GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-01-05 14:59:43 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\0000006e ST1000DM rev.CC4B 931,51GB Running: qq2g6bn7.exe; Driver: C:\Users\MarcinJ\AppData\Local\Temp\kwdyikod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0x929E1370] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0x929E1430] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0x929E13F0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0x929E13B0] SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x83255FEC] SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [83255FEC] ZwCreateKey [0x83255FEC] SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x83255FF1] SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [83255FF1] ZwOpenKey [0x83255FF1] INT 0x03 \SystemRoot\system32\ntkrnlpa.exe[unknown section] 83255FFB INT 0x06 \??\C:\Windows\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) 926AA16D INT 0x0E \??\C:\Windows\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) 926A9FC2 Code \??\C:\Windows\system32\drivers\hitmanpro37.sys ZwAllocateVirtualMemory [0xA3DBE3EC] Code \??\C:\Windows\system32\drivers\hitmanpro37.sys NtAllocateVirtualMemory ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestWaitReplyPort + 1495 832929E5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832CC312 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 11BF 832D3644 3 Bytes [EC, 5F, 25] .text ntkrnlpa.exe!KeRemoveQueueEx + 1203 832D3688 4 Bytes [70, 13, 9E, 92] {JO 0x15; SAHF ; XCHG EDX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 1313 832D3798 4 Bytes [30, 14, 9E, 92] {XOR [ESI+EBX*4], DL; XCHG EDX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 137F 832D3804 3 Bytes [F1, 5F, 25] .text ntkrnlpa.exe!KeRemoveQueueEx + 161F 832D3AA4 4 Bytes [F0, 13, 9E, 92] .text ... PAGE ntkrnlpa.exe!NtAllocateVirtualMemory 83480DD8 5 Bytes JMP A3DBE3F0 \??\C:\Windows\system32\drivers\hitmanpro37.sys .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9B207000, 0x174C8A, 0xE8000020] .text C:\Windows\system32\drivers\aksfridge.sys section is writeable [0x926B4000, 0x49C57, 0xE0000020] .init C:\Windows\system32\drivers\aksfridge.sys entry point in ".init" section [0x9270B224] .init C:\Windows\system32\drivers\aksfridge.sys unknown last code section [0x9270B000, 0x4000, 0xE20000E0] .text C:\Windows\system32\drivers\hardlock.sys section is writeable [0x9270F400, 0x6EED8, 0xE8000020] .protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x9279A020] C:\Windows\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x9279A020] .protect˙˙˙˙hardlockunknown last code section [0x92799E00, 0x50BA, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0x92799E00, 0x50BA, 0xE0000020] ? C:\Windows\system32\drivers\hitmanpro37.sys Nie można odnaleźć określonego pliku. ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtCreateFile + 6 7747560E 4 Bytes [28, 00, 37, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtCreateFile + B 77475613 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtMapViewOfSection + 6 77475C6E 1 Byte [28] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtMapViewOfSection + 6 77475C6E 4 Bytes [28, 03, 37, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtMapViewOfSection + B 77475C73 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtOpenFile + 6 77475D1E 4 Bytes [68, 00, 37, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtOpenFile + B 77475D23 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtOpenProcess + 6 77475DCE 4 Bytes [A8, 01, 37, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtOpenProcess + B 77475DD3 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtOpenProcessToken + B 77475DE3 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtOpenProcessTokenEx + 6 77475DEE 4 Bytes [A8, 02, 37, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtOpenProcessTokenEx + B 77475DF3 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtOpenThread + 6 77475E4E 4 Bytes [68, 01, 37, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtOpenThread + B 77475E53 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtOpenThreadToken + 6 77475E5E 4 Bytes [68, 02, 37, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtOpenThreadToken + B 77475E63 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtOpenThreadTokenEx + B 77475E73 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtQueryAttributesFile + 6 77475F7E 4 Bytes [A8, 00, 37, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtQueryAttributesFile + B 77475F83 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtQueryFullAttributesFile + B 77476033 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtSetInformationFile + 6 7747667E 4 Bytes [28, 01, 37, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtSetInformationFile + B 77476683 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtSetInformationThread + 6 774766DE 4 Bytes [28, 02, 37, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtSetInformationThread + B 774766E3 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtUnmapViewOfSection + 6 774769FE 1 Byte [68] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtUnmapViewOfSection + 6 774769FE 4 Bytes [68, 03, 37, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe[1076] ntdll.dll!NtUnmapViewOfSection + B 77476A03 1 Byte [E2] .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1820] kernel32.dll!SetUnhandledExceptionFilter 759DF5AB 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Microsoft Office\Office14\EXCEL.EXE[2144] kernel32.dll!SetUnhandledExceptionFilter 759DF5AB 5 Bytes JMP 5C073843 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation) .text C:\Program Files\Microsoft Office\Office14\EXCEL.EXE[2144] ole32.dll!OleLoadFromStream 767D6143 5 Bytes JMP 5CD0DE54 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation) .text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[3240] kernel32.dll!SetUnhandledExceptionFilter 759DF5AB 5 Bytes JMP 5C073843 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation) .text C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE[3240] ole32.dll!OleLoadFromStream 767D6143 5 Bytes JMP 5CD0DE54 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation) .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtAddAtom + 6 7747526E 4 Bytes [A8, CD, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtAddAtom + B 77475273 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtCreateEvent + 6 774755EE 4 Bytes [68, C9, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtCreateEvent + B 774755F3 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtCreateFile + 6 7747560E 4 Bytes [28, C8, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtCreateFile + B 77475613 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtCreateKey + 6 7747564E 4 Bytes CALL 7648131C C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtCreateKey + B 77475653 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtCreateMutant + 6 7747568E 4 Bytes CALL 7648135D C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtCreateMutant + B 77475693 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtCreateSection + 6 7747572E 4 Bytes [28, CB, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtCreateSection + B 77475733 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtDeleteAtom + 6 7747581E 4 Bytes [28, CE, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtDeleteAtom + B 77475823 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtDeleteValueKey + 6 7747588E 4 Bytes [A8, CB, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtDeleteValueKey + B 77475893 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtFindAtom + 6 7747598E 4 Bytes CALL 76481660 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtFindAtom + B 77475993 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtMapViewOfSection + 6 77475C6E 4 Bytes [A8, CE, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtMapViewOfSection + B 77475C73 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenEvent + 6 77475CFE 4 Bytes [A8, C9, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenEvent + B 77475D03 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenFile + 6 77475D1E 4 Bytes [68, C8, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenFile + B 77475D23 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenKey + 6 77475D4E 4 Bytes [28, CA, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenKey + B 77475D53 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenKeyEx + 6 77475D5E 4 Bytes [68, CA, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenKeyEx + B 77475D63 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenMutant + 6 77475D9E 4 Bytes [A8, CA, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenMutant + B 77475DA3 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenProcess + 6 77475DCE 4 Bytes [28, CC, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenProcess + B 77475DD3 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenProcessToken + 6 77475DDE 4 Bytes [68, CC, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenProcessToken + B 77475DE3 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenProcessTokenEx + 6 77475DEE 4 Bytes [28, CD, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenProcessTokenEx + B 77475DF3 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenSection + 6 77475E0E 4 Bytes [68, CB, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenSection + B 77475E13 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenThread + 6 77475E4E 4 Bytes CALL 76481B1E C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenThread + B 77475E53 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenThreadToken + 6 77475E5E 4 Bytes CALL 76481B2F C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenThreadToken + B 77475E63 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenThreadTokenEx + 6 77475E6E 4 Bytes [68, CD, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtOpenThreadTokenEx + B 77475E73 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtQueryAttributesFile + 6 77475F7E 4 Bytes [A8, C8, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtQueryAttributesFile + B 77475F83 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtQueryFullAttributesFile + 6 7747602E 4 Bytes CALL 76481CFB C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtQueryFullAttributesFile + B 77476033 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtQueryInformationAtom + 6 7747603E 4 Bytes [68, CE, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtQueryInformationAtom + B 77476043 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtSetInformationFile + 6 7747667E 4 Bytes [28, C9, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtSetInformationFile + B 77476683 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtSetInformationThread + 6 774766DE 4 Bytes [A8, CC, BC, 00] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtSetInformationThread + B 774766E3 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtUnmapViewOfSection + 6 774769FE 4 Bytes CALL 764826D1 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ntdll.dll!NtUnmapViewOfSection + B 77476A03 1 Byte [E2] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] kernel32.dll!CreateProcessW 7599204D 5 Bytes JMP 00BD0030 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] kernel32.dll!CreateProcessA 75992082 5 Bytes JMP 00BD0070 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!ActivateKeyboardLayout 76938203 5 Bytes JMP 00BF03F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!EmptyClipboard 7695290C 5 Bytes JMP 00BF0130 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!SetClipboardData 76952962 5 Bytes JMP 00BF0170 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!GetClipboardData 76952BA7 5 Bytes JMP 00BF0030 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!GetClipboardFormatNameW 76955FD2 5 Bytes JMP 00BF0230 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!GetClipboardFormatNameA 7695700A 5 Bytes JMP 00BF0270 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!CloseClipboard 7696446C 5 Bytes JMP 00BF00B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!OpenClipboard 7696447E 5 Bytes JMP 00BF0070 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!IsClipboardFormatAvailable 769644FF 5 Bytes JMP 00BF00F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!GetClipboardSequenceNumber 76964513 5 Bytes JMP 00BF02B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!GetClipboardOwner 76964525 5 Bytes JMP 00BF02F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!CountClipboardFormats 7696470A 5 Bytes JMP 00BF01F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!EnumClipboardFormats 769647EC 5 Bytes JMP 00BF01B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!GetOpenClipboardWindow 7696480B 5 Bytes JMP 00BF0370 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!GetClipboardViewer 76994AF7 5 Bytes JMP 00BF03B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] USER32.dll!GetPriorityClipboardFormat 76994BF9 5 Bytes JMP 00BF0330 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!DeleteObject 75A85F14 5 Bytes JMP 00C001B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!SelectObject 75A86640 5 Bytes JMP 00C005B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!SetTextColor 75A86906 5 Bytes JMP 00C00970 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!SetBkMode 75A869B1 5 Bytes JMP 00C00830 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!DeleteDC 75A86EAA 5 Bytes JMP 00C00170 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!GetDeviceCaps 75A86F7F 5 Bytes JMP 00C00370 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!ExtSelectClipRgn 75A87114 5 Bytes JMP 00C002F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!SelectClipRgn 75A87242 5 Bytes JMP 00C00570 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!SetStretchBltMode 75A87705 5 Bytes JMP 00C005F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!GetTextMetricsW 75A87B8F 5 Bytes JMP 00C00D30 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!IntersectClipRect 75A87DFE 5 Bytes JMP 00C003B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!ExtTextOutW 75A88192 5 Bytes JMP 00C008B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!SetTextAlign 75A8828E 5 Bytes JMP 00C00930 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!GetClipBox 75A88525 5 Bytes JMP 00C00330 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!MoveToEx 75A88C21 5 Bytes JMP 00C00430 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!StretchDIBits 75A8A53E 5 Bytes JMP 00C006B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!RestoreDC 75A8A67B 5 Bytes JMP 00C004F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!SaveDC 75A8A74B 5 Bytes JMP 00C00530 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!GetTextFaceW 75A8B73A 2 Bytes JMP 00C00C70 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!GetTextFaceW + 3 75A8B73D 2 Bytes [17, 8B] .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!GetFontData 75A8BCC4 5 Bytes JMP 00C00BB0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!SetWorldTransform 75A8C90A 5 Bytes JMP 00C00630 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!CreateDCA 75A8CCA9 5 Bytes JMP 00C000B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!CreateDCW 75A8CF79 5 Bytes JMP 00C000F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!CreateICW 75A8CFD0 5 Bytes JMP 00C00130 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!GetTextMetricsA 75A8D0F2 5 Bytes JMP 00C00CF0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!Rectangle 75A8F1E7 5 Bytes JMP 00C008F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!LineTo 75A8F583 5 Bytes JMP 00C003F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!SetICMMode 75A8FA8C 5 Bytes JMP 00C00CB0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!ExtTextOutA 75A90D08 5 Bytes JMP 00C00870 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!ExtEscape 75A92D31 5 Bytes JMP 00C002B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!Escape 75A933E8 5 Bytes JMP 00C00270 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!ResetDCW 75A93A83 5 Bytes JMP 00C009F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!EndPage 75A940C2 5 Bytes JMP 00C00230 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!SetPolyFillMode 75A967C9 5 Bytes JMP 00C00A70 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!SetMiterLimit 75A96985 5 Bytes JMP 00C00AB0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!GetTextFaceA 75AA0D12 5 Bytes JMP 00C00C30 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!GetGlyphOutlineW 75AAC32A 5 Bytes JMP 00C00BF0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!CreateScalableFontResourceW 75AAE987 5 Bytes JMP 00C00AF0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!AddFontResourceW 75AAED83 5 Bytes JMP 00C00B30 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!RemoveFontResourceW 75AAF279 5 Bytes JMP 00C00B70 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!AbortDoc 75AB4E79 5 Bytes JMP 00C00030 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!EndDoc 75AB52C0 5 Bytes JMP 00C001F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!StartPage 75AB53AB 5 Bytes JMP 00C00670 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!StartDocW 75AB5DC6 5 Bytes JMP 00C00730 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!BeginPath 75AB656D 5 Bytes JMP 00C00770 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!SelectClipPath 75AB65C4 5 Bytes JMP 00C00A30 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!CloseFigure 75AB661F 5 Bytes JMP 00C00070 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!EndPath 75AB6676 5 Bytes JMP 00C009B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!StrokePath 75AB68A9 5 Bytes JMP 00C006F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!FillPath 75AB6936 5 Bytes JMP 00C007B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!PolylineTo 75AB6DA4 5 Bytes JMP 00C004B0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!PolyBezierTo 75AB6E35 5 Bytes JMP 00C00470 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] GDI32.dll!PolyDraw 75AB6EE7 5 Bytes JMP 00C007F0 .text C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] ole32.dll!OleSetClipboard 76830045 5 Bytes JMP 00C90030 .text C:\Program Files\CCleaner\CCleaner.exe[3988] USER32.dll!SetScrollRange 76938EC5 5 Bytes JMP 00366F71 C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd) .text C:\Program Files\CCleaner\CCleaner.exe[3988] USER32.dll!GetScrollInfo 76942DA3 5 Bytes JMP 00366EF8 C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd) .text C:\Program Files\CCleaner\CCleaner.exe[3988] USER32.dll!SetScrollInfo 769448DA 5 Bytes JMP 00366FAE C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd) .text C:\Program Files\CCleaner\CCleaner.exe[3988] USER32.dll!GetScrollRange 7696045A 5 Bytes JMP 00366E8F C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd) .text C:\Program Files\CCleaner\CCleaner.exe[3988] USER32.dll!SetScrollPos 769604BE 5 Bytes JMP 00366E64 C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd) .text C:\Program Files\CCleaner\CCleaner.exe[3988] USER32.dll!GetScrollPos 76960E43 5 Bytes JMP 00366ECD C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd) .text C:\Program Files\CCleaner\CCleaner.exe[3988] USER32.dll!EnableScrollBar 769619CE 5 Bytes JMP 00366FE8 C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd) .text C:\Program Files\CCleaner\CCleaner.exe[3988] USER32.dll!ShowScrollBar 76963C89 5 Bytes JMP 00366F31 C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd) .text C:\Program Files\Mozilla Firefox\firefox.exe[5144] ntdll.dll!NtCreateFile 77475608 5 Bytes JMP 0FE2148B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5144] ntdll.dll!NtFlushBuffersFile 77475998 5 Bytes JMP 0FE211CB C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5144] ntdll.dll!NtQueryFullAttributesFile 77476028 5 Bytes JMP 0FE21300 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5144] ntdll.dll!NtReadFile 774762F8 5 Bytes JMP 0FE21205 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5144] ntdll.dll!NtReadFileScatter 77476308 5 Bytes JMP 106B834C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5144] ntdll.dll!NtWriteFile 77476AA8 5 Bytes JMP 0FE2162F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5144] ntdll.dll!NtWriteFileGather 77476AB8 5 Bytes JMP 106B839C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5144] ntdll.dll!LdrLoadDll 774922AE 5 Bytes JMP 7382A7B0 C:\Program Files\Mozilla Firefox\mozglue.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5144] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 759D94E6 7 Bytes JMP 106A184D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5144] kernel32.dll!QueryPerformanceCounter + 13 759DC4E5 7 Bytes JMP 106A21C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5144] kernel32.dll!LoadAppInitDlls + 355 759DF5A6 7 Bytes JMP 1041FB76 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5144] USER32.dll!GetWindowInfo 76944B5E 5 Bytes JMP 11163FBD C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5144] GDI32.dll!GetViewportOrgEx + 26C 75A8884B 7 Bytes JMP 106A118A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7405249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74035652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74035710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7405251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7404857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74044D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [740450D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [740451AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [740466DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [740482D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74048824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74049085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7404E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74044C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateThread] 00BD00D0 IAT C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] 00BD00D0 IAT C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!MoveFileExW] 00BD0090 IAT C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe[3324] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!MoveFileExW] 00BD0090 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp networx.sys (NetFilter SDK TDI Hook Driver (WPP)/NetFilterSDK.com) Device \Driver\partmgr \Device\PartmgrControl aksfridge.sys (Ancillary Function Driver/SafeNet Inc.) AttachedDevice \Driver\tdx \Device\Udp networx.sys (NetFilter SDK TDI Hook Driver (WPP)/NetFilterSDK.com) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x74 0x08 0xD2 0xAE ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x74 0x08 0xD2 0xAE ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG18.00.00.01PROFESSIONAL B13214FA4EF4C17D68F14DA1453AACC7AC6978ADA60028B5D56170F4B626143DC83A5AC7DA7892D01139B135D1878DE63A6B37573C0DFE9387109DBEF3E78CB36E1912DD3798F6A8E93A8C8D9E6353A09B83FB22686C9975BA96B18A8B750211D2DD2D842722ADEBD9E1AB5DB74B28178CA290489BEAAFD59D8616BB758F56C93A5CD368C8E2E629D8E71439FBBEA98FD9FDF6E69CDA6DD4F3B6E6197977E1F47DABDE1B08AE4791F5417B1B1F44EA75668EE28182FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA9C6AECB7A5D1407A9C6AECB7A5D1407A2D97226D213B555A6171C11EC38DE3D58954CA77AE87C3926A7ED0AB8642A7AF21CCAD281DF0BD766F76941242EE159E71797CC290B026FEDA7F67AAA059B7D6DFA9898CB2C22B1C99D26B6AC9DBBAA60C59DFB01CFC8F41B0E9A41ACBEEF4F1708318AEEDBC4455F0F583E23D3F918AE7D67BB932422F348A319B94EFC027E5D18AEF69C7778A885CF953B7D9AE85B428F2226B2AD426D97A55A51E5E091703376D1C14CBCA3459F581525F069B8828E429DE57944C234AD47E50A8BBF3F5E0C627CE1B71D12581315318AF7F0FD728B4D50BFC1F0A270B22FEB7A9DA09255E2903661DC3FF2F3CBE46C89559231DF345FD386AB75429E52F43DCC3CC0F535B5A5A861FD7B5AFEB89CE Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@6CCCF8AF 545 ---- EOF - GMER 2.1 ----