GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-15 14:47:33
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD10EARS-00MVWB0 rev.51.0AB51 931,51GB
Running: qv18mn89.exe; Driver: C:\Users\Jerzy\AppData\Local\Temp\awddykog.sys

---- User code sections - GMER 2.0 ----

.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 0000000075891401 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17 0000000075891419 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17 0000000075891431 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42 000000007589144a 2 bytes [89, 75]
.text ... * 9
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 00000000758914dd 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 00000000758914f5 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 000000007589150d 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 0000000075891525 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 000000007589153d 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17 0000000075891555 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 000000007589156d 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17 0000000075891585 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17 000000007589159d 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 00000000758915b5 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 00000000758915cd 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 00000000758916b2 2 bytes [89, 75]
.text C:\Users\Jerzy\Downloads\OTL.exe[2936] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 00000000758916bd 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000754f2da4 5 bytes JMP 000000016fcf9eb4
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007550cbf3 5 bytes JMP 000000016fe48fb6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007550cfca 5 bytes JMP 000000016fc51893
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007552cb0c 5 bytes JMP 000000016fe48f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007552ce64 5 bytes JMP 000000016fe4901b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007553fbd1 5 bytes JMP 000000016fe48ed8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007553fc9d 5 bytes JMP 000000016fe48e5f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007553fcd6 5 bytes JMP 000000016fe48dfb
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007553fcfa 5 bytes JMP 000000016fe48d97
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000075c193ec 5 bytes JMP 000000016fe491d0
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075891401 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075891419 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075891431 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007589144a 2 bytes [89, 75]
.text ... * 9
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000758914dd 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000758914f5 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007589150d 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075891525 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007589153d 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075891555 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007589156d 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075891585 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007589159d 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000758915b5 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000758915cd 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000758916b2 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000758916bd 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 0000000072fc388e 5 bytes JMP 000000016fe49080
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073067922 5 bytes JMP 000000016fe49128
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[2844] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 00000000756c2694 5 bytes JMP 000000016fe493c8
? C:\Windows\system32\mssprxy.dll [2844] entry point in ".rdata" section 000000006e1071e6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 00000000776b25fd 6 bytes JMP 000000016fd18042
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 00000000776c2a63 6 bytes JMP 000000016fcb9805
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\kernel32.dll!CreateThread 00000000751034b5 5 bytes JMP 000000016fcb75db
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000754e8a29 5 bytes JMP 000000016fd203cf
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000754ed22e 5 bytes JMP 000000016fcc363b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000754f291f 5 bytes JMP 000000016fc9ddab
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000754f2da4 5 bytes JMP 000000016fcf9eb4
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000754f6285 5 bytes JMP 000000016fd17fdf
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000754f7603 5 bytes JMP 000000016fcf25ac
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 00000000754fb029 5 bytes JMP 000000016fe49358
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 00000000754fc63e 5 bytes JMP 000000016fe49390
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000755050ed 5 bytes JMP 000000016fe49a52
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 0000000075505246 5 bytes JMP 000000016fe492e8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!EndDialog 000000007550b99c 5 bytes JMP 000000016fe49d26
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 000000007550c701 5 bytes JMP 000000016fe49a7a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007550cbf3 5 bytes JMP 000000016fe48fb6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007550cfca 5 bytes JMP 000000016fc51893
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007550eb96 5 bytes JMP 000000016fc9ded5
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007550f52b 5 bytes JMP 000000016fd3ed00
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!SendInput 000000007550ff4a 5 bytes JMP 000000016fe4a2e9
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000755110dc 5 bytes JMP 000000016fe49320
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000755114b2 5 bytes JMP 000000016fe4a341
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000075529cfd 5 bytes JMP 000000016fe4a3c2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007552cb0c 5 bytes JMP 000000016fe48f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007552ce64 5 bytes JMP 000000016fe4901b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007553fbd1 5 bytes JMP 000000016fe48ed8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007553fc9d 5 bytes JMP 000000016fe48e5f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007553fcd6 5 bytes JMP 000000016fe48dfb
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007553fcfa 5 bytes JMP 000000016fe48d97
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\USER32.dll!keybd_event 00000000755402bf 5 bytes JMP 000000016fe4a2a6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075736143 5 bytes JMP 000000016fe49784
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000075bb3e59 5 bytes JMP 000000016fe4987c
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000075bb3eae 5 bytes JMP 000000016fe498fa
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000075bb4731 5 bytes JMP 000000016fe497ee
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000075bb5dee 5 bytes JMP 000000016fe4989a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000075c193ec 5 bytes JMP 000000016fe491d0
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075891401 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075891419 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075891431 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007589144a 2 bytes [89, 75]
.text ... * 9
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000758914dd 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000758914f5 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007589150d 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075891525 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007589153d 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075891555 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007589156d 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075891585 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007589159d 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000758915b5 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000758915cd 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000758916b2 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000758916bd 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 0000000072fc388e 5 bytes JMP 000000016fe49080
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073067922 5 bytes JMP 000000016fe49128
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000756b33a3 5 bytes JMP 000000016fe4946c
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 00000000756c2694 5 bytes JMP 000000016fe493c8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1268] C:\Windows\syswow64\comdlg32.dll!PrintDlgA 00000000756ce8ff 5 bytes JMP 000000016fe49538
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 00000000776b25fd 6 bytes JMP 000000016fd18042
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 00000000776c2a63 6 bytes JMP 000000016fcb9805
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\kernel32.dll!CreateThread 00000000751034b5 5 bytes JMP 000000016fcb75db
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!CreateWindowExW 00000000754e8a29 5 bytes JMP 000000016fd203cf
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!CreateWindowExA 00000000754ed22e 5 bytes JMP 000000016fcc363b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!GetKeyState 00000000754f291f 5 bytes JMP 000000016fc9ddab
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!EnableWindow 00000000754f2da4 5 bytes JMP 000000016fcf9eb4
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!CallNextHookEx 00000000754f6285 5 bytes JMP 000000016fd17fdf
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000754f7603 5 bytes JMP 000000016fcf25ac
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 00000000754fb029 5 bytes JMP 000000016fe49358
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 00000000754fc63e 5 bytes JMP 000000016fe49390
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!IsDialogMessage 00000000755050ed 5 bytes JMP 000000016fe49a52
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 0000000075505246 5 bytes JMP 000000016fe492e8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!EndDialog 000000007550b99c 5 bytes JMP 000000016fe49d26
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 000000007550c701 5 bytes JMP 000000016fe49a7a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007550cbf3 5 bytes JMP 000000016fe48fb6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007550cfca 5 bytes JMP 000000016fc51893
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 000000007550eb96 5 bytes JMP 000000016fc9ded5
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007550f52b 5 bytes JMP 000000016fd3ed00
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!SendInput 000000007550ff4a 5 bytes JMP 000000016fe4a2e9
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 00000000755110dc 5 bytes JMP 000000016fe49320
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!SetKeyboardState 00000000755114b2 5 bytes JMP 000000016fe4a341
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000075529cfd 5 bytes JMP 000000016fe4a3c2
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007552cb0c 5 bytes JMP 000000016fe48f51
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007552ce64 5 bytes JMP 000000016fe4901b
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 000000007553fbd1 5 bytes JMP 000000016fe48ed8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 000000007553fc9d 5 bytes JMP 000000016fe48e5f
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!MessageBoxExA 000000007553fcd6 5 bytes JMP 000000016fe48dfb
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!MessageBoxExW 000000007553fcfa 5 bytes JMP 000000016fe48d97
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\USER32.dll!keybd_event 00000000755402bf 5 bytes JMP 000000016fe4a2a6
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075736143 5 bytes JMP 000000016fe49784
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000075bb3e59 5 bytes JMP 000000016fe4987c
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000075bb3eae 5 bytes JMP 000000016fe498fa
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000075bb4731 5 bytes JMP 000000016fe497ee
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000075bb5dee 5 bytes JMP 000000016fe4989a
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000075c193ec 5 bytes JMP 000000016fe491d0
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075891401 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075891419 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075891431 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007589144a 2 bytes [89, 75]
.text ... * 9
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000758914dd 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000758914f5 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007589150d 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075891525 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007589153d 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075891555 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007589156d 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075891585 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007589159d 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000758915b5 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000758915cd 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000758916b2 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000758916bd 2 bytes [89, 75]
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 0000000072fc388e 5 bytes JMP 000000016fe49080
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000073067922 5 bytes JMP 000000016fe49128
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000756b33a3 5 bytes JMP 000000016fe4946c
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 00000000756c2694 5 bytes JMP 000000016fe493c8
.text C:\Program Files (x86)\Internet Explorer\iexplore.exe[304] C:\Windows\syswow64\comdlg32.dll!PrintDlgA 00000000756ce8ff 5 bytes JMP 000000016fe49538

---- User IAT/EAT - GMER 2.0 ----

IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef9a52750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef9a52b98] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef9a57de0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef9a58130] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef9a51908] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef9a51c00] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef9a581d8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef9a52878] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef9a57a5c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmIncrement] [7fef9a56c48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef9a577bc] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef9a57064] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef9a56544] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1684] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef9a55e30] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Threads - GMER 2.0 ----

Thread C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe [2360:2376] 0000000004162520
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:1156] 000007fef5d1cc10
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:1044] 000007fef5bdb564
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:2460] 000007fef5bdb564
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:2468] 000007fef5cef718
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:2436] 000007fef5bdb564
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:2492] 000007fef6216050
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:2168] 000007fef5bdb564
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:892] 000007fefbee2a7c
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:912] 000007fef5bdb564
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:888] 000007fef5bdb564
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:884] 000007fef5bdb564
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:900] 000007fef5bd143c
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:2408] 000007fef5bdb564
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:2372] 000007fef5bdb564
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:2684] 000007fef5bdb564
Thread C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064:3356] 000007fef5bdb564

---- Processes - GMER 2.0 ----

Library ? (*** suspicious ***) @ C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe [2360] 0000000076b60000
Library ? (*** suspicious ***) @ C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2064] 000007feff3e0000

---- EOF - GMER 2.0 ----