GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-12-15 13:56:31 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-6 Hitachi_HDP725050GLA360 rev.GM4OA52A 465,76GB Running: uvtuzc0q.exe; Driver: C:\Users\tomek\AppData\Local\Temp\pwtoipow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0x9172E700] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcConnectPort [0x916E1C1A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcCreatePort [0x916E1F62] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAlpcSendWaitReceivePort [0x916E23A8] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0x916CA29C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwConnectPort [0x916E18F4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0x916CA814] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0x916CA6FA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreatePort [0x916E1DC6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0x91731590] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0x916CA934] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSymbolicLinkObject [0x916F1FB0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0x91730A24] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateWaitablePort [0x916E1E94] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0x9173056E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0x916CA2E0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0x9172E842] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0x9172E4AA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0x916F1FD0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0x916E005C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0x916CA8AA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0x916CA78A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0x91730116] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0x9173183C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0x916CA9CA] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0x91730780] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwPlugPlayControl [0x916F1FC0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryDirectoryObject [0x916CAA54] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0x916E026A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0x9173123C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0x916E218C] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0x916E201A] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0x916E20D0] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwRequestWaitReplyPort [0x916E21FC] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0x91730F66] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0x916E1A82] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0x917310C4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0x916CAAF6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0x9172E5B4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0x917302B6] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0x91730E0E] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0x916CAB08] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0x91730416] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0x91730920] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0x917319A4] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0x917316CE] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThreadEx [0x91730C64] SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateUserProcess [0x917306C8] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 119 83EE1764 4 Bytes [00, E7, 72, 91] {ADD BH, AH; JB 0xffffff95} .text ntkrnlpa.exe!KeSetEvent + 13D 83EE1788 8 Bytes [1A, 1C, 6E, 91, 62, 1F, 6E, ...] {SBB BL, [ESI+EBP*2]; XCHG ECX, EAX; BOUND EBX, [EDI]; OUTS DX, BYTE [ESI]; XCHG ECX, EAX} .text ntkrnlpa.exe!KeSetEvent + 181 83EE17CC 4 Bytes [A8, 23, 6E, 91] {TEST AL, 0x23; OUTS DX, BYTE [ESI]; XCHG ECX, EAX} .text ntkrnlpa.exe!KeSetEvent + 1A9 83EE17F4 4 Bytes [9C, A2, 6C, 91] .text ntkrnlpa.exe!KeSetEvent + 1C1 83EE180C 4 Bytes [F4, 18, 6E, 91] {HLT ; SBB [ESI-0x6f], CH} .text ... .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90809000, 0x2BFBF0, 0xE8000020] ---- User code sections - GMER 2.1 ---- ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1124] C:\Windows\system32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1124] ntdll.dll!NtProtectVirtualMemory 77AF4BC4 5 Bytes JMP 7311209E C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1124] C:\Windows\system32\kernel32.dll time/date stamp mismatch; ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1124] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: MPR.dllunknown module: msiltcfg.dllunknown module: CLBCatQ.DLLunknown module: OLEAUT32.dllunknown module: imagehlp.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1124] USER32.dll!SetScrollInfo + 7A8 764B7980 4 Bytes [BB, 30, 11, 73] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtCreateFile + 6 77AF426A 4 Bytes [28, 60, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtCreateFile + B 77AF426F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtCreateKey + 6 77AF42AA 4 Bytes [68, 61, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtCreateKey + B 77AF42AF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtCreateMutant + 6 77AF42DA 4 Bytes [28, 62, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtCreateMutant + B 77AF42DF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtCreateSection + 6 77AF435A 4 Bytes [68, 62, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtCreateSection + B 77AF435F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtMapViewOfSection + 6 77AF49BA 4 Bytes [A8, 64, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtMapViewOfSection + B 77AF49BF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenFile + 6 77AF4A4A 4 Bytes [68, 60, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenFile + B 77AF4A4F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenKey + 6 77AF4A7A 4 Bytes [A8, 61, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenKey + B 77AF4A7F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenMutant + B 77AF4A9F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenProcess + 6 77AF4ACA 4 Bytes [28, 63, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenProcess + B 77AF4ACF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenProcessToken + 6 77AF4ADA 4 Bytes [68, 63, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenProcessToken + B 77AF4ADF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenProcessTokenEx + 6 77AF4AEA 4 Bytes [28, 64, 06, 00] {SUB [ESI+EAX+0x0], AH} .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenProcessTokenEx + B 77AF4AEF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenSection + 6 77AF4AFA 4 Bytes [A8, 62, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenSection + B 77AF4AFF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenThread + B 77AF4B3F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenThreadToken + B 77AF4B4F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenThreadTokenEx + 6 77AF4B5A 4 Bytes [68, 64, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtOpenThreadTokenEx + B 77AF4B5F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtQueryAttributesFile + 6 77AF4BEA 4 Bytes [A8, 60, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtQueryAttributesFile + B 77AF4BEF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtQueryFullAttributesFile + B 77AF4C9F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtSetInformationFile + 6 77AF517A 4 Bytes [28, 61, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtSetInformationFile + B 77AF517F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtSetInformationThread + 6 77AF51CA 4 Bytes [A8, 63, 06, 00] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtSetInformationThread + B 77AF51CF 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ntdll.dll!NtUnmapViewOfSection + B 77AF546F 1 Byte [E2] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] kernel32.dll!CreateProcessW 766E1BF3 5 Bytes JMP 000800B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] kernel32.dll!CreateProcessA 766E1C28 5 Bytes JMP 000800F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] kernel32.dll!OpenEventW 766FC023 5 Bytes JMP 00080070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] kernel32.dll!CreateEventW 7672B85E 5 Bytes JMP 00080030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!DeleteObject 76545A37 5 Bytes JMP 001B01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!GetDeviceCaps 7654617F 5 Bytes JMP 001B03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!SelectObject 765462A0 5 Bytes JMP 001B05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!SetTextColor 7654666B 5 Bytes JMP 001B0A30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!SetBkMode 76546716 5 Bytes JMP 001B08F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!DeleteDC 765468CD 5 Bytes JMP 001B0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!GetCurrentObject 76546B58 5 Bytes JMP 001B0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!SetStretchBltMode 76547206 5 Bytes JMP 001B06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!SaveDC 765475BA 5 Bytes JMP 001B0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!RestoreDC 76547675 5 Bytes JMP 001B0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!StretchDIBits 765478CF 5 Bytes JMP 001B0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!ExtSelectClipRgn 765479F8 5 Bytes JMP 001B02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!SelectClipRgn 76547AF9 5 Bytes JMP 001B05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!MoveToEx 76547C33 5 Bytes JMP 001B0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!Rectangle 76547EA9 5 Bytes JMP 001B09B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!GetTextAlign 765482E0 5 Bytes JMP 001B0D70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!SetTextAlign 765485CB 5 Bytes JMP 001B09F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!ExtTextOutW 7654872B 5 Bytes JMP 001B0970 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!GetTextMetricsW 76548A81 5 Bytes JMP 001B0E30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!IntersectClipRect 76548B64 5 Bytes JMP 001B03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!GetClipBox 76549071 5 Bytes JMP 001B0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!SetICMMode 765494E7 5 Bytes JMP 001B0DB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!CreateDCW 7654A91D 5 Bytes JMP 001B00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!CreateDCA 7654AA49 5 Bytes JMP 001B00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!CreateICW 7654B2E9 5 Bytes JMP 001B0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!GetTextFaceW 7654B637 5 Bytes JMP 001B0D30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!GetFontData 7654BA6C 1 Byte [E9] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!GetFontData 7654BA6C 5 Bytes JMP 001B0C70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!GetTextExtentPoint32W 7654C01A 5 Bytes JMP 001B0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!SetWorldTransform 7654C46A 5 Bytes JMP 001B06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!LineTo 7654C65E 5 Bytes JMP 001B0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!GetTextMetricsA 7654CCEB 5 Bytes JMP 001B0DF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!ExtTextOutA 765500A5 5 Bytes JMP 001B0930 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!GetTextExtentPoint32A 76550E58 5 Bytes JMP 001B0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!ExtEscape 765522A7 5 Bytes JMP 001B02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!Escape 765527F1 5 Bytes JMP 001B0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!ResetDCW 76553132 5 Bytes JMP 001B0AB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!EndPage 7655375E 5 Bytes JMP 001B0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!SetPolyFillMode 765561D3 5 Bytes JMP 001B0B30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!SetMiterLimit 765562E2 5 Bytes JMP 001B0B70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!GetTextFaceA 7655F489 5 Bytes JMP 001B0CF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!GetGlyphOutlineW 7656A537 5 Bytes JMP 001B0CB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!CreateScalableFontResourceW 7656C993 5 Bytes JMP 001B0BB0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!AddFontResourceW 7656CD9B 5 Bytes JMP 001B0BF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!RemoveFontResourceW 7656D231 5 Bytes JMP 001B0C30 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!AbortDoc 76572E7F 5 Bytes JMP 001B0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!EndDoc 76573293 5 Bytes JMP 001B01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!StartPage 7657337E 5 Bytes JMP 001B0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!StartDocW 76573E62 5 Bytes JMP 001B07F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!BeginPath 7657461D 5 Bytes JMP 001B0830 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!SelectClipPath 76574674 5 Bytes JMP 001B0AF0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!CloseFigure 765746CF 5 Bytes JMP 001B0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!EndPath 76574726 5 Bytes JMP 001B0A70 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!StrokePath 76574958 5 Bytes JMP 001B07B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!FillPath 765749E4 5 Bytes JMP 001B0870 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!PolylineTo 76574E4D 5 Bytes JMP 001B04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!PolyBezierTo 76574EDD 5 Bytes JMP 001B04B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] GDI32.dll!PolyDraw 76574F8E 5 Bytes JMP 001B08B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!SetCursor 764AD37D 5 Bytes JMP 001C0530 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!RegisterClipboardFormatW 764AD6AC 1 Byte [E9] .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!RegisterClipboardFormatW 764AD6AC 5 Bytes JMP 001C02B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!ActivateKeyboardLayout 764B478C 5 Bytes JMP 001C04F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!IsWindowVisible 764B878A 7 Bytes JMP 001C06B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!MonitorFromWindow 764B88D4 4 Bytes JMP 001C0630 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!MonitorFromWindow + 5 764B88D9 2 Bytes [CC, CC] {INT 3 ; INT 3 } .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!ScreenToClient 764B8C56 7 Bytes JMP 001C0670 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!GetClientRect 764B8F0D 7 Bytes JMP 001C05B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!GetParent 764B90AA 7 Bytes JMP 001C06F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!RegisterClipboardFormatA 764BA111 5 Bytes JMP 001C02F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!PostMessageW 764BA175 5 Bytes JMP 001C05F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!MapWindowPoints 764BA30D 5 Bytes JMP 001C0570 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!GetClipboardFormatNameA 764BA552 5 Bytes JMP 001C0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!GetOpenClipboardWindow 764C26A6 5 Bytes JMP 001C03F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!SetClipboardViewer 764CBA2D 5 Bytes JMP 001C04B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!IsClipboardFormatAvailable 764CC2E3 5 Bytes JMP 001C00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!CloseClipboard 764CC2F7 5 Bytes JMP 001C00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!OpenClipboard 764CC31D 5 Bytes JMP 001C0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!GetTopWindow 764CCE0A 7 Bytes JMP 001C0730 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!GetClipboardSequenceNumber 764CD8B7 5 Bytes JMP 001C0330 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!ChangeClipboardChain 764CDF83 5 Bytes JMP 001C0430 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!CountClipboardFormats 764D0048 5 Bytes JMP 001C01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!GetClipboardOwner 764D26EF 5 Bytes JMP 001C0370 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!SetClipboardData 764E6410 5 Bytes JMP 001C0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!EnumClipboardFormats 764E6D16 5 Bytes JMP 001C01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!SetCursorPos 764E6FB2 5 Bytes JMP 001C0770 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!GetClipboardData 764E715A 5 Bytes JMP 001C0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!GetClipboardFormatNameW 764EA99F 5 Bytes JMP 001C0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!EmptyClipboard 7650398B 5 Bytes JMP 001C0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!GetClipboardViewer 765039ED 5 Bytes JMP 001C0470 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] USER32.dll!GetPriorityClipboardFormat 76503AEF 5 Bytes JMP 001C03B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ole32.dll!OleGetClipboard 778974C9 5 Bytes JMP 001D00B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ole32.dll!OleSetClipboard 778C11E3 5 Bytes JMP 001D0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] ole32.dll!OleIsCurrentClipboard 778CA8F9 5 Bytes JMP 001D0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] Secur32.dll!FreeContextBuffer 75FE2D83 5 Bytes JMP 001F00F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] Secur32.dll!DeleteSecurityContext 75FE2F18 5 Bytes JMP 001F0270 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] Secur32.dll!FreeCredentialsHandle 75FE3598 5 Bytes JMP 001F0130 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] Secur32.dll!EncryptMessage 75FE3745 5 Bytes JMP 001F01F0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] Secur32.dll!DecryptMessage 75FE3813 5 Bytes JMP 001F0230 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] Secur32.dll!InitializeSecurityContextA 75FE87DF 5 Bytes JMP 001F0170 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] Secur32.dll!AcquireCredentialsHandleA 75FE8A43 5 Bytes JMP 001F0030 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] Secur32.dll!QueryContextAttributesA 75FE8E77 5 Bytes JMP 001F0070 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] Secur32.dll!ApplyControlToken 75FEDE4F 5 Bytes JMP 001F01B0 .text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_9_900_170.exe[1852] Secur32.dll!QueryCredentialsAttributesA 75FEE052 5 Bytes JMP 001F00B0 ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2500] C:\Windows\system32\ntdll.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2500] ntdll.dll!NtProtectVirtualMemory 77AF4BC4 5 Bytes JMP 7311209E C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ushata.dll ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2500] C:\Windows\system32\kernel32.dll time/date stamp mismatch; ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2500] C:\Windows\system32\ole32.dll time/date stamp mismatch; unknown module: MPR.dllunknown module: msiltcfg.dllunknown module: CLBCatQ.DLLunknown module: OLEAUT32.dllunknown module: imagehlp.dll .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2500] USER32.dll!SetScrollInfo + 7A8 764B7980 4 Bytes [BB, 30, 11, 73] .text C:\Program Files\Mozilla Firefox\firefox.exe[4068] ntdll.dll!LdrLoadDll 77AB9378 5 Bytes JMP 6273E210 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4068] kernel32.dll!HeapSetInformation + 26 7670A8B0 7 Bytes JMP 62742C10 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4068] kernel32.dll!LockResource + C 76726ACB 7 Bytes JMP 62F022AA C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4068] kernel32.dll!VirtualAllocEx + 54 7672AF50 7 Bytes JMP 62F022CD C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4068] GDI32.dll!SetStretchBltMode + 256 7654745C 7 Bytes JMP 62F0222B C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74967817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [749AB4F1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7496BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7495F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [749675E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7495E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [749973F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7496DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7495FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7495FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [749571CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [749ECB00] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7498C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7495D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74956853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7495687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll IAT C:\Windows\Explorer.EXE[2008] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74962AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp kltdi.sys AttachedDevice \Driver\tdx \Device\Udp kltdi.sys AttachedDevice \Driver\tdx \Device\RawIp kltdi.sys ---- EOF - GMER 2.1 ----