GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-01-29 22:18:57 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS725050A9A364 rev.PC4OC72E 465,76GB Running: 75xgi2rm.exe; Driver: C:\Users\Patryk\AppData\Local\Temp\kwrdipog.sys ---- User code sections - GMER 2.0 ---- .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075541401 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075541419 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075541431 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007554144a 2 bytes [54, 75] .text ... * 9 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755414dd 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755414f5 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007554150d 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075541525 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007554153d 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075541555 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007554156d 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075541585 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007554159d 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755415b5 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755415cd 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755416b2 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755416bd 2 bytes [54, 75] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 000000006b9911a8 2 bytes [99, 6B] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 000000006b99127d 2 bytes [99, 6B] .text ... * 6 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 000000006b9913a8 2 bytes [99, 6B] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 000000006b991422 2 bytes [99, 6B] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[2508] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 000000006b991498 2 bytes [99, 6B] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075541401 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075541419 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075541431 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007554144a 2 bytes [54, 75] .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755414dd 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755414f5 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007554150d 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075541525 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007554153d 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075541555 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007554156d 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075541585 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007554159d 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755415b5 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755415cd 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755416b2 2 bytes [54, 75] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755416bd 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075541401 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075541419 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075541431 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007554144a 2 bytes [54, 75] .text ... * 9 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755414dd 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755414f5 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007554150d 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075541525 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007554153d 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075541555 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007554156d 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075541585 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007554159d 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755415b5 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755415cd 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755416b2 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[3992] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755416bd 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077def991 8 bytes {MOV EDX, 0x903e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 15 0000000077def99b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 0000000077defa0d 8 bytes {MOV EDX, 0x901a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 15 0000000077defa17 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 0000000077defb25 8 bytes {MOV EDX, 0x90168; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 15 0000000077defb2f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077defbd5 8 bytes {MOV EDX, 0x90428; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 15 0000000077defbdf 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077defc05 8 bytes {MOV EDX, 0x90368; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 15 0000000077defc0f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077defc1d 8 bytes {MOV EDX, 0x90128; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 15 0000000077defc27 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077defc35 8 bytes {MOV EDX, 0x904e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 15 0000000077defc3f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077defc65 8 bytes {MOV EDX, 0x90528; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 15 0000000077defc6f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077defce5 8 bytes {MOV EDX, 0x904a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 15 0000000077defcef 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077defcfd 8 bytes {MOV EDX, 0x90468; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 15 0000000077defd07 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077defd49 8 bytes {MOV EDX, 0x90068; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 15 0000000077defd53 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 5 0000000077defdad 8 bytes {MOV EDX, 0x902e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 15 0000000077defdb7 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077defe41 8 bytes {MOV EDX, 0x900a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 15 0000000077defe4b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 0000000077deff89 8 bytes {MOV EDX, 0x902a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 15 0000000077deff93 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077df0099 8 bytes {MOV EDX, 0x90028; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 15 0000000077df00a3 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 5 0000000077df0781 8 bytes {MOV EDX, 0x90268; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 15 0000000077df078b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 0000000077df0ffd 8 bytes {MOV EDX, 0x901e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 15 0000000077df1007 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 5 0000000077df105d 8 bytes {MOV EDX, 0x90228; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 15 0000000077df1067 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077df10a5 8 bytes {MOV EDX, 0x903a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 15 0000000077df10af 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077df111d 8 bytes {MOV EDX, 0x90328; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 15 0000000077df1127 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077df1321 8 bytes {MOV EDX, 0x900e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 15 0000000077df132b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\kernel32.dll!CreateProcessW 000000007567103d 5 bytes JMP 0000000100010030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000075671072 5 bytes JMP 0000000100010070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!CreateEventW 0000000075580793 5 bytes JMP 0000000100020030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\KERNELBASE.dll!OpenEventW 00000000755807c3 5 bytes JMP 0000000100020070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!GetDeviceCaps 0000000076344de0 5 bytes JMP 00000001000f03b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!SelectObject 0000000076344f70 5 bytes JMP 00000001000f05f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!SetBkMode 00000000763451a2 5 bytes JMP 00000001000f08f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!SetTextColor 000000007634522d 5 bytes JMP 00000001000f0a30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!DeleteObject 0000000076345689 5 bytes JMP 00000001000f01b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000763458b3 5 bytes JMP 00000001000f0170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!GetCurrentObject 0000000076346bad 5 bytes JMP 00000001000f0370 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!SaveDC 0000000076346e05 5 bytes JMP 00000001000f0570 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!RestoreDC 0000000076346ead 5 bytes JMP 00000001000f0530 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!SetStretchBltMode 0000000076347180 5 bytes JMP 00000001000f06b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!StretchDIBits 0000000076347435 5 bytes JMP 00000001000f0770 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000076347bcc 5 bytes JMP 00000001000f00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!IntersectClipRect 0000000076347dc4 5 bytes JMP 00000001000f03f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!GetTextAlign 0000000076347fd5 5 bytes JMP 00000001000f0d70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!GetTextMetricsW 00000000763482b2 5 bytes JMP 00000001000f0e30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!SetTextAlign 0000000076348401 5 bytes JMP 00000001000f09f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!ExtSelectClipRgn 000000007634879f 5 bytes JMP 00000001000f02f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!SelectClipRgn 0000000076348916 5 bytes JMP 00000001000f05b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!ExtTextOutW 0000000076348b7a 5 bytes JMP 00000001000f0970 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!MoveToEx 0000000076348ee6 5 bytes JMP 00000001000f0470 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!GetFontData 0000000076349875 5 bytes JMP 00000001000f0c70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!GetTextFaceW 0000000076349936 5 bytes JMP 00000001000f0d30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!Rectangle 000000007634a53a 5 bytes JMP 00000001000f09b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!GetClipBox 000000007634af9f 5 bytes JMP 00000001000f0330 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!LineTo 000000007634b9e5 5 bytes JMP 00000001000f0430 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!SetICMMode 000000007634bd55 5 bytes JMP 00000001000f0db0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!CreateICW 000000007634c040 5 bytes JMP 00000001000f0130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!GetTextExtentPoint32W 000000007634c107 5 bytes JMP 00000001000f0670 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!SetWorldTransform 000000007634c269 5 bytes JMP 00000001000f06f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!GetTextMetricsA 000000007634d1f1 5 bytes JMP 00000001000f0df0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!GetTextExtentPoint32A 000000007634d349 5 bytes JMP 00000001000f0630 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!ExtTextOutA 000000007634dce4 5 bytes JMP 00000001000f0930 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007634e743 5 bytes JMP 00000001000f00f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!ExtEscape 00000000763503b7 5 bytes JMP 00000001000f02b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!Escape 0000000076351bda 5 bytes JMP 00000001000f0270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!GetTextFaceA 0000000076351e89 5 bytes JMP 00000001000f0cf0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!SetPolyFillMode 0000000076354843 5 bytes JMP 00000001000f0b30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!SetMiterLimit 0000000076355690 5 bytes JMP 00000001000f0b70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!EndPage 0000000076356bde 5 bytes JMP 00000001000f0230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!ResetDCW 000000007635e2db 5 bytes JMP 00000001000f0ab0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!GetGlyphOutlineW 000000007636940d 5 bytes JMP 00000001000f0cb0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!CreateScalableFontResourceW 000000007636c621 5 bytes JMP 00000001000f0bb0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!AddFontResourceW 000000007636d2b2 5 bytes JMP 00000001000f0bf0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!RemoveFontResourceW 000000007636d919 5 bytes JMP 00000001000f0c30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!AbortDoc 0000000076373adc 5 bytes JMP 00000001000f0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!EndDoc 0000000076373f29 5 bytes JMP 00000001000f01f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!StartPage 000000007637401a 5 bytes JMP 00000001000f0730 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!StartDocW 0000000076374c51 5 bytes JMP 00000001000f07f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!BeginPath 00000000763753fd 5 bytes JMP 00000001000f0830 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!SelectClipPath 0000000076375454 5 bytes JMP 00000001000f0af0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!CloseFigure 00000000763754af 5 bytes JMP 00000001000f0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!EndPath 0000000076375506 5 bytes JMP 00000001000f0a70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!StrokePath 000000007637573f 5 bytes JMP 00000001000f07b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!FillPath 00000000763757d2 5 bytes JMP 00000001000f0870 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!PolylineTo 0000000076375c44 5 bytes JMP 00000001000f04f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!PolyBezierTo 0000000076375cd5 5 bytes JMP 00000001000f04b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\GDI32.dll!PolyDraw 0000000076375d87 5 bytes JMP 00000001000f08b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!MapWindowPoints 0000000075af8c40 5 bytes JMP 0000000100100570 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000075af9ebd 5 bytes JMP 00000001001002b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000075b00afa 5 bytes JMP 00000001001002f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!GetClientRect 0000000075b00c62 7 bytes JMP 00000001001005b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!GetParent 0000000075b00f68 7 bytes JMP 00000001001006f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!IsWindowVisible 0000000075b0112d 7 bytes JMP 00000001001006b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075b012a5 5 bytes JMP 00000001001005f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!ScreenToClient 0000000075b0227d 7 bytes JMP 0000000100100670 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!MonitorFromWindow 0000000075b03150 7 bytes JMP 0000000100100630 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!SetCursor 0000000075b041f6 5 bytes JMP 0000000100100530 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!GetClipboardFormatNameA 0000000075b068ef 5 bytes JMP 0000000100100270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!GetClipboardFormatNameW 0000000075b077fa 5 bytes JMP 0000000100100230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!GetTopWindow 0000000075b07887 7 bytes JMP 0000000100100730 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!IsClipboardFormatAvailable 0000000075b08676 5 bytes JMP 00000001001000f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!GetClipboardSequenceNumber 0000000075b08696 5 bytes JMP 0000000100100330 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!CloseClipboard 0000000075b08e8d 5 bytes JMP 00000001001000b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!OpenClipboard 0000000075b08ecb 5 bytes JMP 0000000100100070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!ChangeClipboardChain 0000000075b0c17b 5 bytes JMP 0000000100100430 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!EnumClipboardFormats 0000000075b0c449 5 bytes JMP 00000001001001b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!GetOpenClipboardWindow 0000000075b0c468 5 bytes JMP 00000001001003f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!CountClipboardFormats 0000000075b0c486 5 bytes JMP 00000001001001f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075b0c4b6 5 bytes JMP 00000001001004b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!ActivateKeyboardLayout 0000000075b0d6c0 5 bytes JMP 00000001001004f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!GetClipboardOwner 0000000075b0e360 5 bytes JMP 0000000100100370 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000075b38e57 5 bytes JMP 0000000100100170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000075b39cfd 5 bytes JMP 0000000100100770 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075b39f1d 5 bytes JMP 0000000100100030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!EmptyClipboard 0000000075b57cb9 5 bytes JMP 0000000100100130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!GetClipboardViewer 0000000075b58111 5 bytes JMP 0000000100100470 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\USER32.dll!GetPriorityClipboardFormat 0000000075b5832f 5 bytes JMP 00000001001003b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\SspiCli.dll!FreeContextBuffer 00000000754c9606 5 bytes JMP 00000001002100f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\SspiCli.dll!FreeCredentialsHandle 00000000754d0581 5 bytes JMP 0000000100210130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\SspiCli.dll!DeleteSecurityContext 00000000754d0bb9 5 bytes JMP 0000000100210270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\SspiCli.dll!ApplyControlToken 00000000754d0c2e 5 bytes JMP 00000001002101b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\SspiCli.dll!QueryContextAttributesA 00000000754d0f2e 5 bytes JMP 0000000100210070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\SspiCli.dll!QueryCredentialsAttributesA 00000000754d1096 5 bytes JMP 00000001002100b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 00000000754d124e 5 bytes JMP 00000001002101f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\SspiCli.dll!DecryptMessage 00000000754d129d 5 bytes JMP 0000000100210230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\SspiCli.dll!AcquireCredentialsHandleA 00000000754d1527 5 bytes JMP 0000000100210030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\SspiCli.dll!InitializeSecurityContextA 00000000754d1590 5 bytes JMP 0000000100210170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\ole32.dll!OleSetClipboard 00000000759d0045 5 bytes JMP 00000001002d0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\ole32.dll!OleIsCurrentClipboard 00000000759d36b2 5 bytes JMP 00000001002d0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\ole32.dll!OleGetClipboard 00000000759ffdcd 5 bytes JMP 00000001002d00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075541401 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075541419 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075541431 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007554144a 2 bytes [54, 75] .text ... * 9 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000755414dd 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000755414f5 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007554150d 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075541525 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007554153d 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075541555 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007554156d 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075541585 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007554159d 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000755415b5 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000755415cd 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000755416b2 2 bytes [54, 75] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_5_502_146.exe[4704] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000755416bd 2 bytes [54, 75] ---- Threads - GMER 2.0 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1072:3356] 000007fefc612a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1072:3372] 000007fef261d618 ---- Registry - GMER 2.0 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027139b23b0 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027139b23b0@bcb1f37bfb89 0xB0 0x57 0x39 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7D 0x44 0xE0 0xFE ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027139b23b0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027139b23b0@bcb1f37bfb89 0xB0 0x57 0x39 0x0E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7D 0x44 0xE0 0xFE ... ---- EOF - GMER 2.0 ----