GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-07-29 12:16:22 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0001SDM1 Running: CCleaner.lnk.exe; Driver: C:\Users\Martyna\AppData\Local\Temp\uxldapow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwAlpcSendWaitReceivePort [0x8BAB76B4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateEvent [0x8BAB6F84] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateEventPair [0x8BAB7008] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateIoCompletion [0x8BAB71A4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateMutant [0x8BAB6E80] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateSection [0x8BAB7084] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateSemaphore [0x8BAB6F02] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateTimer [0x8BAB7124] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwLoadDriver [0x8BAB52E4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenEvent [0x8BAB6FCA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenEventPair [0x8BAB7046] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenIoCompletion [0x8BAB71E6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenMutant [0x8BAB6EC4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! 
Virtualization Driver/ALWIL Software) ZwOpenSection [0x8BAB70DA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenSemaphore [0x8BAB6F46] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenTimer [0x8BAB7166] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwQueryObject [0x8BAB5E4A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwReplyWaitReceivePort [0x8BAB7B0A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwReplyWaitReceivePortEx [0x8BAB7672] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwSetSystemInformation [0x8BAB5352] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwShutdownSystem [0x8BAB548E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwSystemDebugControl [0x8BAB54A0] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8BBD350A] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A893C9 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AC2D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1143 82AC9DF8 4 Bytes [B4, 76, AB, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82AC9E5C 8 Bytes [84, 6F, AB, 8B, 08, 70, AB, ...] 
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82AC9E68 4 Bytes [A4, 71, AB, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82AC9E84 4 Bytes [80, 6E, AB, 8B] {SUB BYTE [ESI-0x55], 0x8b} .text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 82AC9EAC 8 Bytes [84, 70, AB, 8B, 02, 6F, AB, ...] .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C56C64 5 Bytes JMP 8BBCF4AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!ObInsertObject + 27 82C6F290 5 Bytes JMP 8BBD09E4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 82D2811A 7 Bytes JMP 8BBD350E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ---- User code sections - GMER 1.0.15 ---- ? C:\Windows\system32\services.exe[464] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: MSWSOCK.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2724] USER32.dll!GetWindowInfo 77064B5E 5 Bytes JMP 6520BACC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2724] USER32.dll!ToUnicodeEx + 71 77072223 7 Bytes JMP 6520C0F9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3096] ntdll.dll!LdrGetProcedureAddress + 26 77652239 7 Bytes JMP 6508B52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3096] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76EA93D6 7 Bytes JMP 6533B6D2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3096] kernel32.dll!QueryPerformanceCounter + 13 76EAC435 7 Bytes JMP 6533B6F5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3096] GDI32.dll!GetViewportOrgEx + 26C 7742884B 7 Bytes JMP 6533B653 
C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Windows Live\Family Safety\fsssvc.exe[3116] ADVAPI32.dll!RegOpenKeyExA 77134907 5 Bytes JMP 01273EEE C:\Program Files\Windows Live\Family Safety\fsssvc.exe (Windows Live Family Safety Service/Microsoft Corporation) .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtCreateFile + 6 776355CE 4 Bytes [28, 00, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtCreateFile + B 776355D3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtCreateKey + 6 7763560E 4 Bytes [68, 01, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtCreateKey + B 77635613 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtCreateMutant + 6 7763564E 4 Bytes [68, 02, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtCreateMutant + B 77635653 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtCreateSection + 6 776356EE 4 Bytes [A8, 02, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtCreateSection + B 776356F3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtMapViewOfSection + B 77635C33 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenFile + 6 77635CDE 4 Bytes [68, 00, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenFile + B 77635CE3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenKey + 6 77635D0E 4 Bytes [A8, 01, 07, 00] .text 
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenKey + B 77635D13 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenKeyEx + B 77635D23 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenMutant + 6 77635D5E 4 Bytes [28, 02, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenMutant + B 77635D63 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenProcess + 6 77635D8E 1 Byte [68] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenProcess + 6 77635D8E 4 Bytes [68, 03, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenProcess + B 77635D93 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenProcessToken + 6 77635D9E 1 Byte [A8] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenProcessToken + 6 77635D9E 4 Bytes [A8, 03, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenProcessToken + B 77635DA3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenProcessTokenEx + 6 77635DAE 4 Bytes [68, 04, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenProcessTokenEx + B 77635DB3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenSection + B 77635DD3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenThread + 6 77635E0E 1 Byte [28] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] 
ntdll.dll!NtOpenThread + 6 77635E0E 4 Bytes [28, 03, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenThread + B 77635E13 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenThreadToken + 6 77635E1E 4 Bytes [28, 04, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenThreadToken + B 77635E23 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenThreadTokenEx + 6 77635E2E 4 Bytes [A8, 04, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtOpenThreadTokenEx + B 77635E33 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtQueryAttributesFile + 6 77635F3E 4 Bytes [A8, 00, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtQueryAttributesFile + B 77635F43 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtQueryFullAttributesFile + B 77635FF3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtSetInformationFile + 6 7763663E 4 Bytes [28, 01, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtSetInformationFile + B 77636643 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtSetInformationThread + 6 7763669E 1 Byte [E8] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtSetInformationThread + B 776366A3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ntdll.dll!NtUnmapViewOfSection + 6 776369BE 4 Bytes [28, 05, 07, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] 
ntdll.dll!NtUnmapViewOfSection + B 776369C3 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] kernel32.dll!CreateProcessW 76E6204D 5 Bytes JMP 00010030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] kernel32.dll!CreateProcessA 76E62082 5 Bytes JMP 00010070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!DeleteObject 77425F14 5 Bytes JMP 000A01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!SelectObject 77426640 5 Bytes JMP 000A05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!SetTextColor 77426906 5 Bytes JMP 000A09F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!SetBkMode 774269B1 5 Bytes JMP 000A08B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!DeleteDC 77426EAA 5 Bytes JMP 000A0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!GetDeviceCaps 77426F7F 5 Bytes JMP 000A03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!ExtSelectClipRgn 77427114 5 Bytes JMP 000A02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!SelectClipRgn 77427242 5 Bytes JMP 000A05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!SetStretchBltMode 77427705 5 Bytes JMP 000A0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!GetCurrentObject 77427917 5 Bytes JMP 000A0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!GetTextMetricsW 77427B8F 5 Bytes JMP 000A0DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!GetTextAlign 77427DAF 5 Bytes JMP 000A0D30 .text 
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!IntersectClipRect 77427DFE 5 Bytes JMP 000A03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!ExtTextOutW 77428192 5 Bytes JMP 000A0930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!SetTextAlign 7742828E 5 Bytes JMP 000A09B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!GetClipBox 77428525 5 Bytes JMP 000A0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!MoveToEx 77428C21 5 Bytes JMP 000A0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!StretchDIBits 7742A53E 5 Bytes JMP 000A0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!RestoreDC 7742A67B 5 Bytes JMP 000A0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!SaveDC 7742A74B 5 Bytes JMP 000A0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!GetTextExtentPoint32W 7742B4B5 5 Bytes JMP 000A0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!GetTextFaceW 7742B73A 2 Bytes JMP 000A0CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!GetTextFaceW + 3 7742B73D 2 Bytes [C7, 88] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!GetFontData 7742BCC4 5 Bytes JMP 000A0C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!SetWorldTransform 7742C90A 5 Bytes JMP 000A06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!CreateDCA 7742CCA9 5 Bytes JMP 000A00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!CreateDCW 7742CF79 5 
Bytes JMP 000A00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!CreateICW 7742CFD0 5 Bytes JMP 000A0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!GetTextMetricsA 7742D0F2 5 Bytes JMP 000A0DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!Rectangle 7742F1FF 5 Bytes JMP 000A0970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!LineTo 7742F59B 5 Bytes JMP 000A0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!SetICMMode 7742FAA4 5 Bytes JMP 000A0D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!ExtTextOutA 774303F9 5 Bytes JMP 000A08F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!ExtEscape 77432949 5 Bytes JMP 000A02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!Escape 77433939 5 Bytes JMP 000A0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!GetTextFaceA 77433E6A 5 Bytes JMP 000A0CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!SetPolyFillMode 7743D851 5 Bytes JMP 000A0AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!SetMiterLimit 7743DA0D 5 Bytes JMP 000A0B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!EndPage 774400D7 5 Bytes JMP 000A0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!ResetDCW 7744050D 5 Bytes JMP 000A0A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!GetGlyphOutlineW 7744C1BA 5 Bytes JMP 000A0C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] 
GDI32.dll!CreateScalableFontResourceW 7744E817 5 Bytes JMP 000A0B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!AddFontResourceW 7744EC13 5 Bytes JMP 000A0BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!RemoveFontResourceW 7744F109 5 Bytes JMP 000A0BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!AbortDoc 77454C63 5 Bytes JMP 000A0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!EndDoc 774550AA 5 Bytes JMP 000A01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!StartPage 77455195 5 Bytes JMP 000A06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!StartDocW 77455BB0 5 Bytes JMP 000A07B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!BeginPath 7745635D 5 Bytes JMP 000A07F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!SelectClipPath 774563B4 5 Bytes JMP 000A0AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!CloseFigure 7745640F 5 Bytes JMP 000A0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!EndPath 77456466 5 Bytes JMP 000A0A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!StrokePath 77456699 5 Bytes JMP 000A0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!FillPath 77456726 5 Bytes JMP 000A0830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!PolylineTo 77456B94 5 Bytes JMP 000A04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!PolyBezierTo 77456C25 5 Bytes JMP 000A04B0 .text 
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] GDI32.dll!PolyDraw 77456CD7 5 Bytes JMP 000A0870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!ActivateKeyboardLayout 77058203 5 Bytes JMP 000B04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!ScreenToClient 7705A506 7 Bytes JMP 000B0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!RegisterClipboardFormatA 7705C091 5 Bytes JMP 000B02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!RegisterClipboardFormatW 7705DF8D 5 Bytes JMP 000B02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!SetCursor 77063075 5 Bytes JMP 000B0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!MonitorFromWindow 77063622 7 Bytes JMP 000B0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!PostMessageW 7706447B 5 Bytes JMP 000B05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!IsWindowVisible 77064D69 7 Bytes JMP 000B06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!GetClientRect 770654DD 7 Bytes JMP 000B05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!MapWindowPoints 77065CAA 5 Bytes JMP 000B0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!GetParent 77066029 7 Bytes JMP 000B06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!EmptyClipboard 7707290C 5 Bytes JMP 000B0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!SetClipboardData 77072962 5 Bytes JMP 000B0170 .text 
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!GetClipboardData 77072BA7 5 Bytes JMP 000B0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!GetClipboardFormatNameW 77075FD2 5 Bytes JMP 000B0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!SetClipboardViewer 77076FF6 5 Bytes JMP 000B04B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!GetClipboardFormatNameA 7707700A 5 Bytes JMP 000B0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!ChangeClipboardChain 7708147C 5 Bytes JMP 000B0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!GetTopWindow 770824D9 7 Bytes JMP 000B0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!CloseClipboard 7708446C 5 Bytes JMP 000B00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!OpenClipboard 7708447E 5 Bytes JMP 000B0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!IsClipboardFormatAvailable 770844FF 5 Bytes JMP 000B00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!GetClipboardSequenceNumber 77084513 5 Bytes JMP 000B0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!GetClipboardOwner 77084525 5 Bytes JMP 000B0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!CountClipboardFormats 7708470A 5 Bytes JMP 000B01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!EnumClipboardFormats 770847EC 5 Bytes JMP 000B01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!GetOpenClipboardWindow 7708480B 5 Bytes JMP 
000B03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!SetCursorPos 7709C1B0 5 Bytes JMP 000B0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!GetClipboardViewer 770B4AF7 5 Bytes JMP 000B0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] USER32.dll!GetPriorityClipboardFormat 770B4BF9 5 Bytes JMP 000B03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ole32.dll!OleSetClipboard 76D40045 5 Bytes JMP 000C0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ole32.dll!OleIsCurrentClipboard 76D436B2 5 Bytes JMP 000C0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] ole32.dll!OleGetClipboard 76D6FDCD 5 Bytes JMP 000C00B0 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 51EC8B55 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 8B565351 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx] FF560875 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] BD510815 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] 85D88B00 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] C2840FDB IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 57000000 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] 0068406A IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] FF000010 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe 
[ntdll.dll!RtlAppendUnicodeStringToString] 006A5073 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] 508415FF IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] F88B00BD IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 85FC7D89 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv] 9E840FFF IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 8B000000 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul] A4F3544B IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtFlushKey] 1443B70F IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] 0653B70F IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 1818448D IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey] 8B0CC083 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareMemory] 08758B08 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeviceIoControlFile] 03FC7D8B IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] 8BF903F1 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] C083FC48 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] A4F34A28 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] 758BE975 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 443D8BFC IAT 
C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 2B00BD51 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 458D0875 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] 056A50F8 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] 75FF016A IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] 85D7FFFC IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile] EB2574C0 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey] 04488B1D IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 56F84D29 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite] 8B08508D IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] FC450300 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 52F8C183 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] 5051E9D1 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] 514015FF IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] 7D8300BD IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] DD7500F8 IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] 50F8458D IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 016A016A IAT C:\Windows\system32\services.exe[464] @ 
C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] FFFC75FF
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] 74C085D7
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk] 0C488D20
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] C085018B
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] F18B1774
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] 03FC4D8B
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] 15FF50C1
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] [00BD5080] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp] 8B14C683
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort] 75C08506
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx] FC458BEB
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] C95B5E5F
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] 560004C2
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] 7140BF57
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy] 8B5700BD
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp] 7C15FFF1
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 6A00BD50
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace] 3C83580F
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] BD715885
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindSetBits] 09740000
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInterlockedSetBitRun] 8548C88B
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit] EBEF75C9
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] 85348907
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] [00BD7158] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 3415FF57
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] 5F00BD50
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] 5756C35E
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid] BD7140BF
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce] F18B5700
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 507C15FF
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] 0F6A00BD
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 85343958
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] [00BD7158] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] C88B0974
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSerializeBoot] 75C98548
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!memset] 8308EBF0
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] 71588524
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection] 570000BD
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 503415FF
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 5E5F00BD
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread] 800068C3
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 006A0000
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] 7815FF51
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] 5000BD50
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] 513C15FF
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 55C300BD
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString] 5351EC8B
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile] 35FF5756
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr] [00BD7198] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] 513815FF
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 8D5900BD
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!TpReleaseWork] E8400044
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!TpPostWork] 00002B8C
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocWork] 75FFFC8B
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent] FC7D8908
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 719835FF
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] EC6800BD
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent] 5700BD53
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits] 513415FF
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] DB3300BD
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] 3910C483
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 6E7D085D
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] FFF63357
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] BD507415
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] 85F88B00
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] 8D3774FF
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 6A500845
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken] FF575602
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] BD513015
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 7CC08500
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] FF556A25
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] 15FFFC75
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!TpSetPoolMinThreads] [00BD512C] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] C9335959
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] 08896657
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort] FFFE1FE8
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 85D88BFF
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 8B0774DB
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess] F72B0875
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] FF57F303
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] BD507015
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] 74F68500
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] FC4D8B53
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] BD7084BA
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] 85D6FF00
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 684575C0
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] 00008000
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits] 15FF5350
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] [00BD5078] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent] 5D3936EB
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] BB31740C
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] [00BD7140] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] 7C15FF53
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid] BE00BD50
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] [00BD7194] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] C085068B
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocAlpcCompletion] 4D8B0774
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocPool] FFD78B08
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] 83C68BD0
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister] 583D04EE
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] 7500BD71
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 15FF53E7
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] [00BD5034] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] 5FF0658D
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent] C2C95B5E
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 8B550008
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] B8EC81EC
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] 53000008
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul] 0B6A5756
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsnicmp] 5420BE59
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] BD8D00BD
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind] FFFFFF4C
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 526AA5F3
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] 858DFF33
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] FFFFFF78
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!MoveFileExW] 00010090
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetFocus] 000B0790
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetKeyState] 000B07D0
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!MoveFileExW] 00010090
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!MoveFileExW] 00010090

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000005c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswFW.SYS (avast! Filtering TDI driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
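The scan above is raw GMER output and offers no triage of its own. The Python below is an added example (not part of GMER, and not from this log's poster) that parses the IAT and device lines in the layout shown and separates the IAT entries GMER could resolve to an on-disk module (a bracketed address followed by a path and a "description/vendor" pair) from those that carry only a bare 32-bit value. The sample input is a handful of lines copied from this scan; the column layout is assumed from those lines only, so SSDT, .text and Code lines are not handled, and the 0x80000000 user/kernel split assumes a 32-bit system booted without /3GB.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER's own code)."""
import re
from collections import defaultdict

# Line layout assumed from the scan above (GMER's real output is tab-separated).
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>\S+) "
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\] "
    r"(?:\[(?P<addr>[0-9A-Fa-f]{8})\] (?P<target>.+?) \((?P<desc>[^/]+)/(?P<vendor>[^)]+)\)"
    r"|(?P<raw>[0-9A-Fa-f]{8}))\s*$"
)
DEV_RE = re.compile(
    r"^(?P<kind>AttachedDevice|Device) (?P<driver>\\\S+) (?P<device>\\\S+) "
    r"(?P<file>\S+) \((?P<desc>[^/]+)/(?P<vendor>[^)]+)\)\s*$"
)

# Sample input: lines copied from the scan above (a subset, not the whole log).
SAMPLE_LOG = r"""
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] FFFC75FF
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] 74C085D7
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] [00BD5080] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[464] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] [00BD5034] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetFocus] 000B0790
IAT C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe[3396] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!MoveFileExW] 00010090
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000005c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
"""


def parse_gmer(text):
    """Return one dict per recognised IAT/device line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = IAT_RE.match(line)
        if m:
            d = m.groupdict()
            d["kind"] = "IAT"
            d["pid"] = int(d["pid"])
            d["resolved"] = d["raw"] is None   # bracketed address + module path present
            entries.append(d)
            continue
        m = DEV_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize_iat(entries):
    """Per-PID view: hooked import count, unresolved count, target modules, vendors."""
    summary = defaultdict(lambda: {"proc": None, "hooked": 0, "unresolved": 0,
                                    "targets": set(), "vendors": set()})
    for e in entries:
        if e["kind"] != "IAT":
            continue
        s = summary[e["pid"]]
        s["proc"] = e["proc"]
        s["hooked"] += 1
        if e["resolved"]:
            s["targets"].add(e["target"])
            s["vendors"].add(e["vendor"])
        else:
            s["unresolved"] += 1
    return dict(summary)


def unresolved_hooks(entries):
    """(pid, dll!import, raw value) for IAT entries GMER did not map to a module."""
    return [(e["pid"], f'{e["dll"]}!{e["func"]}', e["raw"])
            for e in entries if e["kind"] == "IAT" and not e["resolved"]]


def above_user_limit(entries, limit=0x80000000):
    """Unresolved IAT values at or above the 32-bit user-mode limit (assumed 2 GB split).

    A working user-mode import cannot point into kernel space, so such a value
    is either garbage in the table or a misread by the scanner, not a live hook."""
    return [(e["pid"], f'{e["dll"]}!{e["func"]}', e["raw"])
            for e in entries
            if e["kind"] == "IAT" and e["raw"] and int(e["raw"], 16) >= limit]


def device_filters(entries):
    """(device object, driver file, vendor) for every Device/AttachedDevice line."""
    return [(e["device"], e["file"], e["vendor"])
            for e in entries if e["kind"] in ("AttachedDevice", "Device")]


if __name__ == "__main__":
    ents = parse_gmer(SAMPLE_LOG)
    for pid, s in sorted(summarize_iat(ents).items()):
        print(f"PID {pid} {s['proc']}: {s['hooked']} hooked imports, "
              f"{s['unresolved']} unresolved, targets={sorted(s['targets'])}, "
              f"vendors={sorted(s['vendors'])}")
    for pid, imp, raw in above_user_limit(ents):
        print(f"  PID {pid} {imp} -> {raw}: not a valid 32-bit user-mode address")
    for dev, drv, vendor in device_filters(ents):
        print(f"filter on {dev}: {drv} ({vendor})")
```

Run against the full scan, the split is stark: every resolved entry in services.exe points back into the same smss.exe image that GMER names as the hooked module, and the bare values change from one import to the next, with several (FFFC75FF, C085018B, FFFFFF4C) above the 32-bit user-mode limit. That pattern says "verify the scanner's parse" before it says "rootkit"; a second tool that walks the import table of the live process should be used before treating any of these as a real hook. The device section, by contrast, resolves cleanly to signed avast! and Microsoft drivers.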