableWindow  0000000075ed2da4 5 bytes JMP 00000001685798bc
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!CallNextHookEx  0000000075ed6285 5 bytes JMP 0000000168597a3f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!SetWindowsHookExW  0000000075ed7603 5 bytes JMP 000000016857204c
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamW  0000000075eecbf3 5 bytes JMP 00000001686c5e86
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!DialogBoxParamW  0000000075eecfca 5 bytes JMP 00000001684d15e3
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx  0000000075eef52b 5 bytes JMP 00000001685be9f8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!DialogBoxParamA  0000000075f0cb0c 5 bytes JMP 00000001686c5e21
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamA  0000000075f0ce64 5 bytes JMP 00000001686c5eeb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!MessageBoxIndirectA  0000000075f1fbd1 5 bytes JMP 00000001686c5da8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!MessageBoxIndirectW  0000000075f1fc9d 5 bytes JMP 00000001686c5d2f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!MessageBoxExA  0000000075f1fcd6 5 bytes JMP 00000001686c5ccb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\USER32.dll!MessageBoxExW  0000000075f1fcfa 5 bytes JMP 00000001686c5c67
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\ole32.dll!OleLoadFromStream  0000000077256143 5 bytes JMP 00000001686c666e
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\OLEAUT32.dll!SysFreeString  0000000075913e59 5 bytes JMP 00000001686c6766
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\OLEAUT32.dll!VariantClear  0000000075913eae 5 bytes JMP 00000001686c67e4
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen  0000000075914731 5 bytes JMP 00000001686c66d8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\OLEAUT32.dll!VariantChangeType  0000000075915dee 5 bytes JMP 00000001686c6784
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect  0000000075979404 5 bytes JMP 00000001686c60a0
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\WININET.dll!InternetCloseHandle  00000000763eb7c4 5 bytes JMP 0000000166f5d430
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\WININET.dll!InternetReadFile  00000000763eea3a 5 bytes JMP 0000000166f5d3d0
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\WININET.dll!InternetQueryDataAvailable  00000000763f22e4 5 bytes JMP 0000000166f5d480
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\WININET.dll!InternetConnectA  0000000076415456 5 bytes JMP 0000000166f5ce60
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\syswow64\WININET.dll!HttpOpenRequestA  0000000076415539 5 bytes JMP 0000000166f5d170
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW  0000000073ae388e 5 bytes JMP 00000001686c5f50
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[1348]  C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet  0000000073b87922 5 bytes JMP 00000001686c5ff8
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[4588]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000763d1465 2 bytes [3D, 76]
.text  C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[4588]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000763d14bb 2 bytes [3D, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W  0000000077db25dd 6 bytes JMP 0000000168597aa2
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A  0000000077dc24e0 6 bytes JMP 00000001685393f5
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\kernel32.dll!CreateThread  00000000773c34d5 5 bytes JMP 00000001685371cb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!CreateWindowExW  0000000075ec8a29 5 bytes JMP 000000016859fe1f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!CreateWindowExA  0000000075ecd22e 5 bytes JMP 0000000168543223
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!EnableWindow  0000000075ed2da4 5 bytes JMP 00000001685798bc
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!CallNextHookEx  0000000075ed6285 5 bytes JMP 0000000168597a3f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!SetWindowsHookExW  0000000075ed7603 5 bytes JMP 000000016857204c
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamW  0000000075eecbf3 5 bytes JMP 00000001686c5e86
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!DialogBoxParamW  0000000075eecfca 5 bytes JMP 00000001684d15e3
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx  0000000075eef52b 5 bytes JMP 00000001685be9f8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!DialogBoxParamA  0000000075f0cb0c 5 bytes JMP 00000001686c5e21
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamA  0000000075f0ce64 5 bytes JMP 00000001686c5eeb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!MessageBoxIndirectA  0000000075f1fbd1 5 bytes JMP 00000001686c5da8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!MessageBoxIndirectW  0000000075f1fc9d 5 bytes JMP 00000001686c5d2f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!MessageBoxExA  0000000075f1fcd6 5 bytes JMP 00000001686c5ccb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\USER32.dll!MessageBoxExW  0000000075f1fcfa 5 bytes JMP 00000001686c5c67
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\ole32.dll!OleLoadFromStream  0000000077256143 5 bytes JMP 00000001686c666e
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\OLEAUT32.dll!SysFreeString  0000000075913e59 5 bytes JMP 00000001686c6766
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\OLEAUT32.dll!VariantClear  0000000075913eae 5 bytes JMP 00000001686c67e4
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen  0000000075914731 5 bytes JMP 00000001686c66d8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\OLEAUT32.dll!VariantChangeType  0000000075915dee 5 bytes JMP 00000001686c6784
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect  0000000075979404 5 bytes JMP 00000001686c60a0
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\WININET.dll!InternetCloseHandle  00000000763eb7c4 5 bytes JMP 0000000166f5d430
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\WININET.dll!InternetReadFile  00000000763eea3a 5 bytes JMP 0000000166f5d3d0
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\WININET.dll!InternetQueryDataAvailable  00000000763f22e4 5 bytes JMP 0000000166f5d480
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\WININET.dll!InternetConnectA  0000000076415456 5 bytes JMP 0000000166f5ce60
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\syswow64\WININET.dll!HttpOpenRequestA  0000000076415539 5 bytes JMP 0000000166f5d170
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW  0000000073ae388e 5 bytes JMP 00000001686c5f50
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[6576]  C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet  0000000073b87922 5 bytes JMP 00000001686c5ff8
?      C:\windows\system32\mssprxy.dll [9844]  entry point in ".rdata" section 000000006e3c71e6
.text  C:\Users\Gosia\Downloads\OTL.exe[9844]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000763d1465 2 bytes [3D, 76]
.text  C:\Users\Gosia\Downloads\OTL.exe[9844]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000763d14bb 2 bytes [3D, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W  0000000077db25dd 6 bytes JMP 0000000168597aa2
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A  0000000077dc24e0 6 bytes JMP 00000001685393f5
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\kernel32.dll!CreateThread  00000000773c34d5 5 bytes JMP 00000001685371cb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!CreateWindowExW  0000000075ec8a29 5 bytes JMP 000000016859fe1f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!CreateWindowExA  0000000075ecd22e 5 bytes JMP 0000000168543223
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!EnableWindow  0000000075ed2da4 5 bytes JMP 00000001685798bc
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!CallNextHookEx  0000000075ed6285 5 bytes JMP 0000000168597a3f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!SetWindowsHookExW  0000000075ed7603 5 bytes JMP 000000016857204c
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamW  0000000075eecbf3 5 bytes JMP 00000001686c5e86
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!DialogBoxParamW  0000000075eecfca 5 bytes JMP 00000001684d15e3
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx  0000000075eef52b 5 bytes JMP 00000001685be9f8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!DialogBoxParamA  0000000075f0cb0c 5 bytes JMP 00000001686c5e21
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!DialogBoxIndirectParamA  0000000075f0ce64 5 bytes JMP 00000001686c5eeb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!MessageBoxIndirectA  0000000075f1fbd1 5 bytes JMP 00000001686c5da8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!MessageBoxIndirectW  0000000075f1fc9d 5 bytes JMP 00000001686c5d2f
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!MessageBoxExA  0000000075f1fcd6 5 bytes JMP 00000001686c5ccb
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\USER32.dll!MessageBoxExW  0000000075f1fcfa 5 bytes JMP 00000001686c5c67
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\ole32.dll!OleLoadFromStream  0000000077256143 5 bytes JMP 00000001686c666e
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\OLEAUT32.dll!SysFreeString  0000000075913e59 5 bytes JMP 00000001686c6766
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\OLEAUT32.dll!VariantClear  0000000075913eae 5 bytes JMP 00000001686c67e4
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen  0000000075914731 5 bytes JMP 00000001686c66d8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\OLEAUT32.dll!VariantChangeType  0000000075915dee 5 bytes JMP 00000001686c6784
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect  0000000075979404 5 bytes JMP 00000001686c60a0
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\WININET.dll!InternetCloseHandle  00000000763eb7c4 5 bytes JMP 0000000166f5d430
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\WININET.dll!InternetReadFile  00000000763eea3a 5 bytes JMP 0000000166f5d3d0
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\WININET.dll!InternetQueryDataAvailable  00000000763f22e4 5 bytes JMP 0000000166f5d480
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\WININET.dll!InternetConnectA  0000000076415456 5 bytes JMP 0000000166f5ce60
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\WININET.dll!HttpOpenRequestA  0000000076415539 5 bytes JMP 0000000166f5d170
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000763d1465 2 bytes [3D, 76]
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000763d14bb 2 bytes [3D, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW  0000000073ae388e 5 bytes JMP 00000001686c5f50
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet  0000000073b87922 5 bytes JMP 00000001686c5ff8
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\comdlg32.dll!PageSetupDlgW  0000000076512694 1 byte JMP 00000001686c6298
.text  C:\Program Files (x86)\Internet Explorer\iexplore.exe[264]  C:\windows\syswow64\comdlg32.dll!PageSetupDlgW + 2  0000000076512696 3 bytes {JMP 0xfffffffff21b3c04}

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\windows\system32\mfevtps.exe[1844] @ C:\windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA]  [13f40b9f0] C:\windows\system32\mfevtps.exe

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076fc1a13
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\60d819f29c91
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076fc1a13 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\60d819f29c91 (not active ControlSet)

---- EOF - GMER 2.1 ----