GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-12 18:36:47 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FBEO 232,89GB Running: tdipjuoj.exe; Driver: C:\Users\Krzysiek\AppData\Local\Temp\pxldqpoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x8EFAB990] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x8EF5C1CE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x8EF5C400] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x8EF5BFC8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x8EFAE55C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x8EFAD98C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x8EFADBD8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x8EFAD51E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x8EF4C640] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x8EFABAD2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x8EFAB5FE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x8EFAE312] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x8EFAD052] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x8EFAE78C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x8EFAD67E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x8EFAE1C6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x8EF5C2D4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x8EFADEE2] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x8EF5C0C8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x8EFAE048] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x8EF4CA5A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x8EFAB936] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x8EFAD25A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x8EFADD82] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x8EF4CA6C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x8EFAD3C0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x8EFAD882] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x8EFAE894] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x8EFAE61E] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8307DA35 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830B7392 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 830BE5BC 4 Bytes [90, B9, FA, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 1100 830BE5E5 3 Bytes [C1, F5, 8E] {SAL EBP, 0x8e} .text ntkrnlpa.exe!KeRemoveQueueEx + 1143 830BE628 4 Bytes [00, C4, F5, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 830BE678 4 Bytes [C8, BF, F5, 8E] {ENTER 0xf5bf, 0x8e} .text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 830BE6DC 4 Bytes [5C, E5, FA, 8E] .text ... ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtCreateFile + 6 76F4560E 4 Bytes [28, 10, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtCreateFile + B 76F45613 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtCreateKey + 6 76F4564E 4 Bytes [68, 11, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtCreateKey + B 76F45653 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtCreateMutant + 6 76F4568E 4 Bytes [68, 12, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtCreateMutant + B 76F45693 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtCreateSection + 6 76F4572E 4 Bytes [A8, 12, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtCreateSection + B 76F45733 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtMapViewOfSection + 6 76F45C6E 4 Bytes CALL 75F46387 C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtMapViewOfSection + B 76F45C73 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenFile + 6 76F45D1E 4 Bytes [68, 10, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenFile + B 76F45D23 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenKey + 6 76F45D4E 4 Bytes [A8, 11, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenKey + B 76F45D53 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenKeyEx + 6 76F45D5E 4 Bytes CALL 75F46474 C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenKeyEx + B 76F45D63 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenMutant + 6 76F45D9E 4 Bytes [28, 12, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenMutant + B 76F45DA3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenProcess + 6 76F45DCE 4 Bytes [68, 13, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenProcess + B 76F45DD3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenProcessToken + 6 76F45DDE 4 Bytes [A8, 13, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenProcessToken + B 76F45DE3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenProcessTokenEx + 6 76F45DEE 4 Bytes [68, 14, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenProcessTokenEx + B 76F45DF3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenSection + 6 76F45E0E 4 Bytes CALL 75F46525 C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenSection + B 76F45E13 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenThread + 6 76F45E4E 4 Bytes [28, 13, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenThread + B 76F45E53 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenThreadToken + 6 76F45E5E 4 Bytes [28, 14, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenThreadToken + B 76F45E63 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenThreadTokenEx + 6 76F45E6E 4 Bytes [A8, 14, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtOpenThreadTokenEx + B 76F45E73 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtQueryAttributesFile + 6 76F45F7E 4 Bytes [A8, 10, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtQueryAttributesFile + B 76F45F83 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtQueryFullAttributesFile + 6 76F4602E 4 Bytes CALL 75F46743 C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtQueryFullAttributesFile + B 76F46033 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtSetInformationFile + 6 76F4667E 4 Bytes [28, 11, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtSetInformationFile + B 76F46683 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtSetInformationThread + 6 76F466DE 4 Bytes CALL 75F46DF6 C:\Windows\system32\SHELL32.dll .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtSetInformationThread + B 76F466E3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtUnmapViewOfSection + 6 76F469FE 4 Bytes [28, 15, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ntdll.dll!NtUnmapViewOfSection + B 76F46A03 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] kernel32.dll!CreateProcessW 7597204D 5 Bytes JMP 00080030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] kernel32.dll!CreateProcessA 75972082 5 Bytes JMP 00080070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!ActivateKeyboardLayout 75528203 5 Bytes JMP 001704F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!ScreenToClient 7552A506 7 Bytes JMP 00170670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!RegisterClipboardFormatA 7552C091 5 Bytes JMP 001702F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!RegisterClipboardFormatW 7552DF8D 5 Bytes JMP 001702B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!SetCursor 75533075 5 Bytes JMP 00170530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!MonitorFromWindow 75533622 7 Bytes JMP 00170630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!PostMessageW 7553447B 5 Bytes JMP 001705F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!IsWindowVisible 75534D69 7 Bytes JMP 001706B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!GetClientRect 755354DD 7 Bytes JMP 001705B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!MapWindowPoints 75535CAA 5 Bytes JMP 00170570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!GetParent 75536029 7 Bytes JMP 001706F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!EmptyClipboard 7554290C 5 Bytes JMP 00170130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!SetClipboardData 75542962 5 Bytes JMP 00170170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!GetClipboardData 75542BA7 5 Bytes JMP 00170030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!GetClipboardFormatNameW 75545FD2 5 Bytes JMP 00170230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!SetClipboardViewer 75546FF6 5 Bytes JMP 001704B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!GetClipboardFormatNameA 7554700A 5 Bytes JMP 00170270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!ChangeClipboardChain 7555147C 5 Bytes JMP 00170430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!GetTopWindow 755524D9 7 Bytes JMP 00170730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!CloseClipboard 7555446C 5 Bytes JMP 001700B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!OpenClipboard 7555447E 5 Bytes JMP 00170070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!IsClipboardFormatAvailable 755544FF 5 Bytes JMP 001700F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!GetClipboardSequenceNumber 75554513 5 Bytes JMP 00170330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!GetClipboardOwner 75554525 5 Bytes JMP 00170370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!CountClipboardFormats 7555470A 5 Bytes JMP 001701F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!EnumClipboardFormats 755547EC 5 Bytes JMP 001701B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!GetOpenClipboardWindow 7555480B 5 Bytes JMP 001703F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!SetCursorPos 7556C1B0 5 Bytes JMP 00170770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!GetClipboardViewer 75584AF7 5 Bytes JMP 00170470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] user32.DLL!GetPriorityClipboardFormat 75584BF9 5 Bytes JMP 001703B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!DeleteObject 770D5F14 5 Bytes JMP 001801B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!SelectObject 770D6640 5 Bytes JMP 001805F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!SetTextColor 770D6906 5 Bytes JMP 00180A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!SetBkMode 770D69B1 5 Bytes JMP 001808F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!DeleteDC 770D6EAA 5 Bytes JMP 00180170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!GetDeviceCaps 770D6F7F 5 Bytes JMP 001803B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!ExtSelectClipRgn 770D7114 5 Bytes JMP 001802F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!SelectClipRgn 770D7242 5 Bytes JMP 001805B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!SetStretchBltMode 770D7705 5 Bytes JMP 001806B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!GetCurrentObject 770D7917 5 Bytes JMP 00180370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!GetTextMetricsW 770D7B8F 5 Bytes JMP 00180E30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!GetTextAlign 770D7DAF 5 Bytes JMP 00180D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!IntersectClipRect 770D7DFE 5 Bytes JMP 001803F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!ExtTextOutW 770D8192 5 Bytes JMP 00180970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!SetTextAlign 770D828E 5 Bytes JMP 001809F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!GetClipBox 770D8525 5 Bytes JMP 00180330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!MoveToEx 770D8C21 5 Bytes JMP 00180470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!StretchDIBits 770DA53E 5 Bytes JMP 00180770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!RestoreDC 770DA67B 5 Bytes JMP 00180530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!SaveDC 770DA74B 5 Bytes JMP 00180570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!GetTextExtentPoint32W 770DB4B5 5 Bytes JMP 00180670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!GetTextFaceW 770DB73A 2 Bytes JMP 00180D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!GetTextFaceW + 3 770DB73D 2 Bytes [0A, 89] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!GetFontData 770DBCC4 5 Bytes JMP 00180C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!SetWorldTransform 770DC90A 5 Bytes JMP 001806F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!CreateDCA 770DCCA9 5 Bytes JMP 001800B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!CreateDCW 770DCF79 5 Bytes JMP 001800F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!CreateICW 770DCFD0 5 Bytes JMP 00180130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!GetTextMetricsA 770DD0F2 5 Bytes JMP 00180DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!Rectangle 770DF1E7 5 Bytes JMP 001809B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!LineTo 770DF583 5 Bytes JMP 00180430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!SetICMMode 770DFA8C 5 Bytes JMP 00180DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!ExtTextOutA 770E0D08 5 Bytes JMP 00180930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!GetTextExtentPoint32A 770E1167 5 Bytes JMP 00180630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!ExtEscape 770E2D31 5 Bytes JMP 001802B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!Escape 770E33E8 5 Bytes JMP 00180270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!ResetDCW 770E3A83 5 Bytes JMP 00180AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!EndPage 770E40C2 5 Bytes JMP 00180230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!SetPolyFillMode 770E67C9 5 Bytes JMP 00180B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!SetMiterLimit 770E6985 5 Bytes JMP 00180B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!GetTextFaceA 770F0D12 5 Bytes JMP 00180CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!GetGlyphOutlineW 770FC32A 5 Bytes JMP 00180CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!CreateScalableFontResourceW 770FE987 5 Bytes JMP 00180BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!AddFontResourceW 770FED83 5 Bytes JMP 00180BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!RemoveFontResourceW 770FF279 5 Bytes JMP 00180C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!AbortDoc 77104E79 5 Bytes JMP 00180030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!EndDoc 771052C0 5 Bytes JMP 001801F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!StartPage 771053AB 5 Bytes JMP 00180730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!StartDocW 77105DC6 5 Bytes JMP 001807F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!BeginPath 7710656D 5 Bytes JMP 00180830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!SelectClipPath 771065C4 5 Bytes JMP 00180AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!CloseFigure 7710661F 5 Bytes JMP 00180070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!EndPath 77106676 5 Bytes JMP 00180A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!StrokePath 771068A9 5 Bytes JMP 001807B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!FillPath 77106936 5 Bytes JMP 00180870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!PolylineTo 77106DA4 5 Bytes JMP 001804F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!PolyBezierTo 77106E35 5 Bytes JMP 001804B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] GDI32.dll!PolyDraw 77106EE7 5 Bytes JMP 001808B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ole32.dll!OleSetClipboard 75280045 5 Bytes JMP 001A0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ole32.dll!OleIsCurrentClipboard 752836B2 5 Bytes JMP 001A0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe[1452] ole32.dll!OleGetClipboard 752AFDCD 5 Bytes JMP 001A00B0 .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] ntdll.dll!NtCreateFile 76F45608 5 Bytes JMP 604A9870 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] ntdll.dll!NtFlushBuffersFile 76F45998 5 Bytes JMP 6019D335 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] ntdll.dll!NtQueryFullAttributesFile 76F46028 5 Bytes JMP 6019D5B0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] ntdll.dll!NtReadFile 76F462F8 5 Bytes JMP 6019D390 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] ntdll.dll!NtReadFileScatter 76F46308 5 Bytes JMP 60E08330 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] ntdll.dll!NtWriteFile 76F46AA8 5 Bytes JMP 604AA7F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] ntdll.dll!NtWriteFileGather 76F46AB8 5 Bytes JMP 60E082DF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] ntdll.dll!LdrLoadDll 76F622AE 4 Bytes JMP 63321F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 759B94E6 7 Bytes JMP 60D49960 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] kernel32.dll!QueryPerformanceCounter + 13 759BC4E5 7 Bytes JMP 60D49983 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] kernel32.dll!LoadAppInitDlls + 355 759BF5A6 7 Bytes JMP 604A6164 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] USER32.dll!GetWindowInfo 75534B5E 5 Bytes JMP 60C4B65E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2068] GDI32.dll!GetViewportOrgEx + 26C 770D884B 7 Bytes JMP 60D498E1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2880] USER32.dll!RegisterMessagePumpHook + 2F1 75528B9E 7 Bytes JMP 6074E0A4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2880] USER32.dll!IsDialogMessageW + 340 75534444 7 Bytes JMP 6074E115 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2880] USER32.dll!GetWindowInfo 75534B5E 5 Bytes JMP 60752007 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2880] USER32.dll!ToUnicodeEx + 71 75542223 7 Bytes JMP 6074B804 C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73A1249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [739F5652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [739F5710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73A1251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73A0857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73A04D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73A050D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73A051AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73A066DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73A082D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73A08824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73A09085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73A0E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73A04C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [73A1249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [739F5652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [739F5710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [73A1251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73A0857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [73A04D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [73A050D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [73A051AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73A066DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73A082D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73A08824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73A09085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73A0E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\explorer.exe[4824] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [73A04C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys AttachedDevice \Driver\tdx \Device\Udp kltdi.sys AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ee9794 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x9E 0x0F 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x30 0xFB 0x11 0xCF ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ee9794 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x9E 0x0F 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x30 0xFB 0x11 0xCF ... ---- EOF - GMER 2.1 ----